Lab – Configuring and Verifying VTY Restrictions

Cisco Packet Tracer

Topology

Addressing Table

Step 1: Configure the PC-A and PC-B network settings according to the Addressing Table.

  • PC-A

PC-A>ipconfig

FastEthernet0 Connection:(default port)

   Link-local IPv6 Address.........: FE80::2E0:8FFF:FE25:6AE3
   IP Address......................: 192.168.1.3
   Subnet Mask.....................: 255.255.255.0
   Default Gateway.................: 192.168.1.1

PC-A>

  • PC-B

PC-B>ipconfig

FastEthernet0 Connection:(default port)

   Link-local IPv6 Address.........: FE80::290:21FF:FED3:B45A
   IP Address......................: 192.168.0.3
   Subnet Mask.....................: 255.255.255.0
   Default Gateway.................: 192.168.0.1

PC-B>

Step 2: Configure basic settings for each router.

  • R1

R1>enable 
R1#configure terminal 
R1(config)#int fa0/0
R1(config-if)#ip address 192.168.1.1 255.255.255.0
R1(config-if)#no shutdown 
R1(config-if)#exit
R1(config)#int fa0/1
R1(config-if)#ip address 192.168.0.1 255.255.255.0
R1(config-if)#no shutdown 
R1(config-if)#exit
R1(config)#enable secret cisco
R1(config)#username admin privilege 15 secret cisco
R1(config)#line vty 0 4
R1(config-line)#login local 
R1(config-line)#exit
R1(config)#service password-encryption 
R1(config)#no ip domain-lookup 
R1(config)#

Step 3: Configure and apply a standard named ACL.

  • From global configuration mode, view the command options under ip access-list by using a space and a question mark.

R1(config)#ip access-list ?
  extended  Extended Access List
  standard  Standard Access List

  • View the command options under ip access-list standard by using a space and a question mark.

R1(config)#ip access-list standard ?
  <1-99>  Standard IP access-list number
  WORD    Access-list name

  • Add ADMIN-MGT to the end of the ip access-list standard command and press Enter. You are now in the standard named access-list configuration mode (config-std-nacl).

R1(config)#ip access-list standard ADMIN-MGT
R1(config-std-nacl)#

  • Enter a question mark to view your command options.

R1(config-std-nacl)#?
  <1-2147483647>  Sequence Number
  default         Set a command to its defaults
  deny            Specify packets to reject
  exit            Exit from access-list configuration mode
  no              Negate a command or set its defaults
  permit          Specify packets to forward
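  remark          Access list entry comment

  • Create a permit ACE for Administrator PC-A at 192.168.1.3, and an additional permit ACE to allow other reserved administrative IP addresses from 192.168.1.4 to 192.168.1.7. The wildcard mask 0.0.0.3 matches exactly those four addresses, and any source not matched by an ACE is dropped by the implicit deny at the end of the ACL.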

R1(config-std-nacl)#permit host 192.168.1.3
R1(config-std-nacl)#permit 192.168.1.4 0.0.0.3
R1(config-std-nacl)#exit
R1(config)#

  • Now that the named ACL is created, apply it to the vty lines.

R1(config)#line vty 0 4
R1(config-line)#access-class ADMIN-MGT ?
  in   Filter incoming connections
  out  Filter outgoing connections
R1(config-line)#access-class ADMIN-MGT in
R1(config-line)#

Step 4: Verify the Access Control List Using Telnet

  • Open a command prompt on PC-A and verify that you can communicate with the router by issuing a ping command.

PC-A>ping 192.168.1.1

Pinging 192.168.1.1 with 32 bytes of data:

Reply from 192.168.1.1: bytes=32 time=1ms TTL=255
Reply from 192.168.1.1: bytes=32 time=0ms TTL=255
Reply from 192.168.1.1: bytes=32 time=0ms TTL=255
Reply from 192.168.1.1: bytes=32 time=0ms TTL=255

Ping statistics for 192.168.1.1:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 1ms, Average = 0ms

PC-A>

  • Using the command prompt on PC-A, launch the Telnet client program to telnet into the router.

PC-A>telnet 192.168.1.1
Trying 192.168.1.1 ...Open


User Access Verification

Username: admin
Password: 
R1#

  • Change the IPv4 address to 192.168.1.100 on PC-A. Attempt to telnet into R1 at 192.168.1.1 again. Was the Telnet session successful?

PC-A>telnet 192.168.1.1
Trying 192.168.1.1 ...
% Connection refused by remote host
PC-A>
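
The following Python sketch is an added example, not part of the original lab: it evaluates the two ADMIN-MGT ACEs from Step 3 the way a standard ACL is processed (wildcard-mask match, first match wins, implicit deny at the end), which shows why PC-A at 192.168.1.3 reaches the vty lines and 192.168.1.100 is refused. The function names are hypothetical; only the ACE text and the addresses come from the lab.

```python
import ipaddress

# ACEs exactly as entered for ADMIN-MGT in Step 3 of the lab.
ADMIN_MGT = [
    "permit host 192.168.1.3",
    "permit 192.168.1.4 0.0.0.3",
]

def parse_ace(line):
    """Parse one standard ACE into (action, address, wildcard) as integers."""
    action, *rest = line.split()
    if action not in ("permit", "deny"):
        raise ValueError(f"unsupported ACE: {line!r}")
    if rest == ["any"]:
        addr, wild = "0.0.0.0", "255.255.255.255"
    elif len(rest) == 2 and rest[0] == "host":
        addr, wild = rest[1], "0.0.0.0"
    elif len(rest) == 2:
        addr, wild = rest
    else:
        raise ValueError(f"unsupported ACE: {line!r}")
    return action, int(ipaddress.IPv4Address(addr)), int(ipaddress.IPv4Address(wild))

def evaluate(acl, source):
    """Return the action of the first matching ACE, or the implicit deny."""
    src = int(ipaddress.IPv4Address(source))
    for line in acl:
        action, addr, wild = parse_ace(line)
        care = ~wild & 0xFFFFFFFF  # wildcard 0-bits must match, 1-bits are ignored
        if (src & care) == (addr & care):
            return action
    return "deny"  # implicit "deny any" that ends every ACL

def permitted_sources(acl, network):
    """List every host address in `network` that the ACL would admit."""
    return [str(h) for h in ipaddress.ip_network(network).hosts()
            if evaluate(acl, str(h)) == "permit"]

if __name__ == "__main__":
    # Sources from the lab: PC-A, the end of the reserved range,
    # PC-A after re-addressing in the last step, and PC-B.
    for src in ("192.168.1.3", "192.168.1.7", "192.168.1.100", "192.168.0.3"):
        print(f"{src:<15} {evaluate(ADMIN_MGT, src)}")
    print(permitted_sources(ADMIN_MGT, "192.168.1.0/24"))
```

Running the same evaluation over any candidate ACL before applying it with access-class is a quick way to confirm the wildcard mask covers only the intended management hosts.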

Keywords

yaser rahmati , cisco , ccna , یاسر رحمتی , vty , telnet , ssh , ipconfig , ping , ACL , no ip domain-lookup , ip access-list standard , Access Control List
