The Elusive “access-class out” Command

“Access-class out” never seems to work as expected.  At first, the reason appears to be that you must telnet into the router first; in other words, it has no effect on telnet connections attempted from a console session.  Well, that’s not completely true.  Access-class out is a restriction that is applied to an exec process.  An exec process is spawned when you attach to a line (aux, vty, con).  So if we want to restrict where the exec process on line con 0 can go, we must apply the access-class out to “line con 0”.  If we want to control where a telnet session can telnet back out to, that restriction must be applied to the “line vty x y”.

Anthony Sequeira has put together a great video demonstrating how to deny an outbound telnet session when the exec process is started from an inbound telnet session.  Below the video, you can find a sample of my testing using a console connection as opposed to an inbound telnet session.

I decided to expand on Anthony’s example and use it on the console line.  This helped me get my mind around the fact that it is a restriction on the process, as opposed to the vty ports being considered the source of the secondary telnet session.

RouterB#telnet 10.23.23.1
Trying 10.23.23.1 ... Open

Password required, but none set <<Outbound Telnet Still Permitted (message from remote router)

[Connection to 10.23.23.1 closed by foreign host]
RouterB#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
RouterB(config)#access-list 1 deny any
RouterB(config)#line con 0
RouterB(config-line)#access-class 1 out
RouterB(config-line)#exit
RouterB(config)#exit
RouterB#telnet 10.23.23.1
Trying 10.23.23.1 ...
% Connections to that host not permitted from this terminal
RouterB#

RouterB#sho run | sec con|access-list
Building configuration...
Current configuration : 1109 bytes
access-list 1 deny   any
line con 0
access-class 1 out
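As an added check that is not part of the original post: a small Python script that parses a running-config and reports which ACL, if any, is applied to each line (con, aux, vty) in each direction, so you can see at a glance where the per-line exec-process restriction described above is actually in place and where it is missing. The sample config is constructed to match the post's scenario (it assumes the standard one-space indentation of show run output); the function names are my own.

```python
import re
from typing import Dict, List, Optional

# Constructed sample running-config, modelled on the post's "sho run | sec con|access-list"
# output: ACL 1 applied outbound on the console, an inbound ACL only on vty 0 4, nothing on aux.
SAMPLE_RUN = """\
hostname RouterB
access-list 1 deny   any
access-list 10 permit 10.23.23.0 0.0.0.255
line con 0
 access-class 1 out
 logging synchronous
line aux 0
line vty 0 4
 access-class 10 in
 transport input telnet ssh
"""

def parse_line_sections(config: str) -> Dict[str, List[str]]:
    """Return {'con 0': [body statements], 'vty 0 4': [...]} for each 'line' block."""
    sections: Dict[str, List[str]] = {}
    current: Optional[str] = None
    for raw in config.splitlines():
        if raw.startswith("line "):
            current = raw[len("line "):].strip()
            sections[current] = []
        elif current is not None and raw.startswith(" "):
            sections[current].append(raw.strip())
        else:
            current = None  # an unindented line ('!' or a global command) ends the block
    return sections

def acl_numbers(config: str) -> set:
    """Numbered ACLs defined at global config level."""
    return {m.group(1) for m in re.finditer(r"^access-list (\d+) ", config, re.M)}

def audit_access_class(config: str) -> Dict[str, Dict[str, Optional[str]]]:
    """For every line block, report the ACL applied inbound and outbound (None if absent).
    An ACL that is referenced but never defined is reported as 'MISSING:<n>' for review."""
    defined = acl_numbers(config)
    report: Dict[str, Dict[str, Optional[str]]] = {}
    for name, body in parse_line_sections(config).items():
        entry: Dict[str, Optional[str]] = {"in": None, "out": None}
        for stmt in body:
            m = re.match(r"access-class (\S+) (in|out)$", stmt)
            if m:
                acl, direction = m.groups()
                entry[direction] = acl if acl in defined else f"MISSING:{acl}"
        report[name] = entry
    return report

def unrestricted_lines(report: Dict[str, Dict[str, Optional[str]]]) -> List[str]:
    """Lines whose exec process has no access-class in either direction."""
    return sorted(n for n, e in report.items() if e["in"] is None and e["out"] is None)
```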

About Paul Stewart, CCIE 26009 (Security)

Paul is a Network and Security Engineer, Trainer and Blogger who enjoys understanding how things really work. With over 15 years of experience in the technology industry, Paul has helped many organizations build, maintain and secure their networks and systems.