The Elusive “access-class out” Command

 “Access-class out” never seems to work the way people expect.  The first explanation most of us reach for is that you must telnet into the router before it applies; in other words, that it has no effect on telnet connections attempted from a console session.  That is not quite right.  Access-class out is a restriction applied to an exec process, and an exec process is spawned when you attach to a line (aux, vty or con).  The restriction therefore follows the line the exec process was started on, not the way you reached the router.  So if we want to restrict where the exec process on the console can go, we must attach the access-class out to “line con 0”.  If we want to control where an inbound telnet session can telnet back out to, that restriction must be applied to the “line vty x y” range the session landed on. 
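To make that rule concrete, here is an added configuration example (mine, not from the original post or from Anthony’s video) that applies both halves at once. The addresses are made up: assume management stations live in 10.0.0.0/24 and the only host an exec session on this router may telnet to is 10.0.1.5. Note the asymmetry in how the standard ACL is read: with “in”, its address field is matched against the source of the connection arriving on the vty; with “out”, the same field is matched against the destination the exec process is trying to reach, because the router itself is now the source.

```cisco
! Added example, not from the original post. Addresses are hypothetical.
!
! ACL 10 is applied with "in", so its address field is matched against the
! SOURCE of connections arriving on the vty lines.
access-list 10 permit 10.0.0.0 0.0.0.255
access-list 10 deny   any log
!
! ACL 20 is applied with "out", so its address field is matched against the
! DESTINATION of any connection the exec process tries to open.
access-list 20 permit 10.0.1.5
access-list 20 deny   any
!
! The console spawns its own exec process, so it needs its own restriction;
! an access-class on the vty lines does nothing for a session started here.
line con 0
 access-class 20 out
!
! Inbound sessions land on a vty; restrict who may connect AND where that
! exec process may telnet back out to.
line vty 0 4
 access-class 10 in
 access-class 20 out
 transport output telnet
```

Because the restriction lives on the line, a session that arrives on a vty and one started from the console are each checked against the access-class on their own line, so leaving “line con 0” without an access-class out leaves console-originated telnet unrestricted. This is not an interface ACL and has no effect on traffic transiting the router. When a denied destination is attempted, IOS prints “% Connections to that host not permitted from this terminal”; “show users” will tell you which line (and therefore which access-class) a given exec session is on.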

Anthony Sequeira has put together a great video demonstrating how to deny an outbound telnet session when the exec process is started from an inbound telnet session.  Below the video, you can find a sample of my testing using a console connection as opposed to an inbound telnet session.

I decided to expand on Anthony’s example and use it on the console line.  This helped me get my mind around the fact that the restriction is on the exec process itself, as opposed to the vty ports being treated as the source of the secondary telnet session.

Trying ... Open
Password required, but none set <<Outbound Telnet Still Permitted (message from remote router)
[Connection to closed by foreign host]
RouterB#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
RouterB(config)#access-list 1 deny any
RouterB(config)#line con 0
RouterB(config-line)#access-class 1 out
Trying ...
% Connections to that host not permitted from this terminal
RouterB#sho run | sec con|access-list
Building configuration...
Current configuration : 1109 bytes
access-list 1 deny   any
line con 0
access-class 1 out


About Paul Stewart, CCIE 26009 (Security)

Paul is a Network and Security Engineer, Trainer and Blogger who enjoys understanding how things really work. With over 15 years of experience in the technology industry, Paul has helped many organizations build, maintain and secure their networks and systems.
This entry was posted in Career.

6 Responses to The Elusive “access-class out” Command

  1. Luis says:

    Hello Paul, after reading your post and testing around with a 2960 at home I have one question that I was hoping you can help me to figure out. Is there any scenario in which you will use an access-class with the out keyword on the console port?

    – Luis

  2. Luis says:

    Sorry, I meant an “access-class” with the “in” keyword on the console port.

    – Luis

  3. Pingback: Understanding 'transport output' and 'access-class' - PacketU

  4. Anonymous says:

    I agree about con 0 line but disagree about aux 0. Try setting line aux 0 transport input telnet and then telnet to the router IP address with port 2001. I hope that the result doesn’t surprise you too much. 🙂

    • Thanks for the feedback. I don’t have a physical router up at the moment that I can test reverse telnet behavior with. Feel free to post what you see. Whether it works or not wouldn’t surprise me. This post was purely about outbound (from the perspective of the exec session) and “access-class” out on the lines. Here I don’t make a claim on how the “in” counterpart works. I don’t know whether it applies only when exec is launched or when reverse telnet proxies it through (I’ll test when I can).

      Outbound initiated sessions were further tested in this post–
