From: Pamela Forsyth (pforsyth@xxxxxxxxx)
Date: Wed Jun 14 2000 - 08:11:43 GMT-3
James,
It is difficult to see what your "issue" is, but it seems you need to go
back and examine the syntax of IP extended access lists. There are both
source and destination port numbers to be considered here, and you need to
be aware of what appears in both source and destination port fields in the
TCP header of your packets as you try to telnet back and forth between the
routers. You might also want to review the use of the "established"
keyword.
This is basic ACRC material. When I teach the classes I draw a diagram of
what appears in the packet headers (source/destination port numbers, SYN &
ACK bits) as the 3-way handshake occurs. It clarifies things quite a lot.
Pamela
CCIE #3439
On Mon, 12 Jun 2000, ccie lab wrote:
> Here is the issue which seems to be simple but couldn't be solved by only
> using ACL "in" on all interfaces.
>
> R1:s1 ---- s0:R2:s1 ----- s0:R3 (w/EIGRP routing protocol)
> |---------------------->
> R1 telnets to R3
>
> apply ACL 100 on R2 only !
> acl 100 permit eigrp any any
> acl 100 permit TCP any any eq telnet
>
> Following are the output:
>
> Telnet worked fine without applying any ACLs on any interface of R2.
> If applying "acl 100" on s0:R2 as "in" only, telnet worked fine.
>
> If applying "acl 100" on R2:s1 as "in" only, telnet won't work at all.
> From the "debug ip pack " on R2, the package from R3:s0 (source ip) to
> R1:s1 (destination ip) was denied ! It seems to be the returned path
> for the telnet was not working on R2 even though it had been permitted --
> (...TCP any any eq telnet)!
>
> What I had done to try solving this issue are:
> 1. using IOS 11.2(20), IOS 12.0 -- same result.
> 2. using different routers (c25xx) -- same result.
> 3. Using http ( TCP 80 ) instead of telnet (TCP 23) in ACL -- same
> results.
> 4. Looking for Cisco web site and CD documents -- no clue at all.
>
> Putting this issue on this group is the last resort to find the answer
> or to find something wrong either with cisco IOS (hope not) or there
> might be something I did not really understand about the "in" ACL.
>
> Thanks for your time reading this question !
>
>
> James Z
> 7:30 p.m.
> Mon.
>
>
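A small Python model of the port matching Pamela describes, added here as an illustration and not code from either message: it runs James's acl 100 against the two directions of the telnet session as R2 would see them on s0 and s1 (the addresses and the client's ephemeral port are constructed sample values), and shows the two usual ways of also admitting the return path.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Packet:
    proto: str          # "tcp" or "eigrp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    ack: bool = False   # ACK (or RST) bit set: packet belongs to an open session

@dataclass(frozen=True)
class Entry:
    proto: str
    sport: Optional[int] = None   # None means "any", as in the IOS syntax
    dport: Optional[int] = None
    established: bool = False     # require ACK/RST, like the IOS keyword

    def matches(self, p: Packet) -> bool:
        if p.proto != self.proto:
            return False
        if self.sport is not None and p.sport != self.sport:
            return False
        if self.dport is not None and p.dport != self.dport:
            return False
        return p.ack if self.established else True

def permitted(acl, p: Packet) -> bool:
    """First matching permit entry wins; no match means the implicit deny."""
    return any(e.matches(p) for e in acl)

TELNET = 23
R1_S1, R3_S0 = "10.0.12.1", "10.0.23.3"   # constructed sample addresses
CLIENT_PORT = 11001                        # constructed ephemeral port on R1
# R1 -> R3 SYN: destination port 23, source port is R1's ephemeral port.
SYN_TO_R3 = Packet("tcp", R1_S1, R3_S0, CLIENT_PORT, TELNET)
# R3 -> R1 reply: the ports swap, so the destination port is no longer 23.
REPLY_TO_R1 = Packet("tcp", R3_S0, R1_S1, TELNET, CLIENT_PORT, ack=True)
# James's acl 100 as posted: "permit tcp any any eq telnet" checks only dport.
ACL_AS_POSTED = [Entry("eigrp"), Entry("tcp", dport=TELNET)]
# Two ways to also cover the return path: match the reply by its source port
# ("permit tcp any eq telnet any") or use "permit tcp any any established".
ACL_WITH_REPLY = ACL_AS_POSTED + [Entry("tcp", sport=TELNET)]
ACL_ESTABLISHED = ACL_AS_POSTED + [Entry("tcp", established=True)]

def inbound(acl, interface: str) -> bool:
    """Apply the ACL as 'ip access-group 100 in' on R2's s0 or s1 would."""
    # s0 faces R1 and only sees the SYN; s1 faces R3 and only sees the reply.
    return permitted(acl, SYN_TO_R3 if interface == "s0" else REPLY_TO_R1)
```

With the list as posted, `inbound(ACL_AS_POSTED, "s0")` is True and `inbound(ACL_AS_POSTED, "s1")` is False, which matches the two observations in the thread; either of the extended lists makes the s1 case pass.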
This archive was generated by hypermail 2.1.4 : Thu Jun 13 2002 - 08:23:42 GMT-3