RE: Help on 3550

From: Ouellette, Tim (tim.ouellette@eds.com)
Date: Sun Oct 13 2002 - 06:06:04 GMT-3


okay, so an extended ACL works with any any

I understand now what you're doing.

Can you try something like this:

access-list 101 permit tcp any gt 1023 host 148.90.20.2 eq telnet

and apply that to your line vty 0 4

and debug ip packet.

It appears that the telnet is reaching the line because I see the following:
> 8w1d: TCP: sent RST to 148.4.2.2:11021 from 148.4.20.2:23

The RST bit, or Reset bit, is when your telnet is denied. At least I think so.
Do you get an immediate deny or does it take a while to time out?

Tim

-----Original Message-----
From: SRINIVAS TENNETI [mailto:st_552587@yahoo.com]
Sent: Sunday, October 13, 2002 4:39 AM
To: Ouellette, Tim
Subject: RE: Help on 3550

Hi Tim,

Yes, I am able to ping 148.4.20.2. It looks like an
ACL problem. The IP permit any any worked. The TCP any
any is not working. Here is the config when it does
not work:

Switch config
interface Vlan2
 ip address 148.4.20.2 255.255.255.0
!
ip classless
ip http server
!
!
!
access-list 101 permit tcp any any established
!
line con 0
line vty 0 4
 access-class 101 in
 no login
line vty 5 15
 access-class 101 in
 no login

Router config

ip telnet source-interface Loopback0
no ip domain-lookup
ip host foo 148.4.20.2
!
!
!
!
interface Loopback0
 ip address 148.4.2.2 255.255.255.0
!
interface Ethernet0
 ip address 148.4.20.1 255.255.255.0
 no ip mroute-cache

Thanks,

Srinivas

--- "Ouellette, Tim" <tim.ouellette@eds.com> wrote:
> Try this. Do a permit ip any any and see if your
> telnet works, that way we
> know it's an ACL problem.
>
> Can you send the relevant access-list config and
> interface config. Can you
> ping that 148.4.20.2 address. Does the other side
> have any ACL's? Is there
> any inbound ACL's on the 3550?
>
> Maybe try the established keyword. I doubt this
> will work but just
> guessing...
>
> Tim
>
>
> -----Original Message-----
> From: SRINIVAS TENNETI [mailto:st_552587@yahoo.com]
> Sent: Sunday, October 13, 2002 4:07 AM
> To: Ouellette, Tim
> Subject: RE: Help on 3550
>
>
> Tim,
>
> Thanks for the help. Here are the debugs for IP and
> TCP on the cat3550:
> 8w1d: datagramsize=64, IP 0: s=148.4.2.2 (Vlan2), d=148.4.20.2, totlen 44, fragment 0, fo 0, rcvd 1
> 8w1d: tcp0: I LISTEN 148.4.2.2:11021 148.4.20.2:23 seq 2450020558 OPTS 4 SYN WIN 4128
> 8w1d: TCP: sending RST, seq 0, ack 2450020559
> 8w1d: TCP: sent RST to 148.4.2.2:11021 from 148.4.20.2:23
> 8w1d: datagramsize=48, IP 3266: s=148.4.20.2 (local), d=148.4.2.2 (Vlan2), totlen 40, fragment 0, fo 0, sending
> 8w1d: datagramsize=60, IP 3266: s=148.4.20.2 (local), d=148.4.2.2 (Vlan2), totlen 40, fragment 0, fo 0, sending full packet
>
> S7#sh ip access-lists
> Extended IP access list 101
> permit tcp any host 148.4.20.2 eq telnet log
>
> I have put the log keyword on but nothing matches it. It looks like
> the packet is dropped before reaching the VTY lines.
>
> Srinivas
> --- "Ouellette, Tim" <tim.ouellette@eds.com> wrote:
> > Can you debug ip packet and see if it's getting
> > denied? Try changing your
> > acl and put the log keyword there.
> >
> > Interesting.
> >
> > Do you have any inbound ACL'S?
> >
> > Tim
> >
> >
> > -----Original Message-----
> > From: SRINIVAS TENNETI [mailto:st_552587@yahoo.com]
> > Sent: Sunday, October 13, 2002 3:13 AM
> > To: Ouellette, Tim
> > Cc: 'ccielab@groupstudy.com'
> > Subject: RE: Help on 3550
> >
> >
> > The telnet source is ethernet interface 148.4.20.1. I
> > tried with a different source, loopback0, and I still see
> > the same problem.
> >
> > Srinivas
> >
> >
> > --- "Ouellette, Tim" <tim.ouellette@eds.com> wrote:
> > > What is your telnet source? Can you source it
> > with
> > > a different ip?
> > >
> > > Tim
> > >
> > > -----Original Message-----
> > > From: SRINIVAS TENNETI [mailto:st_552587@yahoo.com]
> > > Sent: Sunday, October 13, 2002 12:44 AM
> > > To: ccielab@groupstudy.com
> > > Subject: Help on 3550
> > >
> > >
> > > This is the problem I have.
> > > .2 148.4.20.0 .1
> > >
> > > S7--------------------------------------R2
> > > Cat3550
> > >
> > > They are connected by FE. When I use standard
> > > access-list on Cat3550. It works fine.
> > >
> > > S7#sh access-lists
> > > Standard IP access list 1
> > > permit 148.4.20.1 (2 matches)
> > > Extended IP access list dhcp_glean_acl (per-user)
> > > permit udp any eq bootpc host 255.255.255.255 eq bootps
> > >
> > > R2#telnet 148.4.20.2
> > > Trying 148.4.20.2 ... Open
> > >
> > > S7>
> > >
> > > If I use extended ACL then there is the problem
> > >
> > > S7#sh ip access-lists
> > > Extended IP access list 100
> > > permit tcp host 148.4.20.1 host 148.4.20.2 eq telnet
> > > Extended IP access list dhcp_glean_acl (per-user)
> > > permit udp any eq bootpc host 255.255.255.255 eq bootps
> > >
> > >
> > > R2#telnet 148.4.20.2
> > > Trying 148.4.20.2 ...
> > > % Connection refused by remote host
> > >
> > > Thanks,
> > >
> > > Srinivas
> > >
> > >
> > >
> > > __________________________________________________
> > > Do you Yahoo!?
> > > Faith Hill - Exclusive Performances, Videos & More
> > > http://faith.yahoo.com
> >
> >
>
>

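As an added illustration of the ACL semantics this thread is wrestling with (this is not code from the thread or from Cisco; it is a small Python model of extended-ACE matching written for this page), the block below parses the access-list entries quoted above, evaluates them against the SYN that the debug output shows arriving (148.4.2.2:11021 to 148.4.20.2:23), and shows why `permit tcp any any established` can never admit a new telnet session while `permit ip any any` and Tim's `gt 1023 ... eq telnet` entry both can. The packet, the port-name table, the ACL labels and the helper names are constructed; Tim's suggested entry is used with the switch address 148.4.20.2 from the posted config rather than the 148.90.20.2 he typed. The model covers ACE matching only; it does not reproduce how the 3550 applies `access-class` to VTY traffic, which the thread leaves unresolved.

```python
"""Constructed model of Cisco-style extended ACL matching (first match wins,
implicit deny at the end). Written for this page; not Cisco IOS code."""
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

# Port names that appear in the thread (constructed subset of IOS names).
PORT_NAMES = {"telnet": 23, "bootps": 67, "bootpc": 68}
PORT_OPS = {
    "eq": lambda p, n: p == n,
    "gt": lambda p, n: p > n,
    "lt": lambda p, n: p < n,
    "neq": lambda p, n: p != n,
}


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dst: str
    sport: int
    dport: int
    flags: frozenset = frozenset()  # e.g. {"SYN"}, {"SYN", "ACK"}, {"ACK"}


@dataclass(frozen=True)
class Ace:
    action: str
    proto: str
    src: ipaddress.IPv4Network
    sport: Optional[Tuple[str, int]]
    dst: ipaddress.IPv4Network
    dport: Optional[Tuple[str, int]]
    established: bool
    text: str


def _parse_addr(tokens, i):
    """Consume 'any' | 'host A' | 'A WILDCARD' (contiguous wildcard assumed)."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    addr, wildcard = tokens[i], tokens[i + 1]
    mask = ".".join(str(255 - int(o)) for o in wildcard.split("."))  # invert wildcard
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False), i + 2


def _parse_port(tokens, i):
    """Consume an optional 'eq|gt|lt|neq PORT' operator."""
    if i < len(tokens) and tokens[i] in PORT_OPS:
        name = tokens[i + 1]
        return (tokens[i], PORT_NAMES.get(name) or int(name)), i + 2
    return None, i


def parse_ace(line: str) -> Ace:
    """Parse one entry such as 'permit tcp any gt 1023 host 148.4.20.2 eq telnet'."""
    t = line.split()
    action, proto = t[0], t[1]
    src, i = _parse_addr(t, 2)
    sport, i = _parse_port(t, i) if proto in ("tcp", "udp") else (None, i)
    dst, i = _parse_addr(t, i)
    dport, i = _parse_port(t, i) if proto in ("tcp", "udp") else (None, i)
    return Ace(action, proto, src, sport, dst, dport, "established" in t[i:], line)


def _port_ok(spec, port):
    return spec is None or PORT_OPS[spec[0]](port, spec[1])


def ace_matches(ace: Ace, pkt: Packet) -> bool:
    if ace.proto != "ip" and ace.proto != pkt.proto:
        return False
    if ipaddress.ip_address(pkt.src) not in ace.src:
        return False
    if ipaddress.ip_address(pkt.dst) not in ace.dst:
        return False
    if not _port_ok(ace.sport, pkt.sport) or not _port_ok(ace.dport, pkt.dport):
        return False
    # 'established' matches only segments with ACK or RST set; a fresh SYN has neither.
    if ace.established and not (pkt.flags & {"ACK", "RST"}):
        return False
    return True


def evaluate(acl, pkt: Packet):
    """Return (action, matching entry); the ACL ends with an implicit deny."""
    for ace in acl:
        if ace_matches(ace, pkt):
            return ace.action, ace.text
    return "deny", "implicit deny ip any any"


# The SYN seen in the quoted debug output: telnet sourced from R2's Loopback0.
TELNET_SYN = Packet("tcp", "148.4.2.2", "148.4.20.2", 11021, 23, frozenset({"SYN"}))

ACLS = {  # labels are constructed; entries are the ones posted in the thread
    "acl 101 established": ["permit tcp any any established"],
    "permit ip any any": ["permit ip any any"],
    "acl 101 with log": ["permit tcp any host 148.4.20.2 eq telnet log"],
    "tim gt 1023": ["permit tcp any gt 1023 host 148.4.20.2 eq telnet"],
    "acl 100 eth source": ["permit tcp host 148.4.20.1 host 148.4.20.2 eq telnet"],
}


def verdicts(pkt: Packet = TELNET_SYN) -> dict:
    """Verdict of each posted ACL for the given packet."""
    return {name: evaluate([parse_ace(l) for l in lines], pkt)[0]
            for name, lines in ACLS.items()}


if __name__ == "__main__":
    for name, verdict in verdicts().items():
        print(f"{name:22s} -> {verdict}")
```

Run it and each ACL prints its verdict for the SYN. The `established` entry denies because the keyword matches only segments carrying ACK or RST, and a client's first SYN carries neither; ACL 100 denies because once telnet is sourced from Loopback0 the source is 148.4.2.2, not the 148.4.20.1 the entry names. Watching for the RST in the `debug ip tcp` output, as Tim suggests, is the quickest confirmation that the SYN reached the switch's TCP stack and was refused rather than silently discarded.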


This archive was generated by hypermail 2.1.4 : Tue Nov 05 2002 - 08:35:45 GMT-3