From: ccie2be (ccie2be@nyc.rr.com)
Date: Sun Mar 02 2003 - 11:50:34 GMT-3
Hi,
The way I understand it, the 1st "any" refers to the source ip address. If
you don't specify a source port, then all ports are permitted. The 2nd
"any" refers to the destination ip address and likewise if you don't specify
a port, all destination ports are permitted.
So, in the 1st a/c statement, the router will permit packets that come from
any host and that are going to any host as long as the packet is going to
the telnet service.
In the 2nd a/c statement, the router will look at both the source ip address
and source port. Since you say "any" source ip address and "any"
destination ip address but you also say the source port must eq telnet, any
packet that's coming from the telnet process on any host that's going to any
host will be permitted.
In the 3rd statement, the established keyword means that only response
telnet packets are permitted. In other words, the router will look at the
1st packet of a tcp session and then look inside that packet at the source
port. If the source port equals telnet, the packet will be allowed. The
router won't care what the source or destination ip address is because of
the any any. You need to keep in mind that the router knows when a packet
is the initial packet of a tcp session because of the flags that tcp sets
when it starts a session. As a practical matter this makes sense when the
objective is to allow hosts inside your network to initiate telnet sessions
to any host but deny hosts outside your network from initiating a telnet
session to any hosts inside your network. To make this work properly, you
need to make sure you're applying the a/c list to the appropriate interface.
For example, say your router has only an ethernet and serial interface where
the ethernet interface is the inside of your network and the serial
interface is the outside network. In this case, you would apply the a/c
list to the serial interface in the inward direction. When a packet comes
into the serial interface from the cable connected to the serial interface,
the router examines the packet. If the packet is going to the telnet
process AND the tcp flags indicate that this is a response tcp, the packet
is permitted, otherwise the packet is dropped. Since the router in this
case only has 2 interfaces, you could achieve the same results by applying
the filter to the ethernet interface in the outward direction.
To see how this works, consider what happens when a host on the outside
attempts to start a telnet session. When the packet arrives at the serial
interface the router only looks at the destination ip address because there's
no filter applied to the serial interface. After the router determines the
packet is destined to a host on the ethernet segment, it routes the packet
to the ethernet interface. Since there's a filter on the ethernet interface
in the outward direction, the router will first examine the packet. When
the router sees the tcp flags, it will see that this packet is the first
packet of a telnet session and will drop the packet.
Regarding the 2nd group of a/c list statements, the same logic applies.
However, by themselves these a/c list statements don't make much sense
because there's an implicit deny statement at the end of every a/c list.
So, if you used either of these statements alone, you would in essence block
all user traffic.
Hope this helps. Jim
----- Original Message -----
From: "Fan Shan" <fansh@publicf.bta.net.cn>
To: <ccielab@groupstudy.com>
Sent: Sunday, March 02, 2003 6:34 AM
Subject: The difference between these access-lists
> Can someone explain the detail about the difference of these access-lists:
>
> access-list 100 permit tcp any any eq telnet
>
> access-list 100 permit tcp any eq telnet any
>
> access-list 100 permit tcp any any eq telnet established
>
> And if BGP is permitted, do I need to configure both
>
> access-list 100 permit tcp any any eq bgp
> and
> access-list 100 permit tcp any eq bgp any
>
> or only one of them?
>
> Thx
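The matching rules discussed in this thread, as an added example that is not part of the original exchange: a small Python model of Cisco extended-ACL evaluation for TCP, covering source/destination port qualifiers, the `established` keyword (which in IOS matches segments with the ACK or RST bit set, so never a bare SYN) and the implicit deny. The IP addresses and ports are constructed, and the `established` entry is modelled as `permit tcp any eq telnet any established`, which is the assumed form for the inbound-on-serial scenario described above, where the return segments of a session opened from the inside carry source port 23 and the ACK flag. The BGP check at the end assumes an inbound filter and shows why one entry per session direction is needed.

```python
"""Toy model of Cisco extended ACL matching for TCP (added example, not from the thread).
IPs and ports below are constructed sample values."""
from dataclasses import dataclass
from typing import Dict, List, Optional

TELNET = 23
BGP = 179


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    syn: bool = False
    ack: bool = False
    rst: bool = False


@dataclass(frozen=True)
class Ace:
    """One entry: permit/deny tcp any [eq src_port] any [eq dst_port] [established]."""
    action: str
    src_port: Optional[int] = None   # None: no source-port qualifier, all source ports match
    dst_port: Optional[int] = None   # None: no destination-port qualifier
    established: bool = False

    def matches(self, pkt: Packet) -> bool:
        if self.src_port is not None and pkt.src_port != self.src_port:
            return False
        if self.dst_port is not None and pkt.dst_port != self.dst_port:
            return False
        # 'established' matches only segments carrying ACK or RST, i.e. not a session-opening SYN.
        if self.established and not (pkt.ack or pkt.rst):
            return False
        return True


def evaluate(acl: List[Ace], pkt: Packet) -> str:
    """First matching entry wins; no match falls through to the implicit deny."""
    for ace in acl:
        if ace.matches(pkt):
            return ace.action
    return "deny"


# The three telnet statements from the question, one list each.
ACL_DST_TELNET = [Ace("permit", dst_port=TELNET)]                       # permit tcp any any eq telnet
ACL_SRC_TELNET = [Ace("permit", src_port=TELNET)]                       # permit tcp any eq telnet any
ACL_SRC_TELNET_EST = [Ace("permit", src_port=TELNET, established=True)]  # permit tcp any eq telnet any established (assumed form)

# Constructed traffic as seen inbound on the serial (outside) interface.
RETURN_FROM_OUTSIDE_SERVER = Packet("203.0.113.9", TELNET, "10.0.0.5", 40000, syn=True, ack=True)  # reply to an inside-opened session
OUTSIDE_HOST_OPENS_TELNET = Packet("203.0.113.7", 50000, "10.0.0.5", TELNET, syn=True)             # new session from outside
OUTSIDE_SYN_WITH_SRC_PORT_23 = Packet("203.0.113.7", TELNET, "10.0.0.5", TELNET, syn=True)         # sender chose source port 23


def inbound_telnet_decisions(acl: List[Ace]) -> Dict[str, str]:
    """Decision of the given list for each constructed inbound packet."""
    return {
        "return_traffic": evaluate(acl, RETURN_FROM_OUTSIDE_SERVER),
        "new_session_from_outside": evaluate(acl, OUTSIDE_HOST_OPENS_TELNET),
        "new_session_src_port_23": evaluate(acl, OUTSIDE_SYN_WITH_SRC_PORT_23),
    }


# BGP: either peer may open the TCP session to port 179, so an inbound filter
# sees the neighbour's SYN (dst 179) and the replies to our own open (src 179).
NEIGHBOR_OPENS_BGP = Packet("192.0.2.2", 55000, "192.0.2.1", BGP, syn=True)
REPLY_TO_LOCAL_OPEN = Packet("192.0.2.2", BGP, "192.0.2.1", 45000, syn=True, ack=True)
ACL_BGP_SRC_ONLY = [Ace("permit", src_port=BGP)]
ACL_BGP_BOTH = [Ace("permit", src_port=BGP), Ace("permit", dst_port=BGP)]


def inbound_bgp_decisions(acl: List[Ace]) -> Dict[str, str]:
    return {
        "neighbor_opens": evaluate(acl, NEIGHBOR_OPENS_BGP),
        "reply_to_local_open": evaluate(acl, REPLY_TO_LOCAL_OPEN),
    }


if __name__ == "__main__":
    for name, acl in [("any any eq telnet", ACL_DST_TELNET),
                      ("any eq telnet any", ACL_SRC_TELNET),
                      ("any eq telnet any established", ACL_SRC_TELNET_EST)]:
        print(f"{name:32} {inbound_telnet_decisions(acl)}")
    print("bgp src only", inbound_bgp_decisions(ACL_BGP_SRC_ONLY))
    print("bgp both    ", inbound_bgp_decisions(ACL_BGP_BOTH))
```

Running the block shows the point of `established`: the source-port-only entry permits return traffic but also permits any SYN whose sender chose source port 23 (the source port is set by the sender, so it is not a direction check), while the `established` entry permits the return traffic and denies both SYNs. For BGP, the source-port-only list denies the neighbour's own session open, so an inbound filter needs both entries (or the `established` form for the return direction plus a `dst eq bgp` entry for neighbour-initiated sessions).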
This archive was generated by hypermail 2.1.4 : Sat Apr 05 2003 - 08:51:30 GMT-3