From: Snow, Tim (timothy.snow@eds.com)
Date: Tue Jun 17 2003 - 00:32:26 GMT-3
Jason,
the problem with your ACL is that you specified telnet as the source port
and not the destination.
When a host initiates a tcp connection, it'll choose a random port number
above 1024 as the source and the destination as 23. When the far end device
replies back, it'll have a source of 23 (because that was the destination
port of the first initial packet) and the destination port of the host that
initiated the conversation.
Just think what would happen in the world of IP if destination ports weren't
known. Would I connect to a website on port 80 or 5096?
Tim
-----Original Message-----
From: Jason Cash [mailto:cash2001@swbell.net]
Sent: Monday, June 16, 2003 11:08 PM
To: ccielab@groupstudy.com
Subject: Extended ACL clarification.
A certain instructs:
Config R2 such that all telnet traffic sourced from the lo0 of R1 and
destined for the 172.29.80.0 subnet, will go thru R5.
R1 - Lo0 192.168.1.1/32
R2 - S0 172.29.100.2
R5 - S0 172.29.100.5
R1(e1)-----(e0)R2(s0)-----(s0)R5
My question is, is the following incorrect and does it accomplish the same
thing as the solution:
interface Ethernet0
description to R1 E0 (crossover)
ip address 172.29.12.2 255.255.255.192
ip policy route-map local23
!
route-map local23 permit 10
match ip address 100
set ip next-hop 172.29.100.5
!
access-list 100 permit tcp host 192.168.1.1 eq telnet 172.29.80.0 0.0.0.31
The solution provided was:
access-list 100 permit tcp host 192.168.1.1 172.29.80.0 0.0.0.31 eq telnet
I guess I want to know the difference between the two. Would my solution
provide the same result? I interpret mine to mean:
allow traffic from host 192.168.1.1 (tcp src. port 23) to go to subnet
172.29.80.0/27
I interpret the solution as:
allow traffic from host 192.168.1.1 to go to subnet 172.29.80.0/27 (tcp dest.
port 23)
What is the difference? Does telnet not originate from port 23 on
occasion? Is this where the problem would come into play? I get confused
on src/dest. ports, so any links to clear the confusion would be appreciated.
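The source-port versus destination-port difference Tim describes, worked through in code. This is an added example written for this archive page, not code from either poster: it parses the two access-list lines quoted in the thread into a small matcher, builds a constructed two-packet telnet exchange (R1's lo0 with an ephemeral source port to a host in 172.29.80.0/27, and that host's reply), and reports which direction each ACL matches. The parser, the Packet type, the port-name table, the example host 172.29.80.10 and the ephemeral port 34567 are assumptions made for the example; only the two ACL lines and the addresses come from the thread.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Subset of the IOS well-known port names accepted after "eq" (assumption for this example).
PORT_NAMES = {"telnet": 23, "www": 80, "ssh": 22, "ftp": 21, "smtp": 25, "domain": 53}


@dataclass(frozen=True)
class Packet:
    """Minimal TCP header as seen by a policy-routed interface."""
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    proto: str = "tcp"


@dataclass(frozen=True)
class AceEntry:
    """One extended access-list entry; a port of None means 'any port'."""
    action: str
    proto: str
    src_net: ipaddress.IPv4Network
    src_port: Optional[int]
    dst_net: ipaddress.IPv4Network
    dst_port: Optional[int]

    def matches(self, pkt: Packet) -> bool:
        return (
            self.proto == pkt.proto
            and ipaddress.ip_address(pkt.src_ip) in self.src_net
            and ipaddress.ip_address(pkt.dst_ip) in self.dst_net
            and (self.src_port is None or self.src_port == pkt.src_port)
            and (self.dst_port is None or self.dst_port == pkt.dst_port)
        )


def wildcard_to_network(addr: str, wildcard: str) -> ipaddress.IPv4Network:
    """Turn an IOS 'address wildcard' pair (0.0.0.31 -> /27) into an IPv4Network.
    Only contiguous wildcards are handled here (a simplification of IOS)."""
    netmask = int(ipaddress.IPv4Address(wildcard)) ^ 0xFFFFFFFF
    return ipaddress.IPv4Network((addr, str(ipaddress.IPv4Address(netmask))), strict=False)


def parse_ace(line: str) -> AceEntry:
    """Parse 'access-list N permit|deny tcp <src> [eq P] <dst> [eq P]'.
    An 'eq <port>' binds to the address immediately before it; that position
    is the whole difference between the two lines in the thread."""
    toks = line.split()
    if toks[0] != "access-list" or toks[2] not in ("permit", "deny"):
        raise ValueError(f"not an extended ACL entry: {line!r}")
    action, proto = toks[2], toks[3]
    pos = 4

    def take_net() -> ipaddress.IPv4Network:
        nonlocal pos
        if toks[pos] == "any":
            pos += 1
            return ipaddress.IPv4Network("0.0.0.0/0")
        if toks[pos] == "host":
            net = ipaddress.IPv4Network(toks[pos + 1] + "/32")
            pos += 2
            return net
        net = wildcard_to_network(toks[pos], toks[pos + 1])
        pos += 2
        return net

    def take_port() -> Optional[int]:
        nonlocal pos
        if pos < len(toks) and toks[pos] == "eq":
            name = toks[pos + 1]
            pos += 2
            return PORT_NAMES[name] if name in PORT_NAMES else int(name)
        return None

    src_net, src_port = take_net(), take_port()
    dst_net, dst_port = take_net(), take_port()
    return AceEntry(action, proto, src_net, src_port, dst_net, dst_port)


def acl_permits(acl, pkt: Packet) -> bool:
    """First-match evaluation, with the implicit deny at the end of every ACL."""
    for line in acl:
        ace = parse_ace(line)
        if ace.matches(pkt):
            return ace.action == "permit"
    return False


def telnet_exchange(client_ip: str, server_ip: str, ephemeral: int = 34567):
    """Constructed two-packet telnet exchange: the client's first packet carries a
    high random source port and destination 23; the server's reply swaps them."""
    request = Packet(client_ip, server_ip, ephemeral, 23)
    reply = Packet(server_ip, client_ip, 23, ephemeral)
    return request, reply


# The two lines quoted in the thread.
JASON_ACL = "access-list 100 permit tcp host 192.168.1.1 eq telnet 172.29.80.0 0.0.0.31"
SOLUTION_ACL = "access-list 100 permit tcp host 192.168.1.1 172.29.80.0 0.0.0.31 eq telnet"


def compare(acl_line: str) -> dict:
    """Which packets of an R1 -> 172.29.80.0/27 telnet session does this entry match?"""
    request, reply = telnet_exchange("192.168.1.1", "172.29.80.10")  # 172.29.80.10 is a constructed host
    ace = parse_ace(acl_line)
    return {"request_matches": ace.matches(request), "reply_matches": ace.matches(reply)}


if __name__ == "__main__":
    for label, line in (("Jason's line:", JASON_ACL), ("Solution line:", SOLUTION_ACL)):
        print(label, line)
        print("   ", compare(line))
```

Run as written, Jason's line matches neither packet of a session that R1 opens, so the route-map never fires for the traffic the task describes; the solution line matches R1's outbound request (destination port 23) and, as Tim says, not the reply. The one packet Jason's line does match is R1 sending from source port 23, which is what R1's own replies look like when some host in 172.29.80.0/27 telnets to R1, so the answer to "does telnet not originate from port 23 on occasion?" is: only the server side does.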
This archive was generated by hypermail 2.1.4 : Fri Jul 04 2003 - 11:10:59 GMT-3