From: Enrico Asproni (easproni@cisco.com)
Date: Mon Nov 10 2003 - 16:48:13 GMT-3
George,
For question 1:
At first look this makes sense. If you perform a normal telnet to
a device, you will use tcp port 23 but when the remote side answers,
it will not use port 23 but just another random port number (e.g. port
11935). Your acl out on the switch will allow packets out matching
the desired port number to reach the remote device, and when the
remote device answers, since the acl is outbound, it will not block
anything coming back to the source. However, when you try to initiate
the telnet from the remote side (in your case 192.168.100.170) the
packets will make it to 1.1.1.2 but the reply from 1.1.1.2 (using a
random port) will for sure not make it back to 192.168.100.170 because
of the acl permitting only one tcp port ...
Hope this makes sense,
Enrico
George He wrote:
>
> Hi group,
>
> I have two questions on ACL and debug ip packet. Please see topology
> below.
>
> Question:
>
> 1. With access-l 101 like below
>
> access-list 101 permit tcp 1.1.1.0 0.0.0.255 192.168.100.0 0.0.0.255 eq
> 135
> access-list 101 permit tcp 192.168.100.0 0.0.0.255 1.1.1.0 0.0.0.255 eq
> 135
>
> I can telnet 1.1.1.2 135 from 192.168.100.170, but I cannot telnet
> 192.168.100.170 135 from 1.1.1.2. Why? I think I should be able to
> telnet both sides successfully.
>
> After I added
>
> access-list 101 permit tcp 192.168.100.0 0.0.0.255 1.1.1.0 0.0.0.255
> established
>
> It's ok. Why?
>
> 2. When I enter "debug ip packet 101" and try to telnet to 1.1.1.2
> from 192.168.100.170, I cannot see any packet on the console of the
> router. But "debug ip packet" works fine. As you know, I disabled ip
> route-cache on interfaces vlan1 and vlan2 and still cannot see any packets.
>
> Any comments? Many thanks.
>
> Topology and configuration:
>
> Host1(192.168.100.170/24)------(Vlan1 192.168.100.16/24) Switch (VLAN2
> 1.1.1.1/24)---------Host2(1.1.1.2/24)
>
> Switch#sh run
> Building configuration...
>
> Current configuration : 3106 bytes
> !
> version 12.1
> no service pad
> service timestamps debug uptime
> service timestamps log uptime
> no service password-encryption
> !
> hostname Switch
> !
> enable secret 5 $1$9TmA$IBABpTPxa4675WV1AdIP6.
> !
> ip subnet-zero
> ip routing
> !
> !
> spanning-tree mode pvst
> no spanning-tree optimize bpdu transmission
> spanning-tree extend system-id
> !
> !
> !
> interface GigabitEthernet1/0/1
> no ip address
> mdix auto
> spanning-tree portfast
> !
> interface GigabitEthernet1/0/2
> no ip address
> mdix auto
> spanning-tree portfast
> !
> interface GigabitEthernet1/0/3
> no ip address
> mdix auto
> spanning-tree portfast
> !
> interface GigabitEthernet1/0/4
> no ip address
> mdix auto
> spanning-tree portfast
> !
> interface GigabitEthernet1/0/5
> switchport access vlan 2
> switchport mode access
> no ip address
> mdix auto
> spanning-tree portfast
> !
> interface GigabitEthernet1/0/6
> no ip address
> mdix auto
> spanning-tree portfast
> !
> interface GigabitEthernet1/0/7
> no ip address
> mdix auto
> spanning-tree portfast
> !
> interface GigabitEthernet1/0/8
> no ip address
> mdix auto
> spanning-tree portfast
> !
> interface GigabitEthernet1/0/9
> no ip address
> mdix auto
> spanning-tree portfast
> !
> interface GigabitEthernet1/0/10
> no ip address
> mdix auto
> spanning-tree portfast
> !
> interface GigabitEthernet1/0/11
> no ip address
> mdix auto
> spanning-tree portfast
> !
> interface GigabitEthernet1/0/12
> no ip address
> mdix auto
> spanning-tree portfast
> !
> interface GigabitEthernet1/0/13
> no ip address
> mdix auto
> spanning-tree portfast
> !
> interface GigabitEthernet1/0/14
> no ip address
> mdix auto
> spanning-tree portfast
> !
> interface GigabitEthernet1/0/15
> no ip address
> mdix auto
> spanning-tree portfast
> !
> interface GigabitEthernet1/0/16
> no ip address
> mdix auto
> spanning-tree portfast
> !
> interface GigabitEthernet1/0/17
> no ip address
> mdix auto
> spanning-tree portfast
> !
> interface GigabitEthernet1/0/18
> no ip address
> mdix auto
> spanning-tree portfast
> !
> interface GigabitEthernet1/0/19
> no ip address
> mdix auto
> spanning-tree portfast
> !
> interface GigabitEthernet1/0/20
> no ip address
> mdix auto
> spanning-tree portfast
> !
> interface GigabitEthernet1/0/21
> no ip address
> mdix auto
> spanning-tree portfast
> !
> interface GigabitEthernet1/0/22
> no ip address
> mdix auto
> spanning-tree portfast
> !
> interface GigabitEthernet1/0/23
> no ip address
> mdix auto
> spanning-tree portfast
> !
> interface GigabitEthernet1/0/24
> no ip address
> mdix auto
> spanning-tree portfast
> !
> interface GigabitEthernet1/0/25
> no ip address
> !
> interface GigabitEthernet1/0/26
> no ip address
> !
> interface GigabitEthernet1/0/27
> no ip address
> !
> interface GigabitEthernet1/0/28
> no ip address
> !
> interface Vlan1
> ip address 192.168.100.16 255.255.255.0
> no ip route-cache
> no ip mroute-cache
> !
> interface Vlan2
> ip address 1.1.1.1 255.255.255.0
> ip access-group 101 out
> no ip route-cache
> no ip mroute-cache
> !
> ip classless
> ip http server
> !
> access-list 101 permit tcp 1.1.1.0 0.0.0.255 192.168.100.0 0.0.0.255 eq
> 135
> access-list 101 permit tcp 192.168.100.0 0.0.0.255 1.1.1.0 0.0.0.255 eq
> 135
> !
> line con 0
> logging synchronous
> line vty 0 4
> logging synchronous
> no login
> line vty 5 15
> logging synchronous
> no login
> !
> end
>
> Switch#
>
> Regards
>
> George
>
> _______________________________________________________________________
> Please help support GroupStudy by purchasing your study materials from:
> http://shop.groupstudy.com
>
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html
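The behaviour discussed under question 1 can be reproduced with a small model of the ACL. The Python below is an added example, not code from the original post, from GroupStudy or from Cisco: it parses the access-list lines quoted from George's configuration (only the syntax that appears in the thread; `eq PORT` is taken to match the destination port and `established` to match segments with ACK or RST set, as this model assumes), applies the list outbound on Vlan2 as `ip access-group 101 out` does, and checks whether a telnet three-way handshake completes in each direction. Port 11935 is the example port from Enrico's reply; all other packet values are constructed.

```python
# Added example, not part of the original thread: model of a Cisco extended
# ACL applied "out" on Vlan2 and evaluated against the thread's telnet traffic.
# Only this subset of the syntax is parsed (the lines seen in the config):
#   access-list N permit|deny tcp SRC SRC-WILD DST DST-WILD [eq PORT] [established]
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class AclEntry:
    action: str                 # "permit" or "deny"
    src: str                    # source network and Cisco wildcard mask
    src_wild: str
    dst: str                    # destination network and wildcard mask
    dst_wild: str
    eq: Optional[int] = None    # trailing "eq PORT" compares the DESTINATION port
    established: bool = False   # "established": segment must carry ACK or RST


@dataclass(frozen=True)
class TcpSegment:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    ack: bool = False
    rst: bool = False


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Cisco wildcard semantics: a 1 bit in the mask means 'don't care'."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (b & care)


def parse_acl_line(line: str) -> AclEntry:
    tok = line.split()
    if tok[0] != "access-list" or tok[3] != "tcp":
        raise ValueError(f"unsupported ACL line: {line!r}")
    action, src, src_wild, dst, dst_wild = tok[2], tok[4], tok[5], tok[6], tok[7]
    eq: Optional[int] = None
    established = False
    rest, i = tok[8:], 0
    while i < len(rest):
        if rest[i] == "eq":
            eq = int(rest[i + 1])
            i += 2
        elif rest[i] == "established":
            established = True
            i += 1
        else:
            raise ValueError(f"unsupported keyword {rest[i]!r} in {line!r}")
    return AclEntry(action, src, src_wild, dst, dst_wild, eq, established)


def entry_matches(e: AclEntry, s: TcpSegment) -> bool:
    return (wildcard_match(s.src_ip, e.src, e.src_wild)
            and wildcard_match(s.dst_ip, e.dst, e.dst_wild)
            and (e.eq is None or s.dst_port == e.eq)
            and (not e.established or s.ack or s.rst))


def acl_permits(acl: List[AclEntry], s: TcpSegment) -> bool:
    """First matching entry wins; an unmatched segment hits the implicit deny."""
    for e in acl:
        if entry_matches(e, s):
            return e.action == "permit"
    return False


# Topology from the thread: Vlan1 = 192.168.100.0/24, Vlan2 = 1.1.1.0/24, and
# access-group 101 is applied outbound on Vlan2 only, so a segment is checked
# only when the switch forwards it toward 1.1.1.0/24. Vlan1 carries no ACL.
VLAN2 = ipaddress.ip_network("1.1.1.0/24")


def switch_forwards(acl: List[AclEntry], s: TcpSegment) -> bool:
    if ipaddress.ip_address(s.dst_ip) in VLAN2:
        return acl_permits(acl, s)
    return True


def handshake_completes(acl: List[AclEntry], client_ip: str, client_port: int,
                        server_ip: str, server_port: int) -> bool:
    """Telnet connects only if the SYN and the returning SYN-ACK are both forwarded."""
    syn = TcpSegment(client_ip, client_port, server_ip, server_port)
    syn_ack = TcpSegment(server_ip, server_port, client_ip, client_port, ack=True)
    return switch_forwards(acl, syn) and switch_forwards(acl, syn_ack)


ACL_ORIGINAL = [parse_acl_line(ln) for ln in (
    "access-list 101 permit tcp 1.1.1.0 0.0.0.255 192.168.100.0 0.0.0.255 eq 135",
    "access-list 101 permit tcp 192.168.100.0 0.0.0.255 1.1.1.0 0.0.0.255 eq 135",
)]
ACL_WITH_ESTABLISHED = ACL_ORIGINAL + [parse_acl_line(
    "access-list 101 permit tcp 192.168.100.0 0.0.0.255 1.1.1.0 0.0.0.255 established")]

if __name__ == "__main__":
    for name, acl in (("original", ACL_ORIGINAL), ("with established", ACL_WITH_ESTABLISHED)):
        print(name)
        print("  Host1 -> 1.1.1.2:135         ",
              handshake_completes(acl, "192.168.100.170", 11935, "1.1.1.2", 135))
        print("  Host2 -> 192.168.100.170:135 ",
              handshake_completes(acl, "1.1.1.2", 11935, "192.168.100.170", 135))
```

Running it shows the asymmetry: the SYN from 1.1.1.2 reaches Host1 untouched because it leaves through Vlan1, which has no ACL, but the SYN-ACK from 192.168.100.170:135 back to 1.1.1.2:11935 leaves through Vlan2 and matches neither line, since `eq 135` is compared against the destination port, which on the reply is the client's ephemeral port. The `established` line permits that reply because its ACK bit is set. The model also makes visible that the first line of the list (source 1.1.1.0/24, destination 192.168.100.0/24) can never match in Vlan2's outbound direction, where every segment has a destination in 1.1.1.0/24.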
This archive was generated by hypermail 2.1.4 : Fri Dec 12 2003 - 12:29:10 GMT-3