From: Tony Schaffran (groupstudy@cconlinelabs.com)
Date: Tue Oct 26 2004 - 21:08:23 GMT-3
The ACL you state should work. It will allow not only telnet to 3023, but to
port 23, the default telnet port, as well.
The ACL here:
access-list 100 permit tcp any any eq 3023
access-list 100 deny tcp any any eq telnet
will allow only port 3023 and not allow any other telnet port. Of course
the second line is purely cosmetic because of the implicit deny.
Now, you say you have tried just the first line by itself and it did not
work. Could you specify what you have tried again? Did you setup reverse
telnet to port 3023 or change the default telnet port to 3023 for your test?
Tony Schaffran
Network Analyst
CCIE #11071
CCNP, CCNA, CCDA,
NNCDS, NNCSS, CNE, MCSE
www.cconlinelabs.com
Your #1 choice for online Cisco rack rentals.
-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
ccie2be
Sent: Tuesday, October 26, 2004 4:27 AM
To: Group Study
Subject: ACL for telneting to a specific port
Hi guys,
I want to create an acl which allows only telnets to port 3023.
In the example I just saw yesterday this required two lines as follows:
access-list 100 permit tcp any any eq telnet
access-list 100 permit tcp any any eq 3023
I tried this out and it works. But, if I use either entry by itself, it
doesn't work. It also doesn't work if the entries are in the reverse order,
i.e. the eq 3023 entry comes before the eq telnet entry.
This example seems to break the rules of ACL processing which I thought I knew:
each entry is evaluated from top to bottom INDEPENDENTLY. If an entry
permits the packet, stop processing the ACL. If an entry denies the packet,
stop processing. If a packet doesn't match an entry, go to the next entry
and repeat.
Is the above acl an exception to the logic of acl processing as I understand
it or am I missing something?
Thanks, Tim
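The matching logic both posters describe (top to bottom, first match wins, implicit deny at the end) can be checked directly by walking the three ACLs from this thread through a small simulator. The code below is an added example written for this page, not IOS code and not part of either message; it models only the "any any [eq port]" form of extended ACL entry used here, ignores addresses, and assumes a hypothetical subset of IOS port keywords (PORT_NAMES). It shows that a single "permit tcp any any eq 3023" line already passes port 3023 and drops port 23 by the implicit deny, that adding "deny ... eq telnet" after it changes nothing, and that the order of two permits on disjoint ports does not change the result, which is why Tony asks what the single-line test actually looked like rather than looking for an exception in ACL logic.

```python
from dataclasses import dataclass
from typing import List, Optional

# Hypothetical subset of the port keywords IOS accepts after "eq"
# (assumption for this example; IOS knows many more).
PORT_NAMES = {"telnet": 23, "www": 80, "ssh": 22}


@dataclass(frozen=True)
class Packet:
    proto: str      # "tcp" or "udp"
    dst_port: int


@dataclass(frozen=True)
class Ace:
    action: str               # "permit" or "deny"
    proto: str                # "tcp", "udp" or "ip"
    dst_port: Optional[int]   # None means "any destination port"


def parse_ace(line: str) -> Ace:
    """Parse one 'access-list <n> <action> <proto> any any [eq <port>]' line.

    Only the 'any any' source/destination form used in the thread is
    modelled; source and destination addresses are ignored.
    """
    tokens = line.split()
    action, proto = tokens[2], tokens[3]
    dst_port = None
    if len(tokens) >= 8 and tokens[6] == "eq":
        port_tok = tokens[7]
        dst_port = PORT_NAMES[port_tok] if port_tok in PORT_NAMES else int(port_tok)
    return Ace(action, proto, dst_port)


def build_acl(lines: List[str]) -> List[Ace]:
    return [parse_ace(line) for line in lines]


def evaluate(acl: List[Ace], pkt: Packet) -> str:
    """Top-to-bottom evaluation: the first matching entry decides.

    An entry that does not match is skipped; if no entry matches, the
    implicit deny at the end of every IOS ACL applies.
    """
    for ace in acl:
        if ace.proto != "ip" and ace.proto != pkt.proto:
            continue
        if ace.dst_port is not None and ace.dst_port != pkt.dst_port:
            continue
        return ace.action
    return "deny"


# The three ACLs discussed in the thread.
PERMIT_3023_ONLY = build_acl([
    "access-list 100 permit tcp any any eq 3023",
])
PERMIT_TELNET_AND_3023 = build_acl([
    "access-list 100 permit tcp any any eq telnet",
    "access-list 100 permit tcp any any eq 3023",
])
PERMIT_3023_DENY_TELNET = build_acl([
    "access-list 100 permit tcp any any eq 3023",
    "access-list 100 deny tcp any any eq telnet",
])


def decisions(acl: List[Ace]) -> dict:
    """ACL result for constructed TCP packets to ports 23, 3023 and 80."""
    return {port: evaluate(acl, Packet("tcp", port)) for port in (23, 3023, 80)}


if __name__ == "__main__":
    for name, acl in [("permit 3023 only", PERMIT_3023_ONLY),
                      ("permit telnet + 3023", PERMIT_TELNET_AND_3023),
                      ("permit 3023, deny telnet", PERMIT_3023_DENY_TELNET)]:
        print(f"{name:26s} {decisions(acl)}")
```

Two things worth keeping in mind when reading the output: the two-line ACL from the original post permits port 23 as well as 3023, so it is not "only telnets to port 3023"; and every entry here is "any any", so whichever variant is used, it opens the port from every source to every destination the ACL is applied to, which is broader than a lab reverse-telnet test needs.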
This archive was generated by hypermail 2.1.4 : Sat Nov 06 2004 - 17:11:53 GMT-3