RE: Clarification on time range acl

From: ccie2be (ccie2be@nyc.rr.com)
Date: Sun May 29 2005 - 17:25:58 GMT-3


Cool. thanks.

-----Original Message-----
From: Brian Dennis [mailto:bdennis@internetworkexpert.com]
Sent: Sunday, May 29, 2005 3:44 PM
To: ccie2be; Chad Hintz; ccie lab
Subject: RE: Clarification on time range acl

Tim,
        You can telnet to ports other than 23 to test out applications (WWW, SMTP, POP3, NNTP, etc). When you telnet to these ports you are basically just opening a TCP connection to them. See below:

Rack1R3(config)#ip http server
Rack1R3(config)#^Z
Rack1R3#
Rack1AS>1
[Resuming connection 1 to r1 ... ]

Rack1R1#
Rack1R1#telnet 156.1.136.3 80
Trying 156.1.136.3, 80 ... Open
GET /
WWW-Authenticate: Basic realm="level_15_access"

401 Unauthorized

[Connection to 156.1.136.3 closed by foreign host]
Rack1R1#

[root@CoachZ root]# telnet www.yahoo.com 80
Trying 66.94.230.46...
Connected to www.yahoo.com.
Escape character is '^]'.
GET /
<html><head>
<script language=javascript>
var now=new
Date,t1=0,t2=0,t3=0,t4=0,t5=0,t6=0,hp=0,cc='',ylp='';t1=now.getTime();
</script>
<title>Yahoo!</title>

<****SNIP***>

</body>
</html>
Connection closed by foreign host.
[root@CoachZ root]#
[root@CoachZ root]# telnet mail.finesthost.com 25
Trying 63.170.71.3...
Connected to mail.finesthost.com.
Escape character is '^]'.
220 X1 NT-ESMTP Server mail.finesthost.com (IMail 6.06 239668-12)
HELO
250 hello mail.finesthost.com
QUIT
221 Goodbye
Connection closed by foreign host.
[root@CoachZ root]#

[root@CoachZ root]# telnet mail.finesthost.com 110
Trying 63.170.71.3...
Connected to mail.finesthost.com.
Escape character is '^]'.
+OK X1 NT-POP3 Server mail.finesthost.com (IMail 6.06 480787-5)
USER bdennis
+OK send your password
QUIT
+OK POP3 Server saying Good-Bye
Connection closed by foreign host.
[root@CoachZ root]#

Brian Dennis, CCIE #2210 (R&S/ISP-Dial/Security)

bdennis@internetworkexpert.com
Internetwork Expert, Inc.
http://www.InternetworkExpert.com
Toll Free: 877-224-8987
Direct: 775-745-6404 (Outside the US and Canada)
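The point Brian's captures make is that `telnet host port` is nothing more than a TCP handshake followed by whatever you type, so any socket client can stand in for it when you want to confirm that a filter passes or blocks a port. The following is an added example, not code from the thread: it opens a TCP connection the way telnet does and collects whatever the peer sends first. To run offline it starts its own listener on 127.0.0.1 with a constructed greeting modelled on the SMTP banner above; the listener, the banner text and the helper names are all assumptions for this illustration.

```python
"""A plain-socket stand-in for 'telnet <host> <port>' used as a reachability
check.  Added example; the local listener and its banner are constructed
so the script runs without any real mail or web server."""

import socket
import threading

SMTP_BANNER = b"220 example.test ESMTP constructed-banner\r\n"  # constructed, not a real host


def tcp_probe(host: str, port: int, request: bytes = b"", timeout: float = 3.0):
    """Return (reachable, first_bytes).

    reachable is False when the TCP connect fails (refused, or timed out as it
    does behind a deny entry); first_bytes holds up to 256 bytes the peer sent
    back before closing, which is what telnet would have printed."""
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except OSError:
        return False, b""
    with sock:
        sock.settimeout(timeout)
        if request:
            sock.sendall(request)
        received = b""
        while len(received) < 256:
            try:
                chunk = sock.recv(256 - len(received))
            except OSError:          # includes the read timeout
                break
            if not chunk:            # peer closed the connection
                break
            received += chunk
    return True, received


def start_banner_listener(banner: bytes) -> int:
    """Start a one-shot listener on 127.0.0.1 that sends `banner` and closes.
    Returns the ephemeral port it was given."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def serve():
        conn, _ = srv.accept()
        with conn:
            conn.sendall(banner)
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return port


def closed_port() -> int:
    """Pick a port nothing listens on: bind, read the number, release it."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


if __name__ == "__main__":
    port = start_banner_listener(SMTP_BANNER)
    ok, data = tcp_probe("127.0.0.1", port)
    print(f"port {port}: open={ok} banner={data!r}")
    ok, data = tcp_probe("127.0.0.1", closed_port())
    print(f"closed port: open={ok}")
```

Against a real filter the distinction Chad saw shows up in the failure mode: a refused connect comes back immediately (host reachable, nothing listening), while a connect that times out is what an ACL drop looks like.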

-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
ccie2be
Sent: Sunday, May 29, 2005 12:00 PM
To: 'Chad Hintz'; 'ccie lab'
Subject: RE: Clarification on time range acl

Chad,

The way I read your configs, when the time range is active, incoming www traffic is allowed. And only ICMP traffic is allowed at all times.

I think the problem is your testing is NOT legit.

I believe, but I'm not 100% sure, that when you telnet to port 80 you're still telnetting but now using a non-standard dest port.

If you haven't changed the standard telnet port on the dest device to 80, the dest will be very confused and won't know what to do.

I can think of a couple things you can do to better this config:

1. Enable http on the dest device and then use a browser to connect to it.

2. Change the telnet port the dest device listens to to 80.

3. Instead of applying your time range to www, apply it to telnet traffic.

If that works as expected, then change it back to www.

HTH, Tim
-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
Chad
Hintz
Sent: Sunday, May 29, 2005 2:31 PM
To: Chad Hintz; ccie lab
Subject: Re: Clarification on time range acl

Sorry, let me revise this: I am permitting www traffic during those hrs but after it is applied I still cannot connect. Here are my configs:
R1
interface FastEthernet0/0
 ip address 170.89.18.1 255.255.255.0
 ip access-group 103 out
 speed 100
 full-duplex
end
access-list 103 permit tcp any any eq www time-range http
access-list 103 permit icmp any any
time-range http
 periodic weekdays 8:00 to 18:00
R1#sh clock
13:29:19.126 EDT Mon May 30 2005
 
BB1's fa0/0
ip address 170.89.18.254 255.255.255.0
also ip telnet source-interface fa0/0
 
R2
int fa0/0
ip address 189.18.23.2 255.255.255.0
 
 
When applied in the active state I cannot telnet on port 80 from bb1:
FRSW-BB2-BB1#telnet 189.18.23.2 80
Trying 189.18.23.2, 80 ...
% Connection timed out; remote host not responding
But I can ping with the additional line in the acl:

FRSW-BB2-BB1#ping 189.18.23.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 189.18.23.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/8 ms
 
 
Chad

Chad Hintz <ccie_2b2004@yahoo.com> wrote:
Hi all,

My lab setup for this scenario is bb1-ethernet-r1-frame-r2-e0/0(189.18.23.2). I want to not allow http traffic outbound of r1 during the weekdays between 8am and 6pm (from Cisco's example on the DocCD).

1.) I created a time-range no-http for 08:00 to 18:00
2.) created an acl: access-list 103 deny tcp any any eq www time-range no-http
3.) applied it outbound on r1's fa0/0: ip access-group 103 out

I see that it is active when I look at the sh ip access-list output and I cannot telnet on port 80 (sourced from the correct interface on bb1); when I change the clock in r1 to be a weekend day the state changes to inactive but I still cannot telnet on port 80.

So my question is: do I have to have a permit for each deny after the time range acl?

I put a permit tcp any any eq www and when the time-range acl is inactive I still cannot telnet on port 80 to 189.18.23.2 from bb1. Only when I unapply the acl am I allowed to telnet on port 80.

I guess I am confused about the whole concept. I thought that with it being inactive I should be able to use http and any other protocol, and during active I would not be able to use http or any other protocol unless I permitted it lower in the acl.

Thanks in advance,

Chad
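Chad's question above (does a time-range deny need a matching permit, and why does an inactive entry not simply open the port) and the revised ACL 103 in his later message both come down to the same two rules: an entry whose time-range is inactive is skipped as if it were not in the list, and the list still ends with the implicit deny. The following is an added example, not code from the thread or from Cisco, that evaluates a packet against the ACL lines from the thread at a given clock time. It handles only the subset of IOS syntax the thread uses (`access-list N permit|deny <proto> any any [eq <port>] [time-range <name>]`, `time-range <name>` with `periodic weekdays H:MM to H:MM`); treating the end of the range as exclusive and the skip-if-inactive behaviour are assumptions stated in the comments.

```python
"""Evaluate an IOS-style extended ACL with time-range entries at a given time.
Added illustration of first-match, skip-inactive-entry and implicit-deny
semantics; a small subset of the syntax, written for this example only."""

from dataclasses import dataclass
from datetime import datetime
from typing import Optional

WEEKDAYS = {0, 1, 2, 3, 4}                       # Monday..Friday per datetime.weekday()
PORT_NAMES = {"www": 80, "telnet": 23, "smtp": 25, "pop3": 110}


@dataclass
class TimeRange:
    name: str
    start: int          # minutes past midnight, inclusive
    end: int            # minutes past midnight, exclusive (assumption)

    def active(self, when: datetime) -> bool:
        minutes = when.hour * 60 + when.minute
        return when.weekday() in WEEKDAYS and self.start <= minutes < self.end


@dataclass
class Entry:
    action: str                  # "permit" or "deny"
    proto: str                   # "tcp", "udp", "icmp" or "ip" (matches any)
    dport: Optional[int]         # destination port from "eq", None if absent
    time_range: Optional[str]    # time-range name, None for an unconditional entry


def _minutes(hhmm: str) -> int:
    hours, mins = hhmm.split(":")
    return int(hours) * 60 + int(mins)


def parse_config(text: str):
    """Return (entries, time_ranges) from the ACL and time-range lines of a config."""
    entries, ranges, current = [], {}, None
    for raw in text.splitlines():
        parts = raw.split()
        if not parts:
            continue
        if parts[0] == "access-list":
            action, proto, rest = parts[2], parts[3], parts[4:]
            dport = tr = None
            if "eq" in rest:
                port = rest[rest.index("eq") + 1]
                dport = PORT_NAMES.get(port) or int(port)
            if "time-range" in rest:
                tr = rest[rest.index("time-range") + 1]
            entries.append(Entry(action, proto, dport, tr))
            current = None
        elif parts[0] == "time-range":
            current = parts[1]
        elif parts[0] == "periodic" and current is not None:
            # only the "periodic weekdays H:MM to H:MM" form from the thread is handled
            assert parts[1] == "weekdays" and parts[3] == "to", raw
            ranges[current] = TimeRange(current, _minutes(parts[2]), _minutes(parts[4]))
    return entries, ranges


def evaluate(entries, ranges, proto: str, dport: Optional[int], when: datetime) -> str:
    """Top-down first match; an entry with an inactive time-range is skipped."""
    for e in entries:
        if e.proto not in ("ip", proto):
            continue
        if e.dport is not None and e.dport != dport:
            continue
        if e.time_range is not None and not ranges[e.time_range].active(when):
            continue                                  # behaves as if the line were absent
        return e.action
    return "deny"                                     # implicit deny ending every IOS ACL


def decide(config: str, proto: str, dport: Optional[int], when: datetime) -> str:
    entries, ranges = parse_config(config)
    return evaluate(entries, ranges, proto, dport, when)


# Chad's revised ACL 103: www only while the range is active, ICMP always.
REVISED = """
access-list 103 permit tcp any any eq www time-range http
access-list 103 permit icmp any any
time-range http
 periodic weekdays 8:00 to 18:00
"""
# Chad's first attempt: a time-ranged deny with nothing after it.  Whether the
# deny is active or not, every packet reaches the implicit deny.
ORIGINAL = """
access-list 103 deny tcp any any eq www time-range no-http
time-range no-http
 periodic weekdays 8:00 to 18:00
"""
# The intent from his question ("block http on weekdays 8-18, allow the rest")
# needs an explicit permit after the deny.
FIXED = ORIGINAL + "access-list 103 permit ip any any\n"

MONDAY = datetime(2005, 5, 30, 13, 29)      # the time in Chad's "sh clock"
SATURDAY = datetime(2005, 5, 28, 13, 29)

if __name__ == "__main__":
    for label, cfg in (("revised", REVISED), ("original", ORIGINAL), ("fixed", FIXED)):
        for day, when in (("Mon", MONDAY), ("Sat", SATURDAY)):
            print(f"{label:8} {day} www:{decide(cfg, 'tcp', 80, when):6} "
                  f"telnet:{decide(cfg, 'tcp', 23, when):6} icmp:{decide(cfg, 'icmp', None, when)}")
```

Running it shows the two behaviours in the thread side by side: with the revised list, www is permitted on Monday at 13:29 and denied on Saturday, while telnet to port 23 is denied at any time because nothing permits it; with the original single-deny list nothing is ever permitted, and only the fixed list lets www through outside the range.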



This archive was generated by hypermail 2.1.4 : Fri Jun 03 2005 - 10:12:03 GMT-3