So it means we are using port 1 for the telnet connection, not 23. OK, I agree
with this statement because port 1 (TCP Port Service Multiplexer) can also be
used for a telnet connection as defined in RFC 1078; correct me if I'm wrong,
please. But I'm still confused because I blocked only the HTTP port (80). So why
does it block port 1?
On Sun, Apr 26, 2009 at 1:20 AM, Bryan Bartik <bbartik_at_ipexpert.com> wrote:
> Hello,
>
> I have seen this issue before and I think it may have been brought up on GS too,
> although I couldn't find anything in the archives. This happens when you use
> "permit ip any any" in the NAT ACL. If you look at the NAT translations you
> will see that when you telnet to the router from the outside, address
> translation is taking place on the reply, screwing up the TCP connection.
>
> In this case 200.0.0.2 is the outside interface address (the interface with
> "ip nat outside"). I am telnetting from 200.0.0.3 to 200.0.0.2:
>
> R2#sho ip nat translations
> Pro Inside global      Inside local       Outside local      Outside global
> tcp 200.0.0.2:1        200.0.0.2:23       200.0.0.3:41927    200.0.0.3:41927
>
> R2 translates the SYN-ACK packet from 200.0.0.2 back to 200.0.0.3 using port
> 1 instead of port 23, and the 3-way handshake never completes. 200.0.0.3
> sends an RST because it is not expecting anything on this port. I used the
> packet capture in Dynagen to verify this behavior.
>
> If you narrow down your ACL so only the inside hosts are specified, then you
> don't have this issue.
>
>
> Bryan Bartik
> CCIE #23707, CCNP
> Sr. Support Engineer - IPexpert, Inc.
> URL: http://www.IPexpert.com
>
>
> On Sat, Apr 25, 2009 at 1:23 PM, Pavel Bykov <slidersv_at_gmail.com> wrote:
>
> > Looks like a bug.
> > Are you telnetting to the Dialer interface?
> >
> > On Wed, Apr 22, 2009 at 4:17 PM, marish shah <contactmarish_at_gmail.com> wrote:
> >
> > > Hi All,
> > > Scenario.
> > > DSL Router 857 connecting to the ISP with a dialer interface and connecting with
> > > the LOCAL AREA NETWORK with vlan 1.
> > >
> > > Requirement,
> > >
> > > Customer wants to stop browsing for some computers from 192.168.2.128 to
> > > 192.168.2.191 and allow any other traffic.
> > >
> > > Remaining IPs are allowed all traffic. So I put this configuration on the
> > > customer router.
> > >
> > > access-list 102 deny tcp 192.168.2.128 0.0.0.63 any eq www
> > > access-list 102 permit ip any any
> > >
> > > ip nat inside source list 102 interface Dialer1 overload
> > >
> > > interface Vlan1
> > >  ip address 192.168.2.1 255.255.255.0
> > >  ip nat inside
> > > !
> > > interface Dialer1
> > >  ip address negotiated
> > >  ip nat outside
> > >
> > > After this everything worked fine: there was no browsing for the few users,
> > > as the customer wanted, and they can access everything else (FTP, TELNET, etc.)
> > >
> > > And all other customers can use everything, including browsing.
> > >
> > > But here the problem comes: from outside I cannot telnet to the customer router,
> > > but I can ping. If you see my config, I didn't block port 23 for inside nor for
> > > outside, and my access-list only affects inside traffic, but from outside I am
> > > not able to telnet, and strangely from inside I can telnet.
> > >
> > > So Q is: why is my telnet from outside blocked?
> > >
> > > I solved this problem: I just removed
> > >
> > > no access-list 102 deny tcp 192.168.2.128 0.0.0.63 any eq www
> > > no access-list 102 permit ip any any
> > >
> > > and replaced with
> > >
> > > access-list 102 deny tcp 192.168.2.128 0.0.0.63 any eq www
> > > access-list 102 permit ip 192.168.2.0 0.0.0.255 any
> > >
> > > and telnet from outside is also working, so why is it blocked, and after
> > > removing permit any any it works.
> > >
> > > Thanks.
> > >
> > > Blogs and organic groups at http://www.ccie.net
> > >
> > > _______________________________________________________________________
> > > Subscription information may be found at:
> > > http://www.groupstudy.com/list/CCIELab.html
> >
> >
> > --
> > Pavel Bykov
> > ----------------
> > Don't forget to help stop the braindumps, use of which reduces the value of
> > your certifications. Sign the petition at http://www.stopbraindumps.com/
Received on Sun Apr 26 2009 - 09:05:18 ART
This archive was generated by hypermail 2.2.0 : Mon May 04 2009 - 07:39:13 ART
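Bryan's explanation above, as an added example that is not code from the thread or from Cisco: a small Python model of Cisco wildcard-mask ACL matching that evaluates both versions of access-list 102 from the original post against the router's own telnet reply (200.0.0.2:23 to 200.0.0.3) and against inside hosts. It assumes the ACL is the only thing deciding NAT eligibility (interface direction is not modelled), and 198.51.100.10 is a constructed server address.

```python
"""Which packets does a Cisco NAT ACL select for translation?

Added example, not from the thread or from Cisco. Encodes the two
access-list 102 variants as data and applies Cisco wildcard-mask,
first-match semantics with the implicit trailing deny. Simplification:
the ACL is the only filter modelled, which is enough to show why the
router's own telnet reply is a candidate under "permit ip any any".
"""
import ipaddress
from typing import List, NamedTuple, Optional


class Ace(NamedTuple):
    action: str                  # "permit" or "deny"
    proto: str                   # "ip" matches every protocol, else "tcp"/"udp"
    src: str                     # "<network> <wildcard>" or "any"
    dst: str
    dport: Optional[int] = None  # destination "eq <port>", if present


def _match_addr(spec: str, addr: str) -> bool:
    """Cisco wildcard mask: a 1 bit in the mask means 'don't care'."""
    if spec == "any":
        return True
    net, wild = spec.split()
    care = ~int(ipaddress.IPv4Address(wild)) & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(net)) & care) == (int(ipaddress.IPv4Address(addr)) & care)


def acl_action(acl: List[Ace], pkt: dict) -> str:
    """First matching entry decides; every Cisco ACL ends in an implicit deny."""
    for ace in acl:
        if ace.proto != "ip" and ace.proto != pkt["proto"]:
            continue
        if not (_match_addr(ace.src, pkt["src"]) and _match_addr(ace.dst, pkt["dst"])):
            continue
        if ace.dport is not None and ace.dport != pkt["dport"]:
            continue
        return ace.action
    return "deny"


def nat_eligible(acl: List[Ace], pkt: dict) -> bool:
    """'ip nat inside source list 102 ...' translates only what ACL 102 permits."""
    return acl_action(acl, pkt) == "permit"


# The two ACLs from the original post: "permit ip any any" vs. inside subnet only.
ORIGINAL_ACL = [Ace("deny", "tcp", "192.168.2.128 0.0.0.63", "any", 80),
                Ace("permit", "ip", "any", "any")]
FIXED_ACL = [Ace("deny", "tcp", "192.168.2.128 0.0.0.63", "any", 80),
             Ace("permit", "ip", "192.168.2.0 0.0.0.255", "any")]

# Constructed sample packets; 200.0.0.x are from Bryan's trace, 198.51.100.10 is a placeholder.
TELNET_REPLY = {"proto": "tcp", "src": "200.0.0.2", "dst": "200.0.0.3", "dport": 41927}
BLOCKED_WEB = {"proto": "tcp", "src": "192.168.2.130", "dst": "198.51.100.10", "dport": 80}
ALLOWED_WEB = {"proto": "tcp", "src": "192.168.2.10", "dst": "198.51.100.10", "dport": 80}
ALLOWED_FTP = {"proto": "tcp", "src": "192.168.2.130", "dst": "198.51.100.10", "dport": 21}
```

With ORIGINAL_ACL the router's own reply is permitted, so NAT has a reason to touch it; with FIXED_ACL it falls through to the implicit deny while the inside hosts' browsing policy is unchanged.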