Re: Access-list problem

From: Bryan Bartik <bbartik_at_ipexpert.com>
Date: Sun, 26 Apr 2009 11:09:36 -0600

No, it doesn't mean that. It just means that is what port number the router
is using for Port Address Translation. It just happened to be port 1 during
my test. The router is translating every packet outbound from that
interface, which is what happens when you use "permit ip any any" in your
ACL. This is not the behavior you want if you need to communicate with the
router itself, so narrow your ACL to only the inside hosts.

On Sun, Apr 26, 2009 at 12:05 AM, marish shah <contactmarish_at_gmail.com> wrote:

> So it means we are using port 1 for the telnet connection, not 23. OK, I agree
> with this statement because port 1 (TCP Port Service Multiplexer) can also be
> used for a telnet connection as defined in RFC 1078; correct me if I'm wrong,
> please. But I'm still confused because I blocked only the HTTP port (80). So
> why does it block port 1?
> On Sun, Apr 26, 2009 at 1:20 AM, Bryan Bartik <bbartik_at_ipexpert.com> wrote:
>
>> Hello,
>>
>> I have seen this issue before and I think it may have been brought up on GS
>> too, although I couldn't find anything in the archives. This happens when
>> you use "permit ip any any" in the NAT ACL. If you look at the NAT
>> translations you will see that when you telnet to the router from the
>> outside, address translation is taking place on the reply, screwing up the
>> TCP connection.
>>
>> In this case 200.0.0.2 is the outside interface address (the interface
>> with "ip nat outside"). I am telnetting from 200.0.0.3 to 200.0.0.2:
>>
>> R2#sho ip nat translations
>> Pro Inside global      Inside local       Outside local      Outside global
>> tcp 200.0.0.2:1        200.0.0.2:23       200.0.0.3:41927    200.0.0.3:41927
>>
>> R2 translates the SYN-ACK packet from 200.0.0.2 back to 200.0.0.3 using
>> port 1, instead of port 23, and the 3-way handshake never completes.
>> 200.0.0.3 sends an RST because it is not expecting anything on this port.
>> I used the packet capture in Dynagen to verify this behavior.
>>
>> If you narrow down your ACL so only the inside hosts are specified, then
>> you don't have this issue.
>>
>>
>> Bryan Bartik
>> CCIE #23707, CCNP
>> Sr. Support Engineer - IPexpert, Inc.
>> URL: http://www.IPexpert.com
>>
>>
>> On Sat, Apr 25, 2009 at 1:23 PM, Pavel Bykov <slidersv_at_gmail.com> wrote:
>>
>> > Looks like a bug.
>> > Are you telnetting to the Dialer interface?
>> >
>> > On Wed, Apr 22, 2009 at 4:17 PM, marish shah <contactmarish_at_gmail.com> wrote:
>> >
>> > > Hi All,
>> > > Scenario.
>> > > DSL Router 857 connecting to ISP with dialer interface and connecting
>> > > with LOCAL AREA NETWORK with vlan 1.
>> > >
>> > > Requirement,
>> > >
>> > > Customer wants to stop browsing for some computers from 192.168.2.128 to
>> > > 192.168.2.191 and allow any other traffic.
>> > >
>> > > Remaining IPs are allowed all traffic. So I put this configuration on the
>> > > customer router.
>> > >
>> > > access-list 102 deny tcp 192.168.2.128 0.0.0.63 any eq www
>> > > access-list 102 permit ip any any
>> > >
>> > > ip nat inside source list 102 interface Dialer1 overload
>> > >
>> > > interface Vlan1
>> > >  ip address 192.168.2.1 255.255.255.0
>> > >  ip nat inside
>> > > !
>> > > interface Dialer1
>> > >  ip address negotiated
>> > >  ip nat outside
>> > >
>> > > After this everything works fine: there was no browsing for a few users,
>> > > as the customer wanted, and they can access everything else (FTP, TELNET,
>> > > etc.).
>> > >
>> > > And all other customers can use everything, including browsing.
>> > >
>> > > But here the problem comes: from outside I cannot telnet to the customer
>> > > router, but I can ping. If you see my config, I didn't block port 23 for
>> > > inside nor for outside, and my access-list only affects inside traffic,
>> > > but from outside I'm not able to telnet, and strangely from inside I can
>> > > telnet.
>> > >
>> > > So the Q is: why is my telnet from outside blocked?
>> > >
>> > > I solved this problem; I just removed
>> > >
>> > > no access-list 102 deny tcp 192.168.2.128 0.0.0.63 any eq www
>> > > no access-list 102 permit ip any any
>> > >
>> > > and replaced with
>> > >
>> > > access-list 102 deny tcp 192.168.2.128 0.0.0.63 any eq www
>> > > access-list 102 permit ip 192.168.2.0 0.0.0.255 any
>> > >
>> > > and telnet from outside is also working. So why was it blocked, and after
>> > > removing permit any any it works?
>> > >
>> > > Thanks.
>> > >
>> > > Blogs and organic groups at http://www.ccie.net
>> > >
>> > > _______________________________________________________________________
>> > > Subscription information may be found at:
>> > > http://www.groupstudy.com/list/CCIELab.html
>> >
>> > --
>> > Pavel Bykov
>> > ----------------
>> > Don't forget to help stopping the braindumps, use of which reduces value
>> > of your certifications. Sign the petition at http://www.stopbraindumps.com/

-- 
Bryan Bartik
CCIE #23707, CCNP
Sr. Support Engineer - IPexpert, Inc.
URL: http://www.IPexpert.com
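As an added example (not code from the thread or from Cisco), a small Python model of how the NAT ACL in this thread is evaluated, assuming, as the translation table above shows, that the router's own replies leaving the "ip nat outside" interface are checked against the same list; the wildcard-mask logic, ACE parser and port keyword table are mine.

```python
import ipaddress

# Constructed example (not from the thread): a minimal model of the source check
# that a Cisco IOS "ip nat inside source list" applies to packets leaving an
# "ip nat outside" interface. Wildcard mask bits: 0 = must match, 1 = don't care.
PORT_NAMES = {"www": 80, "telnet": 23}  # IOS port keywords used in the thread

def wildcard_match(addr, base, wildcard):
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a & ~w) == (b & ~w)

def parse_ace(line):
    """Parse 'access-list N {permit|deny} {ip|tcp} SRC DST [eq PORT]' where
    SRC and DST are 'any' or 'A.B.C.D WILDCARD' (the shapes the thread uses)."""
    tok = line.split()
    action, proto, rest = tok[2], tok[3], tok[4:]

    def take_addr():
        nonlocal rest
        if rest[0] == "any":
            rest = rest[1:]
            return ("0.0.0.0", "255.255.255.255")
        base, wild, rest = rest[0], rest[1], rest[2:]
        return (base, wild)

    src, dst = take_addr(), take_addr()
    dport = (PORT_NAMES.get(rest[1]) or int(rest[1])) if rest[:1] == ["eq"] else None
    return {"action": action, "proto": proto, "src": src, "dst": dst, "dport": dport}

def nat_translates(acl, src, dst, proto="tcp", dport=None):
    """True when the NAT ACL permits the flow, so NAT rewrites its source.
    A deny means 'leave untranslated', not 'drop': the packet goes out with its
    private source and gets no reply, which is what stopped the browsing."""
    for ace in acl:
        if ace["proto"] not in ("ip", proto):
            continue
        if not (wildcard_match(src, *ace["src"]) and wildcard_match(dst, *ace["dst"])):
            continue
        if ace["dport"] is not None and ace["dport"] != dport:
            continue
        return ace["action"] == "permit"
    return False  # implicit deny at the end of every IOS ACL

DENY_WWW = "access-list 102 deny tcp 192.168.2.128 0.0.0.63 any eq www"
BROKEN_ACL = [parse_ace(DENY_WWW), parse_ace("access-list 102 permit ip any any")]
FIXED_ACL = [parse_ace(DENY_WWW),
             parse_ace("access-list 102 permit ip 192.168.2.0 0.0.0.255 any")]

# Router's own SYN-ACK 200.0.0.2:23 -> 200.0.0.3:41927: matches "permit ip any
# any" so PAT rewrites port 23 -> 1; under FIXED_ACL it hits the implicit deny.
```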
Received on Sun Apr 26 2009 - 11:09:36 ART

This archive was generated by hypermail 2.2.0 : Mon May 04 2009 - 07:39:13 ART