Access-list

Unanswered Question
Mar 25th, 2007
User Badges:

hi expert,


With attach diagram, if i want to permit the access-list to initiate a ssh session from PC to 192.168.1.2. which access list is right ?


1)access-list 101 permit tcp any eq 22 host 192.168.1.2

2)access-list 101 permit tcp any 192.168.1.2 eq 22



  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Loading.
rebecca.richards Sun, 03/25/2007 - 22:55
User Badges:

You're close with access-list # 2 above, but it needs to be:


access-list 101 permit tcp any host 192.168.1.2 eq 22


- bec

acbenny Sun, 03/25/2007 - 23:14
User Badges:

ic, how about the #1 access-list ?


it is just any host can make session with destination port which is tcp port 22 to host 192.168.1.2 ----is it also right ?




rebecca.richards Sun, 03/25/2007 - 23:33
User Badges:

With SSH, the client binds to a "random" TCP high port, which you cannot predict. So your ACL #1 above would not match at all, as you're specifying that the clients are bound to 22/tcp


It is the _server_ that is bound to 22/tcp, which is what you match on, thus #2.

acbenny Sun, 03/25/2007 - 23:44
User Badges:

then does this pattern is correct ?


Access-list 101 permit tcp/udp [source ip address][source ip address 's destination port][destination ip address][destination ip 's destination port]


Actions

This Discussion