ACL

leungcm
Level 1

Hi,

I configured the ACL as follows:

access-list 165 permit tcp any eq telnet any

However, we cannot telnet. What is missing? Thanks.

Best regards

20 Replies

Add,

access-list 165 permit ip any any

Hope you have a corresponding access-group command applied on the interface.

wochanda
Level 4

How is this applied? What you've said above will permit any packets sourced from a device running the telnet service.

If this ACL is applied to an interface carrying packets going TO a telnet device, you need to modify it to say:

access-list 165 permit tcp any any eq telnet

Or, to accommodate both scenarios, try:

access-list 165 permit tcp any eq telnet any

access-list 165 permit tcp any any eq telnet

Hi,

What is the difference between them?

access-list 165 permit tcp any eq telnet any

access-list 165 permit tcp any any eq telnet

Please advise.

Best regards

access-list 165 permit tcp any any eq telnet --> Matches traffic heading towards the device you are trying to telnet to (TCP server).

access-list 165 permit tcp any eq telnet any --> Matches return traffic heading towards the host that originated the telnet session (TCP client).

HTH

Sundar

Hi,

Does it mean that:

access-list 165 permit tcp any any eq telnet (outbound)

access-list 165 permit tcp any eq telnet any (inbound)

Is it correct?

Best regards

That depends on where you are looking from. If you are looking from the client perspective, from where telnet is initiated, then yes your understanding is correct.

HTH

Sundar

Here is a slightly different way to look at it which might be helpful:

access-list 165 permit tcp any eq telnet any

in this one telnet is the source port. so it would match a packet from the device running the telnet service (the device to which you telnet)

access-list 165 permit tcp any any eq telnet

in this one telnet is the destination port. so it would match a packet to the device running the telnet service (the device to which you telnet).

So telnet (TCP port 23) is the destination port on packets from the client to the server, and telnet is the source port on packets from the server to the client. If you understand this concept it should become easier to figure out, for the access list, which interface and which direction carry the telnet source and destination.

HTH

Rick


Hi,

If we implement the ACL on the interface:

interface FastEthernet0

ip access-group 165 in

access-list 165 permit tcp any eq telnet any

it will allow the return packets when we telnet out.

If we amend the ACL as follows, where 218.x.x.x is our PC:

access-list 165 permit tcp any eq telnet host 218.x.x.x

it will allow the return packets when we telnet out from 218.x.x.x to any outside telnet server.

access-list 165 permit tcp any host 218.x.x.x eq telnet

it will allow someone outside (any) to telnet into our network to the 218.x.x.x server.

-----

If we have a telnet server in our network and it is open for public telnet, we should apply

access-list 165 permit tcp any host 218.x.x.x eq telnet

If we don't have a telnet server in our network and we want to telnet outside, we should apply the following

access-list 165 permit tcp host 218.x.x.x any eq telnet

This allows the return packets when we telnet out:

access-list 165 permit tcp any eq telnet host 218.x.x.x

If we implement the ACL on the interface (ip access-group 165 in), the result is:

access-list 165 permit tcp any host 218.x.x.x eq telnet (hit when someone telnets to our server; it is "in" traffic)

access-list 165 permit tcp host 218.x.x.x eq telnet any (will not hit; it is the return packet to someone outside, which means "out" traffic)

access-list 165 permit tcp host 218.x.x.x any eq telnet (will not hit because it is "out" traffic)

access-list 165 permit tcp any eq telnet host 218.x.x.x (hit when we telnet out and it is the return packet; it is "in" traffic)

Is it correct?

Best regards

I am afraid it is not correct.

Assuming that the interface where this ACL is applied as "ip access-group 165 in" is the interface where the local LAN is 218.x.x.x then host 218.x.x.x will always be the source address because the "access-group in" is looking at packets from the LAN into the interface. So here is the logic that you suggested with my comments:

access-list 165 permit tcp any host 218.x.x.x eq telnet (hit when someone telnet to our server, it is "in" traffic)

- this line has any as the source and host 218.x.x.x as the destination. This would work if the access-group were "out" but will get no hits when it is "in" since the "in" access group will see the host as the source and not as the destination.

access-list 165 permit tcp host 218.x.x.x eq telnet any (will not hit, it is return packet to outside some one. it means "out" traffic)

- this line would get hits if someone outside had telnetted to the host 218.x.x.x. The host 218.x.x.x will get hit because the host is the source address for an inbound access-group and source port telnet would indicate a telnet response from the local host to the remote initiator.

access-list 165 permit tcp host 218.x.x.x any eq telnet (will not hit because it is "out" traffic)

- this line would get hits if host 218.x.x.x has telnetted to somewhere else because the source address is the host and the destination port is telnet.

access-list 165 permit tcp any eq telnet host 218.x.x.x (hit when we telnet out and it is return packet. it is "in" traffic)

- this line will get no hits because it specifies the source as any but an "in" access-group will see 218.x.x.x as the source.

HTH

Rick

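An added example, not part of Rick's post or any other post in this thread: a small Python simulator of IOS-style extended ACL matching that reproduces the hit/no-hit analysis above for the four candidate lines when the ACL is applied with ip access-group 165 in on the LAN interface, and also shows what the same lines would do if the access-group were out. Everything concrete here is assumed: 218.0.0.10 stands in for the thread's 218.x.x.x, the LAN is 218.0.0.0/24, 203.0.113.5 is the remote host, the ephemeral ports and the traffic are constructed.

```python
"""Simulate IOS-style extended ACL matching for 'ip access-group 165 in'.
Added example, not from the thread.  Assumed: 218.0.0.10 is the local host
(the thread's 218.x.x.x) on LAN 218.0.0.0/24, 203.0.113.5 is a remote host,
and the traffic below is constructed."""
import ipaddress
from dataclasses import dataclass

PORT_NAMES = {"telnet": 23, "ssh": 22, "www": 80}


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


def wildcard_match(addr, network, wildcard):
    """IOS wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (n & care)


def parse_ace(line):
    """Parse 'access-list N {permit|deny} PROTO SRC [eq P] DST [eq P]'.
    Supports the 'any', 'host A' and 'A WILDCARD' address forms and the
    'eq' port operator, which is all this thread uses."""
    tok = line.split()
    if tok[0] != "access-list" or tok[2] not in ("permit", "deny"):
        raise ValueError("unsupported ACE: " + line)
    rest = tok[4:]

    def take_addr(rest):
        if rest[0] == "any":
            return ("0.0.0.0", "255.255.255.255"), rest[1:]
        if rest[0] == "host":
            return (rest[1], "0.0.0.0"), rest[2:]
        return (rest[0], rest[1]), rest[2:]

    def take_port(rest):
        if rest and rest[0] == "eq":
            return PORT_NAMES.get(rest[1]) or int(rest[1]), rest[2:]
        return None, rest

    src, rest = take_addr(rest)
    sport, rest = take_port(rest)
    dst, rest = take_addr(rest)
    dport, rest = take_port(rest)
    if rest:
        raise ValueError("trailing tokens in ACE: " + line)
    return {"line": line, "action": tok[2], "proto": tok[3],
            "src": src, "sport": sport, "dst": dst, "dport": dport}


def ace_matches(ace, pkt):
    if ace["proto"] not in ("ip", pkt.proto):
        return False
    if not wildcard_match(pkt.src, *ace["src"]) or not wildcard_match(pkt.dst, *ace["dst"]):
        return False
    if ace["sport"] is not None and pkt.sport != ace["sport"]:
        return False
    return ace["dport"] is None or pkt.dport == ace["dport"]


def evaluate(acl, pkt):
    """First matching entry wins; anything unmatched hits the implicit deny."""
    for ace in acl:
        if ace_matches(ace, pkt):
            return ace["action"], ace["line"]
    return "deny", "implicit deny"


def hit_counts(acl, packets, lan, direction="in"):
    """Per-line counters as 'show access-lists' would report them for an ACL on
    the interface whose subnet is `lan`: 'in' only sees packets arriving from
    the LAN (source in `lan`), 'out' only sees packets leaving toward the LAN
    (destination in `lan`); the other half of each session is never evaluated."""
    net = ipaddress.ip_network(lan)
    counts = {ace["line"]: 0 for ace in acl}
    counts["implicit deny"] = 0
    for pkt in packets:
        if ipaddress.ip_address(pkt.src if direction == "in" else pkt.dst) in net:
            counts[evaluate(acl, pkt)[1]] += 1
    return counts


# The four candidate lines discussed above, with 218.x.x.x filled in as 218.0.0.10.
ACL_165 = [parse_ace(l) for l in (
    "access-list 165 permit tcp any host 218.0.0.10 eq telnet",
    "access-list 165 permit tcp host 218.0.0.10 eq telnet any",
    "access-list 165 permit tcp host 218.0.0.10 any eq telnet",
    "access-list 165 permit tcp any eq telnet host 218.0.0.10",
)]

# Constructed traffic: one telnet session in each direction, request and reply.
TRAFFIC = [
    Packet("tcp", "218.0.0.10", 40001, "203.0.113.5", 23),  # local host telnets out
    Packet("tcp", "203.0.113.5", 23, "218.0.0.10", 40001),  # ... and the server's reply
    Packet("tcp", "203.0.113.5", 50002, "218.0.0.10", 23),  # remote host telnets in
    Packet("tcp", "218.0.0.10", 23, "203.0.113.5", 50002),  # ... and the local reply
]

if __name__ == "__main__":
    for d in ("in", "out"):
        print(f"ip access-group 165 {d} on the LAN interface:")
        for line, n in hit_counts(ACL_165, TRAFFIC, "218.0.0.0/24", d).items():
            print(f"  {n:3d}  {line}")
```

With the access-group inbound on the LAN interface, only the two lines whose source is host 218.0.0.10 ever count hits (one for the outgoing telnet request, one for the reply to an incoming session), exactly as described above; with the access-group outbound, it is the other two lines that count.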

Hi,

I understand it. So we need to change the ACL as follows:

interface FastEthernet1

description connect to ISP

ip address 198.x.x.x 255.255.255.252

ip access-group 165 in

interface FastEthernet0

description connect to DMZ

ip address 218.x.x.x 255.255.255.252

! return packets when we telnet out

access-list 165 permit tcp any eq telnet 218.x.x.16 0.0.0.15

! allow inbound telnet service

access-list 165 permit tcp any host 218.x.x.90 eq telnet

Is it correct? Please advise.

Best regards

These 2 lines of the ACL will permit responses from remote hosts to which your hosts have initiated telnet and will permit outside hosts to telnet to the specific host (as your comments indicate).

I do note that there is a mismatch in masks. The access list statement of 218.x.x.16 0.0.0.15 implies a subnet mask on the interface of 255.255.255.240, but the interface config that you show has a mask of 255.255.255.252. Is one or the other of these a typo?

Would I be correct in assuming that there are other statements in the access-list 165?

HTH

Rick

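An added example, not from Rick's post or anywhere else in this thread: a few Python helpers that convert between the subnet mask on an interface and the wildcard mask in an ACL entry, and check whether an ADDR WILDCARD pair in an ACE actually covers the interface's subnet, which is the mismatch pointed out above (0.0.0.15 describes a /28, the interface showed a /30). The addresses are assumed: 218.0.0.16 stands in for 218.x.x.16 and 218.0.0.1 for the interface address.

```python
"""Added example, not from the thread.  Convert between an interface subnet
mask and an ACL wildcard, and check an ACE's ADDR WILDCARD against the
interface subnet.  Assumed addresses: 218.0.0.16 for the thread's 218.x.x.16,
218.0.0.1 for the interface."""
import ipaddress


def netmask_to_wildcard(netmask):
    """The ACL wildcard is the bitwise inverse of the subnet mask."""
    m = int(ipaddress.IPv4Address(netmask))
    return str(ipaddress.IPv4Address(m ^ 0xFFFFFFFF))


def wildcard_to_prefixlen(wildcard):
    """Prefix length a wildcard implies, or None when the wildcard is not a
    contiguous run of low-order 1 bits (IOS accepts such wildcards, but they
    do not describe a subnet and have no equivalent subnet mask)."""
    w = int(ipaddress.IPv4Address(wildcard))
    if w & (w + 1):          # contiguous low-order ones <=> w + 1 is a power of two
        return None
    return 32 - w.bit_length()


def ace_network(network, wildcard):
    """The subnet an 'ADDR WILDCARD' pair describes, e.g. 218.0.0.16 0.0.0.15
    -> 218.0.0.16/28, or None for a non-contiguous wildcard."""
    plen = wildcard_to_prefixlen(wildcard)
    if plen is None:
        return None
    return ipaddress.ip_network(f"{network}/{plen}", strict=False)


def check_against_interface(ace_addr, ace_wc, iface_addr, iface_mask):
    """Compare the subnet an ACE covers with the interface's subnet.  Returns
    (verdict, corrected 'ADDR WILDCARD' text or None)."""
    iface = ipaddress.ip_interface(f"{iface_addr}/{iface_mask}").network
    ace = ace_network(ace_addr, ace_wc)
    if ace is None:
        return "non-contiguous wildcard", None
    if ace == iface:
        return "match", None
    fixed = f"{iface.network_address} {netmask_to_wildcard(iface_mask)}"
    return f"mismatch: ACE covers {ace}, interface is {iface}", fixed


if __name__ == "__main__":
    # The thread's ACE against the /30 first shown, then against the /24 given later.
    for mask in ("255.255.255.252", "255.255.255.0"):
        verdict, fixed = check_against_interface("218.0.0.16", "0.0.0.15", "218.0.0.1", mask)
        print(verdict, "->", fixed)
```

Run as-is, the /30 case reports a mismatch and suggests 218.0.0.0 0.0.0.3, and the /24 case suggests 218.0.0.0 0.0.0.255, which is the corrected line given in the next reply.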

Hi,

You are right, you are smart and attentive to detail. :-)

The correct one is

interface FastEthernet0

description connect to DMZ

ip address 218.x.x.x 255.255.255.0

Best regards

Thank you for the compliment. Years of doing router and switch configs and reading problem statements have taught me to read carefully for details.

If that is the correct address and mask on the interface then the access list should be:

access-list 165 permit tcp any eq telnet 218.x.x.0 0.0.0.255

HTH

Rick


Hi,

We configured the commands on the production router. The ACL did not work until we added

access-list 165 permit ip any 218.x.x.x 0.0.0.255

What is the function of this command? Please advise.

Best regards
