ACCESS LIST

Answered Question
Nov 17th, 2008

Hi. Can you please check the access list below?

Cannot telnet to 10.1.1.1 from outside.

What is wrong with the access list below and what should I change on it?

Sorry, I'm a beginner.

Appreciate your help. Thanks.

permit tcp any any established
permit icmp any any
permit icmp any host 10.1.1.1 echo
permit icmp any host 10.1.1.1 echo-reply
permit icmp any host 10.1.1.1 time-exceeded
permit udp any host 10.1.1.1 range 33434 33524

Jon Marshall Mon, 11/17/2008 - 04:20

Jayson

Could you provide a bit more detail:

1) Where is the access-list applied (on which interface) and in which direction?

So when you say you cannot telnet from outside to 10.1.1.1, is 10.1.1.1 on the inside?

If so, and this acl is applied on the outside interface in an inbound direction, then you will not be able to. You would need a line like

permit tcp any host 10.1.1.1 eq 23

Jon

jsheriony Mon, 11/17/2008 - 04:33

Hi Jon,

10.1.1.1 is the interface inside.

Cannot go inside from the outside...

Will "permit tcp any host 10.1.1.1 eq 23" be enough?

And if not so much trouble, can you please tell me what the lines below are for? I thought the first line could be enough to permit telnet...

permit tcp any any established
permit icmp any host 10.1.1.1 echo
permit icmp any host 10.1.1.1 echo-reply
permit icmp any host 10.1.1.1 time-exceeded

Thanks a lot for the attention

Correct Answer
Jon Marshall Mon, 11/17/2008 - 04:46

Jayson

permit tcp any any established

This is used to allow traffic for already initiated connections to return through the router, so:

H1 - (fa0/0) R1 (fa0/1) S1

H1 = a client host
S1 = a server the client wants to connect to
R1 is a router

You have an acl 101 with "permit tcp any any established" in it and this acl is applied inbound on R1's fa0/1 interface, i.e.

int fa0/1
ip access-group 101 in

If H1 telnets to S1 the initial packet gets to S1 via R1. The acl has no effect at this time because the traffic is outbound on fa0/1 towards S1.

When S1 responds the "permit tcp any any established" line allows the return traffic back in.

But if S1 started the telnet conversation to H1 the router would deny the packet because the connection was not started by H1.

It is important to note that using the established keyword means the router is only really checking for a TCP flag in the packet header and as such it is very easy to fool and should in no way be viewed as a firewall function. I don't want to overload you with TCP flags/stateful connections but if you need more info let me know.

The permit icmp lines in order:

1) allow any address to send a ping request to 10.1.1.1
2) allow any address to send a ping response to 10.1.1.1
3) allow any host to send a "time-exceeded" response to 10.1.1.1

Jon
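To make the first-match behaviour and the "established" caveat in Jon's answer concrete, here is an added Python simulation (not code from the post and not IOS itself): it parses the thread's ACL lines, evaluates a packet top to bottom with the implicit deny at the end, and models "established" exactly as Jon describes it, as a check that the TCP ACK or RST bit is set with no connection tracking. The outside source address 192.0.2.10, the Packet type and the simplified syntax coverage are assumptions of this example.

```python
# Constructed simulation of first-match evaluation for the thread's extended ACL (not
# IOS code). Simplified: any/host addresses only, ports after the destination, and
# 'established' meaning just "TCP ACK or RST bit set" with no connection tracking.
from collections import namedtuple

# proto: tcp/udp/icmp; dport: TCP/UDP destination port; ack/rst: TCP flags;
# icmp_type: "echo", "echo-reply", "time-exceeded", ...
Packet = namedtuple("Packet", "proto src dst dport ack rst icmp_type",
                    defaults=(0, False, False, ""))

ACL_ORIGINAL = """
permit tcp any any established
permit icmp any any
permit icmp any host 10.1.1.1 echo
permit icmp any host 10.1.1.1 echo-reply
permit icmp any host 10.1.1.1 time-exceeded
permit udp any host 10.1.1.1 range 33434 33524
"""
# Jon's fix: explicitly permit new telnet sessions to the inside address.
ACL_FIXED = ACL_ORIGINAL + "permit tcp any host 10.1.1.1 eq 23\n"

def parse_ace(line):
    t = line.split()
    action, proto, t = t[0], t[1], t[2:]
    addr = lambda: None if t.pop(0) == "any" else t.pop(0)   # None = wildcard
    src, dst, opts = addr(), addr(), {}
    while t:
        k = t.pop(0)
        if k in ("eq", "range"):            # destination port or port range
            lo = int(t.pop(0)); opts["ports"] = (lo, int(t.pop(0)) if k == "range" else lo)
        elif k == "established":
            opts["established"] = True
        elif proto == "icmp":                # echo, echo-reply, time-exceeded, ...
            opts["icmp_type"] = k
    return action, proto, src, dst, opts

def matches(ace, pkt):
    _, proto, src, dst, opts = ace
    lo, hi = opts.get("ports", (0, 65535))
    return (proto == pkt.proto
            and src in (None, pkt.src) and dst in (None, pkt.dst)
            and lo <= pkt.dport <= hi
            and (not opts.get("established") or pkt.ack or pkt.rst)
            and opts.get("icmp_type", pkt.icmp_type) == pkt.icmp_type)

def evaluate(acl_text, pkt):
    """Entries are tested top to bottom; first match wins, else the implicit deny."""
    for line in acl_text.strip().splitlines():
        if matches(parse_ace(line), pkt):
            return line.split()[0]
    return "deny"
```

evaluate(ACL_ORIGINAL, Packet("tcp", "192.0.2.10", "10.1.1.1", dport=23)) returns "deny" while the same packet against ACL_FIXED returns "permit". A TCP packet to any port with only the ACK bit set already returns "permit" against the original ACL, which is exactly the weakness Jon warns about.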

jsheriony Mon, 11/17/2008 - 04:50

Jon,

Very very helpful. Thanks a lot... Now I understand very well.

Jayson

Jon Marshall Mon, 11/17/2008 - 04:56

Jayson

No problem, glad to have helped and thanks for the rating.

Jon

jsheriony Mon, 11/17/2008 - 04:58

Jon,

By the way, the line below would resolve the whole issue, right?

Thanks again

permit tcp any host 10.1.1.1 eq 23

Jon Marshall Mon, 11/17/2008 - 05:00

Yes it would, providing the acl is applied inbound on the outside interface.

Jon
