allow telnet from host generating random ports

Unanswered Question
Aug 3rd, 2009

hi guys,

I am creating an access-list to allow 192.168.40.25 to access the 10.0.0.0 network and vice versa on ports 21, 22 and 23.

I have the ACL applied on the router, and 192.168.40.25 (host) can access any device on the 10.0.0.0 network successfully, but no one from 10.0.0.0 can access 192.168.40.25.

I think the problem is the randomly generated port numbers on any client machine on the 10.0.0.0 network.

How can I allow a telnet session to be established between any device from the 10.0.0.0 network and my host 192.168.40.25?

The following are my ACLs:

--------------------------

access-list 105 permit tcp host 192.168.40.25 10.0.0.0 0.255.255.255 eq telnet
access-list 105 permit tcp host 192.168.40.25 10.0.0.0 0.255.255.255 eq ftp
access-list 105 permit tcp host 192.168.40.25 10.0.0.0 0.255.255.255 eq ftp-data
access-list 105 permit tcp host 192.168.40.25 10.0.0.0 0.255.255.255 eq 22

Thanks a lot :)


c.captari Mon, 08/03/2009 - 21:41

Your ACL is unidirectional. As I see it, you only allow from 192.168.40.25 to 10.0.0.0/8.

You should write in some ACLs for the reverse traffic as well: 10.0.0.0/8 to 192.168.40.25.

Istvan_Rabai Mon, 08/03/2009 - 22:42

Hi Aun,

This is your access-list:

access-list 105 permit tcp host 192.168.40.25 10.0.0.0 0.255.255.255 eq telnet
access-list 105 permit tcp host 192.168.40.25 10.0.0.0 0.255.255.255 eq ftp
access-list 105 permit tcp host 192.168.40.25 10.0.0.0 0.255.255.255 eq ftp-data
access-list 105 permit tcp host 192.168.40.25 10.0.0.0 0.255.255.255 eq 22

This is the additional ACL needed to allow telnet access between any device from the 10.0.0.0 network and host 192.168.40.25:

access-list 110 permit tcp 10.0.0.0 0.255.255.255 host 192.168.40.25 eq telnet

interface Fa0/0
ip access-group 105 out
ip access-group 110 in

Directions "in" or "out" depend on where your Fa0/0 interface is located in relation to the two traffic types.

Cheers,

Istvan
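Added example, not part of the thread (the 10.0.0.7 device and the ephemeral port numbers are constructed): a small Python evaluator for the ACL lines quoted above that runs a telnet session in each direction through ACL 105 outbound and ACL 110 inbound, first exactly as written and then with a `permit tcp ... established` entry appended to each, because a session's return packets (source port 23, random destination port) match none of the `eq` entries and fall to the implicit deny. It assumes contiguous wildcard masks and that `eq` names the destination port, which is how both ACLs here use it.

```python
import ipaddress  # constructed example: tiny evaluator for the IOS extended-ACL lines in this thread
PORT_NAMES = {"telnet": 23, "ftp": 21, "ftp-data": 20}

def parse_addr(t, i):
    """Parse 'host A' or 'A WILDCARD' at t[i]; contiguous wildcard masks assumed."""
    if t[i] == "host":
        return ipaddress.ip_network(t[i + 1] + "/32"), i + 2
    ones = bin(int(ipaddress.ip_address(t[i + 1]))).count("1")  # wildcard 1-bits are don't-care
    return ipaddress.ip_network(f"{t[i]}/{32 - ones}", strict=False), i + 2

def parse_ace(line):
    """access-list N permit|deny tcp SRC DST [eq PORT] [established]; eq = destination port."""
    t = line.split()
    assert t[0] == "access-list" and t[3] == "tcp", line
    src, i = parse_addr(t, 4)
    dst, i = parse_addr(t, i)
    ace = {"action": t[2], "src": src, "dst": dst, "dport": None, "established": False}
    while i < len(t):
        if t[i] == "eq":
            ace["dport"] = PORT_NAMES.get(t[i + 1]) or int(t[i + 1]); i += 2
        elif t[i] == "established":
            ace["established"] = True; i += 1
        else:
            raise ValueError(f"unsupported token {t[i]!r} in {line!r}")
    return ace

def evaluate(acl, pkt):
    """First matching entry wins; every IOS ACL ends with an implicit deny."""
    for ace in map(parse_ace, acl):
        if (ipaddress.ip_address(pkt["src"]) in ace["src"]
                and ipaddress.ip_address(pkt["dst"]) in ace["dst"]
                and (ace["dport"] is None or pkt["dport"] == ace["dport"])
                and (not ace["established"] or pkt["ack"])):  # established = ACK or RST set
            return ace["action"]
    return "deny"

# The four entries from the question, the one from the answer, and an 'established' entry for each
ACL_105 = [f"access-list 105 permit tcp host 192.168.40.25 10.0.0.0 0.255.255.255 eq {p}"
           for p in ("telnet", "ftp", "ftp-data", "22")]
ACL_110 = ["access-list 110 permit tcp 10.0.0.0 0.255.255.255 host 192.168.40.25 eq telnet"]
ACL_105_FIXED = ACL_105 + ["access-list 105 permit tcp host 192.168.40.25 10.0.0.0 0.255.255.255 established"]
ACL_110_FIXED = ACL_110 + ["access-list 110 permit tcp 10.0.0.0 0.255.255.255 host 192.168.40.25 established"]

def session_verdicts(acl_out, acl_in, host="192.168.40.25", dev="10.0.0.7"):
    """Telnet from each side through 105 (out) and 110 (in); 10.0.0.7 and source ports are constructed."""
    p = lambda s, d, sp, dp, ack: {"src": s, "dst": d, "sport": sp, "dport": dp, "ack": ack}
    return {"host->dev SYN (out)": evaluate(acl_out, p(host, dev, 51234, 23, False)),
            "dev->host reply (in)": evaluate(acl_in, p(dev, host, 23, 51234, True)),
            "dev->host SYN (in)": evaluate(acl_in, p(dev, host, 40222, 23, False)),
            "host->dev reply (out)": evaluate(acl_out, p(host, dev, 23, 40222, True))}
```

Calling `session_verdicts(ACL_105, ACL_110)` gives "permit" for both SYNs and "deny" for both replies; `session_verdicts(ACL_105_FIXED, ACL_110_FIXED)` gives "permit" for all four.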