Telnet Query

Answered Question
Sep 2nd, 2009

Topology:

Router-A----Router-B------Router-C

I am allowing a telnet connection to Router-C's loopback from Router-A's loopback. The telnet is successful when tested with the command telnet X.X.X.X 23 while an access-group is applied IN on Router-B.

I want to enable port 5555 as a destination on Router-C's loopback with any source port.

My config on Router-B is

ip access-list extended test
permit tcp host X.X.X.X host X.X.X.X eq 5555

I am trying to test the connection from Router-A as:

telnet <router-C loopback> 5555

It says connection refused.

How can I confirm my access-list is working on this port?

Edison Ortiz Wed, 09/02/2009 - 15:25

Disable ip route-cache on Router-B's interfaces and run debug ip packet detail on Router-B.

You can also enable HTTP on Router-C and change the default port from 80 to 5555 with the command ip http port 5555 to avoid the connection refused message. As you know, an application needs to have that port open to accept your request.

HTH,

__

Edison

adamgibs7 Thu, 09/03/2009 - 13:13

Hi ediortiz

I have enabled telnet from A to C:

permit tcp host 10.25.3.8 host 10.28.70.1 eq telnet

But when I try to telnet from C to A it doesn't work; I have to specify another access-list entry:

permit tcp host 10.25.3.8 eq telnet host 10.28.70.1

I want a proper understanding of this, can you please.

As far as I know, the ASA is a stateful firewall: whichever connection goes out is permitted back in, regardless of that traffic being denied on the outside interface of the ASA.

I mean to say, if telnet is blocked on the outside interface and an inside host initiates a telnet to any destination device outside, the connection is successful.

Is the behaviour of a router access-list different from an ASA access-list?

Edison Ortiz Thu, 09/03/2009 - 16:14

You need to understand the direction on the ACL and also who is providing the service.

With this example:

permit tcp host 10.25.3.8 host 10.28.70.1 eq telnet

10.25.3.8 is the telnet client and 10.28.70.1 is the telnet server.

The ACL direction must be 'in' if traffic is coming from 10.25.3.8.

__

Edison.

adamgibs7 Thu, 09/03/2009 - 16:29

Hi,

You are correct, ediortiz.

I have enabled telnet traffic from A to C; it works fine from A with an access-list applied on B's IN interface (traffic coming from A).

Second question:

There is no outbound access-list on B going towards A; everything is permitted.

When I initiate a telnet connection from C to A I have to add this access-list entry on B's IN interface:

permit tcp host 10.25.3.8 eq telnet host 10.28.70.1

WHY? Without the above access-list entry it is unsuccessful.

Edison Ortiz Thu, 09/03/2009 - 17:48

"When I initiate a telnet connection from C to A I have to add this access-list entry on B's IN interface: permit tcp host 10.25.3.8 eq telnet host 10.28.70.1. WHY?"

Router A is responding to the telnet request from Router C and is acting as the telnet server, hence you need to allow this flow in the 'in' direction on Router B.

You need to remember the implicit deny all.

__

Edison.

Please rate helpful posts
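To make the stateless behaviour described in the answer above concrete, the following Python model is added here as an example; it is not code from the thread or from Cisco IOS. It parses the exact ACL entries posted in this thread (plus one hypothetical alternative using the IOS established keyword, which matches only TCP segments with ACK or RST set) and evaluates each packet on its own, first match wins, implicit deny at the end, exactly as an inbound ACL on Router-B's A-facing interface would. The loopback addresses are the thread's; the ephemeral ports and the packets are constructed. It also shows why the original port-5555 test gave "connection refused": the ACL permits the SYN, and the refusal comes from Router-C's TCP stack because nothing listens on 5555. On a real router the equivalent check is show ip access-lists test, whose per-entry match counters increment as packets hit each line.

```python
from dataclasses import dataclass
from typing import List, Optional

# IOS port keywords accepted after 'eq' (only the ones this model needs)
PORT_NAMES = {"telnet": 23, "www": 80}


@dataclass(frozen=True)
class Packet:
    """One TCP segment as the ACL sees it: addresses, ports and the ACK flag."""
    src: str
    dst: str
    sport: int
    dport: int
    ack: bool = False  # False only for the client's initial SYN


@dataclass(frozen=True)
class Entry:
    action: str
    src: str
    sport: Optional[int]
    dst: str
    dport: Optional[int]
    established: bool  # IOS 'established': match only if ACK or RST is set


def parse_entry(line: str) -> Entry:
    """Parse 'permit|deny tcp host A [eq p] host B [eq p] [established]'.

    'eq' binds to the address before it: after the first host it is the
    source port, after the second host the destination port.
    """
    toks = line.split()
    if len(toks) < 2 or toks[0] not in ("permit", "deny") or toks[1] != "tcp":
        raise ValueError(f"unsupported entry: {line!r}")
    addrs: List[str] = []
    ports: List[Optional[int]] = []
    established = False
    i = 2
    while i < len(toks):
        if toks[i] == "host":
            addrs.append(toks[i + 1])
            ports.append(None)
            i += 2
        elif toks[i] == "eq" and ports:
            tok = toks[i + 1]
            ports[-1] = PORT_NAMES[tok] if tok in PORT_NAMES else int(tok)
            i += 2
        elif toks[i] == "established":
            established = True
            i += 1
        else:
            raise ValueError(f"unsupported keyword {toks[i]!r} in: {line!r}")
    if len(addrs) != 2:
        raise ValueError(f"expected a source and a destination host in: {line!r}")
    return Entry(toks[0], addrs[0], ports[0], addrs[1], ports[1], established)


def matches(entry: Entry, pkt: Packet) -> bool:
    return (entry.src == pkt.src and entry.dst == pkt.dst
            and (entry.sport is None or entry.sport == pkt.sport)
            and (entry.dport is None or entry.dport == pkt.dport)
            and (not entry.established or pkt.ack))


def evaluate(acl: List[Entry], pkt: Packet) -> str:
    """Stateless: no connection table, first matching entry decides."""
    for entry in acl:
        if matches(entry, pkt):
            return entry.action
    return "deny"  # the implicit 'deny ip any any' at the end of every IOS ACL


A_LOOPBACK = "10.25.3.8"   # Router-A, from the thread
C_LOOPBACK = "10.28.70.1"  # Router-C, from the thread

# Constructed segments, all arriving inbound on Router-B's A-facing interface
A_OPENS_TELNET_TO_C = Packet(A_LOOPBACK, C_LOOPBACK, 40001, 23)
A_ANSWERS_C_TELNET = Packet(A_LOOPBACK, C_LOOPBACK, 23, 40002, ack=True)
A_OPENS_5555_TO_C = Packet(A_LOOPBACK, C_LOOPBACK, 40003, 5555)

# The thread's first entry alone: A may act as a telnet client, nothing else
ACL_CLIENT_ONLY = [parse_entry("permit tcp host 10.25.3.8 host 10.28.70.1 eq telnet")]
# Plus the entry the asker had to add so A can also answer as a telnet server
ACL_BOTH_ROLES = ACL_CLIENT_ONLY + [
    parse_entry("permit tcp host 10.25.3.8 eq telnet host 10.28.70.1")]
# Hypothetical alternative: 'established' admits A->C segments with ACK set
# (replies to sessions C opened) but not new SYNs from A
ACL_ESTABLISHED = ACL_CLIENT_ONLY + [
    parse_entry("permit tcp host 10.25.3.8 host 10.28.70.1 established")]
# The original question's entry for port 5555
ACL_PORT_5555 = [parse_entry("permit tcp host 10.25.3.8 host 10.28.70.1 eq 5555")]


def demo() -> dict:
    """Verdict per scenario, so the effect of direction and state is visible."""
    return {
        "A->C telnet, client-only ACL": evaluate(ACL_CLIENT_ONLY, A_OPENS_TELNET_TO_C),
        "A's reply to C, client-only ACL": evaluate(ACL_CLIENT_ONLY, A_ANSWERS_C_TELNET),
        "A's reply to C, both-roles ACL": evaluate(ACL_BOTH_ROLES, A_ANSWERS_C_TELNET),
        "A's reply to C, established ACL": evaluate(ACL_ESTABLISHED, A_ANSWERS_C_TELNET),
        "A->C port 5555, port-5555 ACL": evaluate(ACL_PORT_5555, A_OPENS_5555_TO_C),
    }


if __name__ == "__main__":
    for scenario, verdict in demo().items():
        print(f"{scenario:36} {verdict}")
```

The second scenario is the one the asker hit: with only the client-side entry, Router-A's reply segments (source port 23) match nothing and fall to the implicit deny, so the telnet that Router-C opened never completes. A stateful device would have recorded C's outbound session and admitted the reply without a second entry; a router ACL needs either the explicit return-direction entry or the established keyword.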

adamgibs7 Fri, 09/04/2009 - 02:01

Hi Edison,

Is it the same behaviour on the ASA?

As I have heard, the ASA is stateful and maintains a connection table for packets going outbound. Assume B is an ASA and deny ip any any is applied on B's outside interface. If I initiate a telnet connection from C to A, will the traffic be permitted or denied while returning from A?

Correct Answer
Edison Ortiz Fri, 09/04/2009 - 06:34

I can't speak for ASA behavior. I don't work on that product line.
