Telnet Query.

adamgibs7
Level 6

Topology:

Router-A----Router-B------Router-C

I am allowing telnet connections to Router-C's loopback from Router-A's loopback. The telnet is successful when testing with the command telnet X.X.X.X 23 when I apply an access-group IN on Router-B.

I want to enable port 5555 as a destination on Router-C's loopback with any source port.

My config on Router-B is

ip access-list extended test

permit tcp host X.X.X.X host X.X.X.X eq 5555

I am trying to test the connection from Router-A as:

telnet <router-C loopback> 5555

It says connection refused.

How can I confirm that my access-list is working on this port?


Edison Ortiz
Hall of Fame

Disable ip route-cache on Router B's interfaces and debug ip detail on Router B.

You can also enable HTTP on Router C and change the default port from 80 to 5555 with the command ip http port 5555 to avoid the connection refused message. As you know, an application needs to have that port opened to accept your request.

HTH,

__

Edison

Hi ediortiz

I have enabled telnet from A to C:

permit tcp host 10.25.3.8 host 10.28.70.1 eq telnet

But when I try to telnet from C to A it doesn't work; I have to specify another access-list:

permit tcp host 10.25.3.8 eq telnet host 10.28.70.1

I want a proper understanding of this, can you please

As I know, an ASA is a stateful firewall: whichever connection goes out is permitted back in, regardless of that traffic being denied on the outside interface of the ASA.

I mean to say, if telnet is blocked on the outside interface and an inside host initiates a telnet to any destination device outside, the connection is successful.

Is the behaviour of router access-lists different from ASA access-lists?

You need to understand the direction on the ACL and also who is providing the service.

With this example:

permit tcp host 10.25.3.8 host 10.28.70.1 eq telnet

10.25.3.8 is the telnet client and 10.28.70.1 is the telnet server.

The ACL direction must be 'in' if traffic is coming from 10.25.3.8.

__

Edison.

Hi,

You are correct ediortiz.

I have enabled telnet traffic from A to C; it works fine from A with an access-list applied on B's IN interface (traffic coming from A).

Second question:

There is no outbound access-list on B going towards A; everything is permitted.

When I initiate a telnet connection from C to A I have to add this access-list on B's IN interface:

permit tcp host 10.25.3.8 eq telnet host 10.28.70.1

WHY???

Without the above access-list it is unsuccessful.

When I initiate a telnet connection from C to A I have to add this access-list on B's IN interface:

permit tcp host 10.25.3.8 eq telnet host 10.28.70.1

WHY???

Router A is responding to the telnet request from Router C and it is acting as a telnet server, hence you need to allow this flow in the 'in' direction on Router B.

You need to remember the implicit deny all.

__

Edison.

Please rate helpful posts
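Edison's point about ACL direction and which side is the telnet server, as an added worked example (not code from this thread): a small stateless matcher for extended ACL lines in the syntax used above, evaluated against packets entering Router-B on its Router-A-facing interface. The addresses are the thread's; the ephemeral client ports and the ACL names are constructed.

```python
# Added example: stateless extended-ACL evaluation with the implicit deny.
# Only the "permit|deny tcp host SRC [eq P] host DST [eq P]" form is parsed.
from dataclasses import dataclass
from typing import Optional


@dataclass
class Ace:
    action: str
    src: str
    sport: Optional[int]   # None means any source port
    dst: str
    dport: Optional[int]   # None means any destination port


def parse_ace(line: str) -> Ace:
    tok = line.split()
    action, proto = tok[0], tok[1]
    assert action in ("permit", "deny") and proto == "tcp"
    i, ends = 2, []
    for _ in range(2):                     # source endpoint, then destination
        assert tok[i] == "host"
        host, port = tok[i + 1], None
        i += 2
        if i < len(tok) and tok[i] == "eq":
            port = {"telnet": 23}.get(tok[i + 1]) or int(tok[i + 1])
            i += 2
        ends.append((host, port))
    return Ace(action, ends[0][0], ends[0][1], ends[1][0], ends[1][1])


def evaluate(acl, pkt):
    """Return (verdict, matching ACE or None). pkt = (src, sport, dst, dport)."""
    src, sport, dst, dport = pkt
    for ace in acl:                        # first match wins, top to bottom
        if (ace.src == src and ace.dst == dst
                and ace.sport in (None, sport) and ace.dport in (None, dport)):
            return ace.action, ace
    return "deny", None                    # implicit deny all at the end


ACL_ONE = [parse_ace("permit tcp host 10.25.3.8 host 10.28.70.1 eq telnet")]
ACL_TWO = ACL_ONE + [parse_ace("permit tcp host 10.25.3.8 eq telnet host 10.28.70.1")]

# Constructed packets entering B's A-facing interface (ephemeral ports made up):
A_TO_C_SYN = ("10.25.3.8", 40001, "10.28.70.1", 23)     # A is the telnet client
A_TO_C_REPLY = ("10.25.3.8", 23, "10.28.70.1", 51002)    # A answers C's telnet

if __name__ == "__main__":
    for name, acl in (("one line", ACL_ONE), ("two lines", ACL_TWO)):
        for label, pkt in (("A as client", A_TO_C_SYN), ("A as server", A_TO_C_REPLY)):
            print(name, "|", label, "|", evaluate(acl, pkt)[0])
```

With only the first line, A's reply to a C-initiated telnet falls through to the implicit deny; the second line (source port 23 on A) is what lets that flow in.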

Hi Edison,

Is it the same behaviour on an ASA???

As I have heard, an ASA is stateful and maintains a connection table for packets going outbound. Assume B is an ASA and on B's outside interface the command deny ip any any is configured. If I initiate a telnet connection from C to A, will the traffic be permitted or denied while returning from A????

I can't speak for ASA behavior. I don't work on that product line.
