Access-list

May 10th, 2010

I have 2 access-lists:


Extended IP access list 100

    10 permit tcp 172.16.16.0 0.0.0.15 host 172.16.48.63 eq 22
    20 permit tcp 172.16.16.0 0.0.0.15 eq telnet host 172.16.48.63


Extended IP access list 101
    10 permit tcp host 172.16.48.63 eq 22 172.16.16.0 0.0.0.15
    20 permit tcp host 172.16.48.63 172.16.16.0 0.0.0.15 eq telnet


applied to router LAN interfaces below:


int fa0/0
ip access-group 100 in
int fa0/1
ip access-group 101 in


Can someone explain why hosts in network 172.16.16.0 are able to SSH but not telnet to host 172.16.48.63?

Also, does it make a difference with eq [port #] at the end versus in the middle of the statement?


Thanks

Pei Wai

Jon Marshall Mon, 05/10/2010 - 22:23

leepeiwai wrote:


I have 2 access-lists:


Extended IP access list 100

    10 permit tcp 172.16.16.0 0.0.0.15 host 172.16.48.63 eq 22
    20 permit tcp 172.16.16.0 0.0.0.15 eq telnet host 172.16.48.63


Extended IP access list 101
    10 permit tcp host 172.16.48.63 eq 22 172.16.16.0 0.0.0.15
    20 permit tcp host 172.16.48.63 172.16.16.0 0.0.0.15 eq telnet


applied to router LAN interfaces below:


int fa0/0
ip access-group 100 in
int fa0/1
ip access-group 101 in


Can someone explain why hosts in network 172.16.16.0 are able to SSH but not telnet to host 172.16.48.63?

Also, does it make a difference with eq [port #] at the end versus in the middle of the statement?


Thanks

Pei Wai


Pei


Yes, it does make a difference, i.e.


access-list 101 permit tcp 172.16.16.0 0.0.0.15 host 172.16.18.43 eq 23  means it allows any host in the 172.16.16.1 -> 14 range to connect to port 23 (telnet) on 172.16.18.43. So you are telnetting to 172.16.18.43.


access-list 101 permit tcp 172.16.16.0 0.0.0.15 eq 23 host 172.16.18.43  means it allows any host in the 172.16.16.1 -> 14 range to send traffic from port 23 (telnet) to 172.16.18.43. So you are telnetting from 172.16.16.1 -> 14 to host 172.16.18.43.


So make your ACLs match, i.e. assuming 172.16.16.x hosts come in on fa0/0 and host 172.16.18.43 is reachable via the fa0/1 interface -


Extended IP access list 100

    10 permit tcp 172.16.16.0 0.0.0.15 host 172.16.48.63 eq 22
    20 permit tcp 172.16.16.0 0.0.0.15 host 172.16.48.63 eq telnet


Extended IP access list 101
    10 permit tcp host 172.16.48.63 eq 22 172.16.16.0 0.0.0.15
    20 permit tcp host 172.16.48.63 eq telnet 172.16.16.0 0.0.0.15


Jon

leepeiwai Mon, 05/10/2010 - 22:39
jon.marshall wrote:


access-list 101 permit tcp 172.16.16.0 0.0.0.15 host 172.16.18.43 eq 23  means it allows any host in the 172.16.16.1 -> 14 range to connect to port 23 (telnet) on 172.16.18.43. So you are telnetting to 172.16.18.43.


access-list 101 permit tcp 172.16.16.0 0.0.0.15 eq 23 host 172.16.18.43  means it allows any host in the 172.16.16.1 -> 14 range to send traffic from port 23 (telnet) to 172.16.18.43. So you are telnetting from 172.16.16.1 -> 14 to host 172.16.18.43.



Thanks, Jon, for your quick reply.

I am sorry, I do not see the difference between having eq 23 at the end and in the middle of the permit statement. They both allow the host to telnet to 172.16.18.43?


PeiWai

Correct Answer
Federico Coto F... Mon, 05/10/2010 - 22:43

Hi,


access-list 101 permit tcp 172.16.16.0 0.0.0.15 host 172.16.18.43 eq 23 
access-list 101 permit tcp 172.16.16.0 0.0.0.15 eq 23 host 172.16.18.43


On the first line the destination port is 23 and on the second line the source port is 23.
So, yes, both lines are permitting port 23, but they are completely different, since one refers to the source port of the connection and the other one to the destination port.


Federico.

Correct Answer
Jon Marshall Mon, 05/10/2010 - 22:44

leepeiwai wrote:


jon.marshall wrote:


access-list 101 permit tcp 172.16.16.0 0.0.0.15 host 172.16.18.43 eq 23  means it allows any host in the 172.16.16.1 -> 14 range to connect to port 23 (telnet) on 172.16.18.43. So you are telnetting to 172.16.18.43.


access-list 101 permit tcp 172.16.16.0 0.0.0.15 eq 23 host 172.16.18.43  means it allows any host in the 172.16.16.1 -> 14 range to send traffic from port 23 (telnet) to 172.16.18.43. So you are telnetting from 172.16.16.1 -> 14 to host 172.16.18.43.



Thanks, Jon, for your quick reply.

I am sorry, I do not see the difference between having eq 23 at the end and in the middle of the permit statement. They both allow the host to telnet to 172.16.18.43?


PeiWai


No they don't.


access-list 101 permit tcp host 1.1.1.1 host 2.2.2.2 eq 23


means host 1.1.1.1 can telnet to 2.2.2.2. So the telnet server is running on host 2.2.2.2.


src IP 1.1.1.1

src port - random port

destination IP 2.2.2.2

destination port 23 (telnet)


access-list 101 permit tcp host 1.1.1.1 eq telnet host 2.2.2.2


means host 1.1.1.1 is running the telnet server and you are allowing host 1.1.1.1 to send packets from its telnet server back to host 2.2.2.2.


src IP 1.1.1.1

src port  23 (telnet)

destination IP 2.2.2.2

destination port - random port


Jon
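The port-position rule Jon and Federico describe, and the corrected ACLs from Jon's first reply, as an added example that is not part of the thread: a small Python evaluator (only the standard ipaddress module; the client address 172.16.16.5 and ephemeral port 40000 are constructed) that walks the posted ACLs the way the router does, first match wins and then implicit deny, and shows SSH passing while the telnet SYN is dropped because line 20 of ACL 100 demands a source port of 23.

```python
import ipaddress
PORT_NAMES = {"telnet": 23, "ssh": 22}  # names that may stand in for a number after "eq"

def parse_ace(line):
    """Parse 'permit tcp <src> [eq p] <dst> [eq p]'; <addr> is 'host A.B.C.D' or 'A.B.C.D wildcard'."""
    t = line.split()
    if t[0].isdigit():           # drop the sequence number from 'show access-lists' output
        t = t[1:]
    action, t = t[0], t[2:]      # t[1] is the protocol; only tcp appears in the thread
    def take_addr():
        nonlocal t
        if t[0] == "host":
            net, t = ipaddress.ip_network(t[1]), t[2:]
        else:  # Cisco wildcard is a hostmask, which ipaddress accepts: 0.0.0.15 -> /28
            net, t = ipaddress.ip_network(f"{t[0]}/{t[1]}"), t[2:]
        return net
    def take_port():
        nonlocal t
        if t and t[0] == "eq":
            port, t = PORT_NAMES.get(t[1]) or int(t[1]), t[2:]
            return port
        return None              # no 'eq' at this position: any port matches
    src, sport, dst, dport = take_addr(), take_port(), take_addr(), take_port()
    return action, src, sport, dst, dport

def evaluate(acl, src_ip, sport, dst_ip, dport):
    """First matching entry decides; an ACL ends with an implicit deny."""
    for action, src, s_p, dst, d_p in map(parse_ace, acl):
        if (ipaddress.ip_address(src_ip) in src and ipaddress.ip_address(dst_ip) in dst
                and s_p in (None, sport) and d_p in (None, dport)):
            return action == "permit"
    return False

def session_allowed(acl_fa0_0, acl_fa0_1, client, server, service_port, ephemeral=40000):
    """The client's SYN must pass ACL 100 (in on fa0/0) and the server's reply ACL 101 (in on fa0/1)."""
    forward = evaluate(acl_fa0_0, client, ephemeral, server, service_port)
    reply = evaluate(acl_fa0_1, server, service_port, client, ephemeral)
    return forward and reply

ACL100_ORIG = ["10 permit tcp 172.16.16.0 0.0.0.15 host 172.16.48.63 eq 22",     # as posted
               "20 permit tcp 172.16.16.0 0.0.0.15 eq telnet host 172.16.48.63"]
ACL101_ORIG = ["10 permit tcp host 172.16.48.63 eq 22 172.16.16.0 0.0.0.15",
               "20 permit tcp host 172.16.48.63 172.16.16.0 0.0.0.15 eq telnet"]
ACL100_FIXED = [ACL100_ORIG[0], "20 permit tcp 172.16.16.0 0.0.0.15 host 172.16.48.63 eq telnet"]  # Jon's fix
ACL101_FIXED = [ACL101_ORIG[0], "20 permit tcp host 172.16.48.63 eq telnet 172.16.16.0 0.0.0.15"]

def results(acl100, acl101, client="172.16.16.5", server="172.16.48.63"):  # client IP is constructed
    return {"ssh": session_allowed(acl100, acl101, client, server, 22),
            "telnet": session_allowed(acl100, acl101, client, server, 23)}
```

results(ACL100_ORIG, ACL101_ORIG) gives ssh True and telnet False; with the corrected lists both are True.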
