
Access-list

leepeiwai (Level 1)

I have 2 access-lists:

Extended IP access list 100

    10 permit tcp 172.16.16.0 0.0.0.15 host 172.16.48.63 eq 22
    20 permit tcp 172.16.16.0 0.0.0.15 eq telnet host 172.16.48.63

Extended IP access list 101
    10 permit tcp host 172.16.48.63 eq 22 172.16.16.0 0.0.0.15
    20 permit tcp host 172.16.48.63 172.16.16.0 0.0.0.15 eq telnet

applied to router LAN interfaces below:

int fa0/0
ip access-group 100 in
int fa0/1
ip access-group 101 in

Can someone explain why hosts in network 172.16.16.0 are able to SSH but not telnet to host 172.16.48.63?

Also, does it make a difference with eq [port #] at the end versus in the middle of the statement?

Thanks

Pei Wai


6 Replies

Jon Marshall (Hall of Fame)

leepeiwai wrote:

I have 2 access-lists:

Extended IP access list 100

    10 permit tcp 172.16.16.0 0.0.0.15 host 172.16.48.63 eq 22
    20 permit tcp 172.16.16.0 0.0.0.15 eq telnet host 172.16.48.63

Extended IP access list 101
    10 permit tcp host 172.16.48.63 eq 22 172.16.16.0 0.0.0.15
    20 permit tcp host 172.16.48.63 172.16.16.0 0.0.0.15 eq telnet

applied to router LAN interfaces below:

int fa0/0
ip access-group 100 in
int fa0/1
ip access-group 101 in

Can someone explain why hosts in network 172.16.16.0 are able to SSH but not telnet to host 172.16.48.63?

Also, does it make a difference with eq [port #] at the end versus in the middle of the statement?

Thanks

Pei Wai

Pei

Yes it does make a difference ie.

access-list 101 permit tcp 172.16.16.0 0.0.0.15 host 172.16.18.43 eq 23  means allow any host in the 172.16.16.1 -> 14 range to connect to port 23 (telnet) on 172.16.18.43. So you are telnetting to 172.16.18.43.

access-list 101 permit tcp 172.16.16.0 0.0.0.15 eq 23 host 172.16.18.43  means allow any host in the 172.16.16.1 -> 14 range to send traffic from port 23 (telnet) to 172.16.18.43. So you are telnetting from 172.16.16.1 -> 14 to host 172.16.18.43.

So make your ACLs match, i.e. assuming the 172.16.16.x hosts come in on fa0/0 and host 172.16.18.43 is reachable via the fa0/1 interface:

Extended IP access list 100

    10 permit tcp 172.16.16.0 0.0.0.15 host 172.16.48.63 eq 22
    20 permit tcp 172.16.16.0 0.0.0.15 host 172.16.48.63 eq telnet

Extended IP access list 101
    10 permit tcp host 172.16.48.63 eq 22 172.16.16.0 0.0.0.15
    20 permit tcp host 172.16.48.63 eq telnet 172.16.16.0 0.0.0.15

Jon

jon.marshall wrote:

access-list 101 permit tcp 172.16.16.0 0.0.0.15 host 172.16.18.43 eq 23  means allow any host in the 172.16.16.1 -> 14 range to connect to port 23 (telnet) on 172.16.18.43. So you are telnetting to 172.16.18.43.

access-list 101 permit tcp 172.16.16.0 0.0.0.15 eq 23 host 172.16.18.43  means allow any host in the 172.16.16.1 -> 14 range to send traffic from port 23 (telnet) to 172.16.18.43. So you are telnetting from 172.16.16.1 -> 14 to host 172.16.18.43.

Thanks Jon for your quick reply.

I am sorry, I do not see the difference between having eq 23 at the end and in the middle of the permit statement. They both allow the host to telnet to 172.16.18.43?

PeiWai

Hi,

access-list 101 permit tcp 172.16.16.0 0.0.0.15 host 172.16.18.43 eq 23 
access-list 101 permit tcp 172.16.16.0 0.0.0.15 eq 23 host 172.16.18.43

On the first line the destination port is 23 and on the second line the source port is 23.
So, yes both lines are permitting port 23 but are completely different since one is referring to the source
port of the connection and the other one as the destination port.

Federico.

Thanks Federico

leepeiwai wrote:

jon.marshall wrote:

access-list 101 permit tcp 172.16.16.0 0.0.0.15 host 172.16.18.43 eq 23  means allow any host in the 172.16.16.1 -> 14 range to connect to port 23 (telnet) on 172.16.18.43. So you are telnetting to 172.16.18.43.

access-list 101 permit tcp 172.16.16.0 0.0.0.15 eq 23 host 172.16.18.43  means allow any host in the 172.16.16.1 -> 14 range to send traffic from port 23 (telnet) to 172.16.18.43. So you are telnetting from 172.16.16.1 -> 14 to host 172.16.18.43.

Thanks Jon for your quick reply.

I am sorry, I do not see the difference between having eq 23 at the end and in the middle of the permit statement. They both allow the host to telnet to 172.16.18.43?

PeiWai

No they don't.

access-list 101 permit tcp host 1.1.1.1 host 2.2.2.2 eq 23

means host 1.1.1.1 can telnet to 2.2.2.2. So the telnet server is running on host 2.2.2.2.

src IP 1.1.1.1

src port - random port

destination IP 2.2.2.2

destination port 23 (telnet)

access-list 101 permit tcp host 1.1.1.1 eq telnet host 2.2.2.2

means host 1.1.1.1 is running the telnet server and you are allowing host 1.1.1.1 to send packets from its telnet server back to host 2.2.2.2

src IP 1.1.1.1

src port 23 (telnet)

destination IP 2.2.2.2

destination port - random port

Jon

Got it, thanks Jon
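To make the source-port versus destination-port distinction from the replies above concrete, here is an added example (written for this page, not code from the thread or from Cisco) that parses the handful of extended-ACL forms used in this thread and evaluates the original and corrected lists against the two packets of a telnet and an SSH session. The evaluator only understands `permit|deny tcp <src> [eq port] <dst> [eq port]` with `host`, `any` or address/wildcard pairs, and the ephemeral client port 51234 and client address 172.16.16.5 are constructed sample values.

```python
"""Evaluate Cisco-style extended ACL lines against a 5-tuple (added example)."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

NAMED_PORTS = {"telnet": 23, "ssh": 22, "www": 80, "smtp": 25, "domain": 53}


@dataclass(frozen=True)
class Ace:
    action: str
    src_net: int
    src_wc: int
    src_port: Optional[int]
    dst_net: int
    dst_wc: int
    dst_port: Optional[int]
    text: str


def _ip(s: str) -> int:
    return int(ipaddress.IPv4Address(s))


def _addr(toks: List[str], i: int) -> Tuple[int, int, int]:
    """Consume one address spec at toks[i]; return (network, wildcard, next index)."""
    if toks[i] == "host":
        return _ip(toks[i + 1]), 0, i + 2
    if toks[i] == "any":
        return 0, 0xFFFFFFFF, i + 1
    return _ip(toks[i]), _ip(toks[i + 1]), i + 2


def _opt_port(toks: List[str], i: int) -> Tuple[Optional[int], int]:
    """Consume an optional 'eq <port>' at toks[i]; names like 'telnet' are resolved."""
    if i < len(toks) and toks[i] == "eq":
        p = toks[i + 1]
        return (NAMED_PORTS[p] if p in NAMED_PORTS else int(p)), i + 2
    return None, i


def parse_ace(line: str) -> Ace:
    """Accepts 'access-list N permit tcp ...' or 'show' output with a leading sequence number."""
    toks = line.split()
    if toks[0] == "access-list":
        toks = toks[2:]
    elif toks[0].isdigit():
        toks = toks[1:]
    action, proto = toks[0], toks[1]
    if action not in ("permit", "deny") or proto != "tcp":
        raise ValueError(f"unsupported ACE: {line}")
    src_net, src_wc, i = _addr(toks, 2)
    src_port, i = _opt_port(toks, i)      # 'eq' here = SOURCE port
    dst_net, dst_wc, i = _addr(toks, i)
    dst_port, i = _opt_port(toks, i)      # 'eq' here = DESTINATION port
    if i != len(toks):
        raise ValueError(f"trailing tokens in ACE: {line}")
    return Ace(action, src_net, src_wc, src_port, dst_net, dst_wc, dst_port, line.strip())


def _match_addr(addr: int, net: int, wc: int) -> bool:
    mask = 0xFFFFFFFF ^ wc               # wildcard bits are "don't care"
    return (addr & mask) == (net & mask)


def evaluate(acl: List[Ace], src_ip: str, src_port: int, dst_ip: str, dst_port: int):
    """First-match semantics with the implicit deny at the end of every IOS ACL."""
    s, d = _ip(src_ip), _ip(dst_ip)
    for ace in acl:
        if (_match_addr(s, ace.src_net, ace.src_wc) and _match_addr(d, ace.dst_net, ace.dst_wc)
                and (ace.src_port is None or ace.src_port == src_port)
                and (ace.dst_port is None or ace.dst_port == dst_port)):
            return ace.action, ace.text
    return "deny", "implicit deny"


def session_allowed(acl_fa00_in, acl_fa01_in, client: str, server: str, port: int, ephemeral: int = 51234):
    """Client SYN enters fa0/0 (ACL 100 inbound); the server's reply enters fa0/1 (ACL 101 inbound)."""
    fwd = evaluate(acl_fa00_in, client, ephemeral, server, port)
    rev = evaluate(acl_fa01_in, server, port, client, ephemeral)
    return {"forward": fwd, "return": rev, "works": fwd[0] == "permit" and rev[0] == "permit"}


# The poster's original lists and Jon's corrected ones, verbatim from the thread.
ORIGINAL_100 = [parse_ace(l) for l in ("10 permit tcp 172.16.16.0 0.0.0.15 host 172.16.48.63 eq 22",
                                      "20 permit tcp 172.16.16.0 0.0.0.15 eq telnet host 172.16.48.63")]
ORIGINAL_101 = [parse_ace(l) for l in ("10 permit tcp host 172.16.48.63 eq 22 172.16.16.0 0.0.0.15",
                                      "20 permit tcp host 172.16.48.63 172.16.16.0 0.0.0.15 eq telnet")]
CORRECTED_100 = [parse_ace(l) for l in ("10 permit tcp 172.16.16.0 0.0.0.15 host 172.16.48.63 eq 22",
                                       "20 permit tcp 172.16.16.0 0.0.0.15 host 172.16.48.63 eq telnet")]
CORRECTED_101 = [parse_ace(l) for l in ("10 permit tcp host 172.16.48.63 eq 22 172.16.16.0 0.0.0.15",
                                       "20 permit tcp host 172.16.48.63 eq telnet 172.16.16.0 0.0.0.15")]

if __name__ == "__main__":
    for label, a100, a101 in (("original", ORIGINAL_100, ORIGINAL_101),
                              ("corrected", CORRECTED_100, CORRECTED_101)):
        for svc, port in (("ssh", 22), ("telnet", 23)):
            r = session_allowed(a100, a101, "172.16.16.5", "172.16.48.63", port)
            print(f"{label:9} {svc:6} works={r['works']}  fwd={r['forward']}  ret={r['return']}")
```

Running it shows the original lists permit SSH in both directions but hit the implicit deny for telnet on both interfaces: the client's SYN carries an ephemeral source port, so `eq telnet` on the source side never matches, and the server's reply carries port 23 as its source, so `eq telnet` on the destination side never matches either. One caveat for the corrected lists: a stateless ACE such as `permit tcp host 172.16.48.63 eq 22 172.16.16.0 0.0.0.15` admits any packet whose source port is 22, whatever its destination port, so a host that sets its source port to 22 or 23 can reach arbitrary ports on the 172.16.16.x range; the `established` keyword on return-traffic ACEs, or a stateful mechanism, narrows that.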
