ACL problem

ahatef
Level 1

Hi,

I have an urgent question,

- I'm applying ACLs on 8 routers, 2 are 7507 and 6 are 2522. I have used named access-lists and they are working fine with the 7507 routers.

- After applying the named ACL on the 2522 routers I found that they are not applied and no matches are displayed when I show the access-lists.

- I changed to numbered access-lists and then I get some hits, but I'm still running into a problem: I can telnet from the router even though I didn't permit it.

- I put in the first line "deny tcp any any eq 23". I enabled debugging for this list and I can see that the router denies the telnet packet, but I'm still able to telnet.

- How can I proceed to solve this problem? By the way, the 2522 routers are running 12.2 IOS.

Thanks

Ahmed

6 Replies

mesuti
Level 1

Post the running-config of the router, because it's difficult to identify the problem without it.

If you want to permit a particular IP, do the following configuration:

Router#conf t
Router(config)#access-list 10 permit x.x.x.x
Router(config)#line vty 0 4
Router(line-config)#access-class 10 in

(only x.x.x.x will be permitted)

If you want to see any IP trying to connect to the router that does not have permission, use the following access-list:

access-list 10 permit x.x.x.x
access-list 10 deny any log

If you want to disable telnet, do the following:

Router(line-config)# transport input none

I hope that this will solve your problem; if not, post the running-configuration. Also, you shouldn't deny telnet on interfaces, because it is possible that you apply an access-list on one interface but can still connect through another interface if you have IP connectivity.

Hope it helps.

Thanks for the fast reply. Yes, the running-config may help, but I need to clarify some information:

- I apply the access-lists as outbound on all the serial interfaces; I assume that no telnet packets should pass through the interface.

- It is a requirement from the customer to have the ACL as outbound; I can't change this.

Here is the running-config before the ACL was applied:

------------------ show running-config ------------------
Building configuration...

Current configuration:
!
! Last configuration change at 13:20:24 CAT-4 Tue Oct 30 2001 by rt2522_admin
! NVRAM config last updated at 20:11:27 CAT-4 Wed Nov 14 2001 by rt2522_admin
!
version 12.0
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname rt2522
!
logging buffered 40960 debugging
aaa new-model
aaa authentication login default group tacacs+
aaa authentication ppp default group tacacs+
aaa authorization exec default group tacacs+
aaa authorization network default group tacacs+
aaa accounting exec default start-stop group tacacs+
aaa accounting network default start-stop group tacacs+
aaa accounting connection default start-stop group tacacs+
enable secret 5
!
!
!
!
!
clock timezone CAT-4
ip subnet-zero
ip domain-name
ip name-server
ip name-server
!
!
!
process-max-time 200
!
interface Ethernet0
 ip address 192.168.13.200 255.255.255.0 secondary
 ip address 195.1.1.177 255.255.255.240
 no ip directed-broadcast
!
interface Serial0
 description
 ip address 194.1.1.90 255.255.255.252
 no ip directed-broadcast
!
interface Serial1
 ip address 194.1.1.94 255.255.255.252
 no ip directed-broadcast
!
interface Serial2
 description power alarm 1
 no ip address
 no ip directed-broadcast
 no ignore-hw local-loopback
!
interface Serial3
 description power alarm 2
 no ip address
 no ip directed-broadcast
 no ignore-hw local-loopback
!
interface Serial4
 description
 no ip address
 no ip directed-broadcast
 shutdown
 no ignore-hw local-loopback
!
interface Serial5
 description
 no ip address
 no ip directed-broadcast
 shutdown
 no ignore-hw local-loopback
!
interface Serial6
 description
 no ip address
 no ip directed-broadcast
 shutdown
 no ignore-hw local-loopback
!
interface Serial7
 description
 no ip address
 no ip directed-broadcast
 shutdown
 no ignore-hw local-loopback
!
interface Serial8
 description
 no ip address
 no ip directed-broadcast
 shutdown
 no ignore-hw local-loopback
!
interface Serial9
 description
 no ip address
 no ip directed-broadcast
 shutdown
 no ignore-hw local-loopback
!
interface BRI0
 no ip address
 no ip directed-broadcast
 shutdown
 isdn guard-timer 0 on-expiry accept
!
router ospf 100
 network 192.168.13.0 0.0.0.255 area 0.0.0.5
 network 194.1.1.88 0.0.0.3 area 0.0.0.5
 network 194.1.1.92 0.0.0.3 area 0.0.0.5
 network 195.1.1.176 0.0.0.15 area 0.0.0.5
!
no ip classless
no ip http server
!
logging trap debugging
logging
tacacs-server host
tacacs-server key
snmp-server engineID local 0000000902000050547FC1CF
snmp-server community RO
snmp-server community RW
snmp-server community view v1default RO
snmp-server enable traps snmp
snmp-server host tty x25 snmp
privilege exec level 3 enable
!
line con 0
 transport input none
line aux 0
line vty 0 4
 password
!
ntp clock-period 17180146
ntp server 193.1.1.200 prefer
ntp server 193.1.1.202
end

Then I applied the following ACL (note that the first line was added after finding that telnet still goes through):

access-list 105 deny tcp any any eq 23
access-list 105 permit icmp any any
access-list 105 permit tcp 195.1.1.128 0.0.0.15 eq telnet host 193.1.1.69
access-list 105 permit tcp 195.1.1.128 0.0.0.15 eq telnet host 193.1.1.71
access-list 105 permit tcp 195.1.1.128 0.0.0.15 eq telnet host 193.1.1.200
access-list 105 permit tcp 195.1.1.128 0.0.0.15 eq telnet host 193.1.1.201
access-list 105 permit tcp 195.1.1.128 0.0.0.15 eq telnet host 193.1.1.202
access-list 105 permit tcp 195.1.1.128 0.0.0.15 eq telnet host 193.1.1.203
access-list 105 permit tcp host 194.1.1.66 eq telnet host 193.1.1.200
access-list 105 permit tcp host 194.1.1.66 eq telnet host 193.1.1.201
access-list 105 permit tcp host 194.1.1.66 eq telnet host 193.1.1.202
access-list 105 permit tcp host 194.1.1.66 eq telnet host 193.1.1.203
access-list 105 permit tcp host 194.1.1.70 eq telnet host 193.1.1.200
access-list 105 permit tcp host 194.1.1.70 eq telnet host 193.1.1.201
access-list 105 permit tcp host 194.1.1.70 eq telnet host 193.1.1.202
access-list 105 permit tcp host 194.1.1.70 eq telnet host 193.1.1.203

Then I applied the ACL using the command:

#ip access-group 105 out

The command was applied on S0 and S1 only, as they are the E1 links (there is no other way for IP packets except these 2 interfaces).

I hope this helps.

Ahmed

Ahmed,

Let me explain what I know about your situation with the Cisco 2522s: you deny Telnet traffic from your customers (except some specific IP addresses) through the serial interfaces, but when you try to connect from the router itself (the same Cisco 2522) telnet is allowed. If so

(even though the current configuration should have worked, I mean I didn't notice anything wrong), try this command:

Router(line-config)# transport output none

(beware that this command disables telnet for all outgoing connections from that router)

Hope it'll help.

Hi mesuti,

Thanks for the reply. I will try this command, but it can work for telnet only; the access-list will include many other protocols and it might not work :( ... If there is no problem in the configuration, what can I expect: is it the IOS version or the router model?

Thanks

Ahmed

Ahmed,

Let me offer a couple of suggestions. If your customer requires you to have the ACL placed outbound, you can have both an outbound and an inbound ACL on the same interface. My personal approach would be to restructure the above ACL as follows and apply it inbound on the ethernet interface that connects to the inside users:

access-list 105 deny tcp any any eq 23
access-list 105 permit icmp any any
access-list 105 permit tcp host 193.1.1.69 195.1.1.128 0.0.0.15 eq telnet
access-list 105 permit tcp host 193.1.1.71 195.1.1.128 0.0.0.15 eq telnet
access-list 105 permit tcp host 193.1.1.200 195.1.1.128 0.0.0.15 eq telnet
access-list 105 permit tcp host 193.1.1.201 195.1.1.128 0.0.0.15 eq telnet
access-list 105 permit tcp host 193.1.1.202 195.1.1.128 0.0.0.15 eq telnet
access-list 105 permit tcp host 193.1.1.203 195.1.1.128 0.0.0.15 eq telnet
access-list 105 permit tcp host 193.1.1.200 host 194.1.1.66 eq telnet
access-list 105 permit tcp host 193.1.1.201 host 194.1.1.66 eq telnet
access-list 105 permit tcp host 193.1.1.202 host 194.1.1.66 eq telnet
access-list 105 permit tcp host 193.1.1.203 host 194.1.1.66 eq telnet
access-list 105 permit tcp host 193.1.1.200 host 194.1.1.70 eq telnet
access-list 105 permit tcp host 193.1.1.201 host 194.1.1.70 eq telnet
access-list 105 permit tcp host 193.1.1.202 host 194.1.1.70 eq telnet
access-list 105 permit tcp host 193.1.1.203 host 194.1.1.70 eq telnet

interface ethernet0
 ip access-group 105 in

Next, create another inbound access-list that will filter traffic from the internet and apply it inbound on the serial interfaces.

The problem with the above ACL is that it will not apply to packets as they enter the router, but only as they leave. From a security standpoint, I prefer to have rules apply to traffic in all directions.

Sorry, take out the top line of that ACL. Apply your inbound telnet access on the serial interface.
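As an added example that is not part of this thread, the Python below models how IOS evaluates an extended ACL (wildcard-mask matching, first match wins, implicit deny at the end) and the IOS rule mesuti's second reply relies on: an outbound ACL is not applied to traffic the router itself originates, so a telnet started from the 2522's own CLI bypasses ACL 105 and only `transport output none` on the line stops it. The ACL lines are the first three of Ahmed's posted list 105; the packets, ports and the `locally_generated` flag are constructed for illustration.

```python
import ipaddress

def _ip(s):
    return int(ipaddress.IPv4Address(s))

def _addr(tok):
    # Consume one IOS address spec: 'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD'.
    t = tok.pop(0)
    if t == "any":
        return 0, 0xFFFFFFFF              # wildcard bit set = "don't care"
    return (_ip(tok.pop(0)), 0) if t == "host" else (_ip(t), _ip(tok.pop(0)))

def _port(tok):
    # Consume an optional 'eq <port>' qualifier; 'telnet' is the only name used here.
    if tok and tok[0] == "eq":
        tok.pop(0)
        p = tok.pop(0)
        return 23 if p == "telnet" else int(p)
    return None

def parse_acl(text):
    """Parse 'access-list N permit|deny proto src [eq p] dst [eq p]' lines."""
    acl = []
    for line in text.strip().splitlines():
        tok = line.split()[2:]            # drop 'access-list <number>'
        action, proto = tok.pop(0), tok.pop(0)
        src, sport = _addr(tok), _port(tok)
        dst, dport = _addr(tok), _port(tok)
        acl.append((action, proto, src, sport, dst, dport, line))
    return acl

def _match(addr, spec):
    net, wild = spec
    return (addr & ~wild) == (net & ~wild)

def evaluate(acl, proto, src, sport, dst, dport, locally_generated=False):
    """First-match evaluation ending in IOS's implicit 'deny any'. Packets the
    router originates itself are never checked against an outbound ACL."""
    if locally_generated:
        return "permit", "router-originated: outbound ACL not consulted"
    for action, p, s, sp, d, dp, line in acl:
        if p not in (proto, "ip") or not (_match(_ip(src), s) and _match(_ip(dst), d)):
            continue
        if (sp is not None and sp != sport) or (dp is not None and dp != dport):
            continue
        return action, line
    return "deny", "implicit deny any"

# Constructed sample: the first three lines of Ahmed's ACL 105 as posted.
ACL_105 = parse_acl("""
access-list 105 deny tcp any any eq 23
access-list 105 permit icmp any any
access-list 105 permit tcp 195.1.1.128 0.0.0.15 eq telnet host 193.1.1.69
""")
```

Running a telnet request (destination port 23) through `ACL_105` always hits the first `deny`, while the reply direction (source port 23) is what the `eq telnet` permit lines actually match; the same evaluator shows why the last reply says to take the top line out of the restructured inbound list.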