
basic help with access-lists

rsys
Level 1

Hello,

My router has a serial interface and an ethernet interface. The serial interface connects me to my ISP and the ethernet interface to my local LAN.

I only have an access-list (IN) on my serial interface. In it, all incoming access is allowed from another network (a second office), and general access (from the internet) is allowed only to certain machines in my LAN. Anyway, all is working fine.

My problem is, I can telnet to this ethernet interface from my second office. But I cannot telnet to this interface from anywhere else on the internet. And there is no access-list on vty 0 4. So why is it not allowing me telnet access from the internet?

My logical conclusion is, since I have an access-list on the serial interface (the interface which connects the network to the internet) which allows full access (telnet etc.) only from the 2nd office, it is not allowing me to telnet to the ethernet interface from the internet. The telnet request to the ethernet interface first arrives at the serial interface, where it will get rejected. Is this what is really happening?

If this is the case, what is the purpose of a separate access-list for the ethernet interface (when the serial interface access-list applies here as well)?

I thank you in advance for your kind replies.

2 Replies

raymong
Level 4

From what you have described, it sounds like you are able to telnet from your second office because you are allowing incoming access from that network. For example:

    10.x.x.x---e0.routerA.s0 ---z--- router -- 20.x.x.x (second office)
                                |
                                \----- internet

On routerA, if you had an acl that permitted all traffic from 20.x.x.x, you would be able to telnet to the ethernet interface from the 20 network. Unless you are specifically permitting users on the internet to telnet into your ethernet interface, this traffic should get dropped (which it sounds like it is). You will need to add a line that says something like:

access-list 199 permit tcp any host <ethernet-interface-ip> eq 23

The telnet request to your ethernet interface would arrive at the serial interface first, and at that point the inbound acl would be checked. For this scenario, you would not need to apply another acl on the ethernet interface to accomplish what you're trying to do.

Philip D'Ath
VIP Alumni

A good tip is to log access list violations. For example, on the bottom of your access-lists, add something like:

access-list xxx deny ip any any log-input

Then when something doesn't work, go have a look in the log (show log). Then you will know if it was an access list or something else causing the problem.
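Putting both replies together, here is a worked IOS configuration that shows the inbound ACL on the serial interface with the telnet permit raymong describes and the logged deny Philip D'Ath recommends. This is an added illustration, not configuration from either reply or from the original poster: the addresses (192.0.2.1 on the serial side, 10.1.1.1 for the ethernet interface, 10.1.1.10 and 10.1.1.20 as the LAN hosts open to the internet, 20.0.0.0/8 for the second office, 198.51.100.7 as a management host), the interface name Serial0 and the ACL numbers 199 and 10 are all assumed placeholders. It also goes slightly beyond the thread by adding an `established` line for return traffic of connections the LAN opens outward, and an `access-class` on the vty lines, both of which are assumptions about what a typical setup needs rather than anything the posts state.

```cisco
! Extended ACL applied inbound on the serial (ISP-facing) interface.
! IOS evaluates an ACL top-down and stops at the first match; anything
! not matched is dropped by the implicit "deny ip any any" at the end.
!
! 1. Everything from the second office (assumed 20.0.0.0/8) is allowed.
!    This is why telnet from 20.x.x.x to the ethernet interface works.
access-list 199 permit ip 20.0.0.0 0.255.255.255 any
!
! 2. Services the internet may reach on specific LAN hosts (assumed).
access-list 199 permit tcp any host 10.1.1.10 eq 80
access-list 199 permit tcp any host 10.1.1.20 eq 25
!
! 3. The missing line: telnet to the router's own ethernet address
!    (assumed 10.1.1.1). The packet still enters on Serial0, so this
!    ACL must permit it; no ACL on the ethernet interface is involved.
!    "any" exposes a cleartext telnet login to the whole internet;
!    narrow the source to the address(es) you actually manage from.
access-list 199 permit tcp any host 10.1.1.1 eq 23
!
! 4. Assumed: return traffic for sessions the LAN opened outward.
access-list 199 permit tcp any any established
!
! 5. Explicit logged deny so that drops appear in "show logging"
!    instead of vanishing into the implicit deny. log-input also
!    records the ingress interface and source MAC.
access-list 199 deny ip any any log-input
!
interface Serial0
 ip address 192.0.2.1 255.255.255.252
 ip access-group 199 in
!
! Optional (assumed): restrict the vty lines themselves, regardless of
! which interface the telnet arrives on. List every source you manage
! from, otherwise this blocks the telnet ACL 199 just permitted.
access-list 10 permit 20.0.0.0 0.255.255.255
access-list 10 permit host 198.51.100.7
line vty 0 4
 access-class 10 in
!
! Verify: per-line hit counters, then the logged denies.
! show access-lists 199
! show logging
```

After a failed telnet attempt, `show access-lists 199` shows which line the packet matched (the counter on the logged deny line increments if nothing above it permitted the packet), and `show logging` carries the `%SEC-6-IPACCESSLOGP` entry with the source, destination and port, which is what separates an ACL problem from a routing or vty problem.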