Cisco Support Community
New Member

ACL

Hi,

I configured the ACL as follows:

access-list 165 permit tcp any eq telnet any

However, we cannot telnet. What is missing? Thanks.

Best regards

20 REPLIES

Re: ACL

Add,

access-list 165 permit ip any any

Hope you have a corresponding access-group command applied on the interface.

Silver

Re: ACL

How is this applied? What you've said above will permit any packets sourced from a device running the telnet service.

If this ACL is applied to an interface carrying packets going TO a telnet device, you need to modify it to say:

access-list 165 permit tcp any any eq telnet

Or, to accommodate both scenarios, try:

access-list 165 permit tcp any eq telnet any

access-list 165 permit tcp any any eq telnet

New Member

Re: ACL

Hi,

What is the difference between them?

access-list 165 permit tcp any eq telnet any

access-list 165 permit tcp any any eq telnet

Please advise.

Best regards

Re: ACL

access-list 165 permit tcp any any eq telnet --> Matches traffic heading towards the device you are trying to telnet to (TCP server).

access-list 165 permit tcp any eq telnet any --> Matches return traffic heading towards the host that originated the telnet session (TCP client).

HTH

Sundar

New Member

Re: ACL

Hi,

Does it mean that:

access-list 165 permit tcp any any eq telnet (outbound)

access-list 165 permit tcp any eq telnet any (inbound)

is it correct?

Best regards

Re: ACL

That depends on where you are looking from. If you are looking from the client perspective, from where telnet is initiated, then yes your understanding is correct.

HTH

Sundar

Hall of Fame Super Gold

Re: ACL

Here is a slightly different way to look at it which might be helpful:

access-list 165 permit tcp any eq telnet any

In this one telnet is the source port, so it would match a packet from the device running the telnet service (the device to which you telnet).

access-list 165 permit tcp any any eq telnet

In this one telnet is the destination port, so it would match a packet to the device running the telnet service (the device to which you telnet).

So telnet (TCP port 23) is the destination port on packets from the client to the server, and telnet is the source port on packets from the server to the client. If you understand this concept it should become easier to figure out, in the access list, which interface and which direction is the telnet source and destination.

HTH

Rick

New Member

Re: ACL

Hi,

If we implement the ACL on the interface:

interface FastEthernet0

ip access-group 165 in

access-list 165 permit tcp any eq telnet any

It will allow the return packets when we telnet out.

If we amend the ACL as follows (218.x.x.x is our PC):

access-list 165 permit tcp any eq telnet host 218.x.x.x

It will allow the return packets when we telnet out from 218.x.x.x to any outside telnet server.

access-list 165 permit tcp any host 218.x.x.x eq telnet

It will allow anyone outside to telnet into our network to the 218.x.x.x server.

-----

If we have a telnet server in our network that is open for public telnet, we should apply:

access-list 165 permit tcp any host 218.x.x.x eq telnet

If we don't have a telnet server in our network and want to telnet outside, we should apply the following:

access-list 165 permit tcp host 218.x.x.x any eq telnet

This allows the return packets when we telnet out:

access-list 165 permit tcp any eq telnet host 218.x.x.x

If we implement the ACL on the interface (ip access-group 165 in), the result is:

access-list 165 permit tcp any host 218.x.x.x eq telnet (hit when someone telnets to our server; it is "in" traffic)

access-list 165 permit tcp host 218.x.x.x eq telnet any (will not hit; it is a return packet to someone outside, i.e. "out" traffic)

access-list 165 permit tcp host 218.x.x.x any eq telnet (will not hit because it is "out" traffic)

access-list 165 permit tcp any eq telnet host 218.x.x.x (hit when we telnet out and it is the return packet; it is "in" traffic)

Is it correct?

Best regards

Hall of Fame Super Gold

Re: ACL

I am afraid it is not correct.

Assuming that the interface where this ACL is applied as "ip access-group 165 in" is the interface where the local LAN is 218.x.x.x then host 218.x.x.x will always be the source address because the "access-group in" is looking at packets from the LAN into the interface. So here is the logic that you suggested with my comments:

access-list 165 permit tcp any host 218.x.x.x eq telnet (hit when someone telnets to our server; it is "in" traffic)

- this line has any as the source and host 218.x.x.x as the destination. This would work if the access-group were "out" but will get no hits when it is "in" since the "in" access group will see the host as the source and not as the destination.

access-list 165 permit tcp host 218.x.x.x eq telnet any (will not hit; it is a return packet to someone outside, i.e. "out" traffic)

- this line would get hits if someone outside had telnetted to the host 218.x.x.x. The host 218.x.x.x will get hit because the host is the source address for an inbound access-group and source port telnet would indicate a telnet response from the local host to the remote initiator.

access-list 165 permit tcp host 218.x.x.x any eq telnet (will not hit because it is "out" traffic)

- this line would get hits if host 218.x.x.x has telnetted to somewhere else because the source address is the host and the destination port is telnet.

access-list 165 permit tcp any eq telnet host 218.x.x.x (hit when we telnet out and it is the return packet; it is "in" traffic)

- this line will get no hits because it specifies the source as any but an "in" access-group will see 218.x.x.x as the source.

HTH

Rick

New Member

Re: ACL

Hi,

I understand it. So, we need to change the ACL as follows:

interface FastEthernet1

description connect to ISP

ip address 198.x.x.x 255.255.255.252

ip access-group 165 in

interface FastEthernet0

description connect to DMZ

ip address 218.x.x.x 255.255.255.252

! return packets for when we telnet out

access-list 165 permit tcp any eq telnet 218.x.x.16 0.0.0.15

! allow inbound telnet service

access-list 165 permit tcp any host 218.x.x.90 eq telnet

Is it correct? Please advise.

Best regards

Hall of Fame Super Gold

Re: ACL

These 2 lines of the ACL will permit responses from remote hosts to which your hosts have initiated telnet and will permit outside hosts to telnet to the specific host (as your comments indicate).

I do note that there is a mismatch in masks. The access list statement of 218.x.x.16 0.0.0.15 implies a subnet mask on the interface of 255.255.255.240 but the interface config that you show has mask of 255.255.255.252. Is one or the other of these a typo mistake?

Would I be correct in assuming that there are other statements in the access-list 165?

HTH

Rick

New Member

Re: ACL

Hi,

You are right; you are smart and attentive to detail. :-)

The correct one is:

interface FastEthernet0

description connect to DMZ

ip address 218.x.x.x 255.255.255.0

Best regards

Hall of Fame Super Gold

Re: ACL

Thank you for the compliment. Years of doing router and switch configs and reading problem statements have taught me to read carefully for details.

If that is the correct address and mask on the interface then the access list should be:

access-list 165 permit tcp any eq telnet 218.x.x.0 0.0.0.255

HTH

Rick

New Member

Re: ACL

Hi,

We configured the commands on the production router. The ACL did not work until we added:

access-list 165 permit ip any 218.x.x.x 0.0.0.255

What is the function of this command? Please advise.

Best regards

Hall of Fame Super Gold

Re: ACL

This line permits any IP traffic from any source to any of the addresses in the 218.x.x network. The lines we have previously been discussing will permit telnet traffic but not anything else. You need something like this other line to permit other traffic. The fact that the lines would permit only telnet and the need for additional permit was what I was asking about in a previous post when I asked:

Would I be correct in assuming that there are other statements in the access-list 165?

If we had followed up this question we would have gotten to the need for a more general permit statement.

HTH

Rick

Hall of Fame Super Gold

Re: ACL

I also note that the 2 lines that we have been discussing:

! return packets for when we telnet out

access-list 165 permit tcp any eq telnet 218.x.x.16 0.0.0.15

! allow inbound telnet service

access-list 165 permit tcp any host 218.x.x.90 eq telnet

are more specific references but are actually redundant when the third line is put into the access list. If you removed those 2 lines from the access list and left only permit ip any 218.x.x.x 0.0.0.255 then everything would work just the same.

HTH

Rick

Hall of Fame Super Gold

Re: ACL

I am still not clear whether there are any other statements in the access list. If there is not any statement that denies anything and you are going to permit all IP traffic from any source to any address in network 218.x.x then why is there any access list here at all since that would be the behavior with no access list?

I find that it is helpful before configuring an access list to form a clear statement of the expected behavior - what is to be permitted and what is to be denied. I find that this is very helpful in determining what statements to configure and in what order the statements should come. If we had formed such a statement (at least based on what we know so far) the statement would have been that the expected behavior is to permit traffic from any source to any address in 218.x.x. And in fact that behavior would be achieved with no access list at all.

If that is not really the expected behavior then you need to share some additional information about the environment and what the expected behavior is.

HTH

Rick

New Member

Re: ACL

Yes, there are a lot of statements in this ACL. Could I have your email address so that we can send it all to you for reference?

If the ACL is

access-list 165 permit tcp any eq telnet 218.x.x.16 0.0.0.15

access-list 165 permit tcp any host 218.x.x.90 eq telnet

access-list 165 permit ip any 218.x.x.16 0.0.0.15

access-list 165 permit ip any host 218.x.x.90

Does it allow the telnet service only? Other services (e.g. ssh, smtp, ...) will be denied by the ACL's last statement "deny any any". Is that right?

Actually, we would like to allow the telnet service only. Other services to one particular server will be denied.

To make it simple, if we only allow telnet in, there is one statement, as follows:

access-list 165 permit tcp any host 218.x.x.90 eq telnet

It is NOT necessary to put:

access-list 165 permit ip any host 218.x.x.90

Is it right?

If so, we need to double check the ACL again. Anyway, thanks for your guidance.

Best regards

Hall of Fame Super Gold

Re: ACL

If you wish to send something through email to me, my email address is in my NetPro profile. Please note the comment in my profile that if you email something to me the subject line should indicate that it is related to NetPro. Otherwise my spam filter may not allow it through.

I am not sure that I understand well what you are asking in this post. If you have this line:

access-list 165 permit ip any 218.x.x.16 0.0.0.15

then it will permit any IP traffic to that range of destination addresses. This would include services such as ssh, smtp, etc. If you want to deny certain services, you either need to have deny statements in the ACL for those services, or you need to not have the general permit ip any.

I am also a bit confused about using 218.x.x.16 0.0.0.15 which you do in a couple of lines. This implies a subnet with 16 addresses. In other posts you have indicated that it really is a /24 and should be masked that way. Or if the 0.0.0.15 mask is what you really want then the address 218.x.x.90 is outside the address range.

Perhaps you can clarify this a bit?

HTH

Rick
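To make the direction argument earlier in the thread (which of the four 218.x.x.x entries gets hits for an "in" access-group, depending on which interface it sits on) and the later point about the general "permit ip any" concrete, here is an added Python model of first-match extended ACL evaluation with the implicit deny. It is not code from the thread or from Cisco IOS. It assumes the simplified syntax used in this discussion (protocol ip or tcp; any, host or address-plus-wildcard addresses; an optional eq port), uses RFC 5737 documentation addresses 203.0.113.90 and 203.0.113.0/24 as stand-ins for 218.x.x.90 and 218.x.x.0/24 and 198.51.100.7 for a remote host, and the packets are constructed.

```python
import ipaddress
from dataclasses import dataclass

# Constructed evaluator for the IOS-style extended ACL lines used in this thread:
#   access-list N permit|deny ip|tcp SRC [eq PORT] DST [eq PORT]
# where SRC/DST is "any", "host A.B.C.D" or "A.B.C.D WILDCARD".
# Addresses below are RFC 5737 documentation stand-ins, not the thread's real ones.
WELL_KNOWN = {"telnet": 23, "ssh": 22, "smtp": 25}
SERVER = "203.0.113.90"          # stands in for 218.x.x.90 (the LAN host)
LAN = "203.0.113.0 0.0.0.255"    # stands in for 218.x.x.0 0.0.0.255
REMOTE = "198.51.100.7"          # some host out on the Internet

@dataclass
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    proto: str = "tcp"

def _parse_addr(tok, i):
    """Return ((base, wildcard), next_index); a wildcard bit of 1 means don't care."""
    if tok[i] == "any":
        return (0, 0xFFFFFFFF), i + 1
    if tok[i] == "host":
        return (int(ipaddress.ip_address(tok[i + 1])), 0), i + 2
    return (int(ipaddress.ip_address(tok[i])),
            int(ipaddress.ip_address(tok[i + 1]))), i + 2

def _parse_port(tok, i):
    """Optional 'eq PORT' qualifier; returns (port or None, next_index)."""
    if i < len(tok) and tok[i] == "eq":
        p = tok[i + 1]
        return (WELL_KNOWN[p] if p in WELL_KNOWN else int(p)), i + 2
    return None, i

def parse_ace(line):
    tok = line.split()
    if tok[0] != "access-list" or tok[2] not in ("permit", "deny"):
        raise ValueError("not an extended ACL entry: " + line)
    src, i = _parse_addr(tok, 4)        # tok[3] is the protocol keyword
    sport, i = _parse_port(tok, i)
    dst, i = _parse_addr(tok, i)
    dport, i = _parse_port(tok, i)
    return {"action": tok[2], "proto": tok[3], "src": src, "sport": sport,
            "dst": dst, "dport": dport}

def _addr_match(spec, ip):
    base, wildcard = spec
    return ((int(ipaddress.ip_address(ip)) ^ base) & ~wildcard & 0xFFFFFFFF) == 0

def ace_matches(ace, pkt):
    return (ace["proto"] in ("ip", pkt.proto)
            and _addr_match(ace["src"], pkt.src) and _addr_match(ace["dst"], pkt.dst)
            and ace["sport"] in (None, pkt.sport) and ace["dport"] in (None, pkt.dport))

def evaluate(acl, pkt):
    """First match wins. Returns (action, 1-based entry number); ('deny', None)
    means the packet fell through to the implicit 'deny ip any any'."""
    for n, line in enumerate(acl, 1):
        ace = parse_ace(line)
        if ace_matches(ace, pkt):
            return ace["action"], n
    return "deny", None

# The four entries debated in the thread, with SERVER in place of 218.x.x.x.
FOUR_LINES = [
    f"access-list 165 permit tcp any host {SERVER} eq telnet",
    f"access-list 165 permit tcp host {SERVER} eq telnet any",
    f"access-list 165 permit tcp host {SERVER} any eq telnet",
    f"access-list 165 permit tcp any eq telnet host {SERVER}",
]

# Constructed packets: one telnet session out from the LAN host, one in to it.
PACKETS = {
    "lan_telnets_out":     Packet(SERVER, REMOTE, 40000, 23),  # LAN -> remote, dport 23
    "reply_to_lan_client": Packet(REMOTE, SERVER, 23, 40000),  # remote -> LAN, sport 23
    "remote_telnets_in":   Packet(REMOTE, SERVER, 50000, 23),  # remote -> LAN, dport 23
    "lan_server_replies":  Packet(SERVER, REMOTE, 23, 50000),  # LAN -> remote, sport 23
}

def direction_demo(applied_on):
    """Which of FOUR_LINES each packet hits when ACL 165 is applied 'in' on the
    LAN-facing interface ('lan': only LAN-sourced packets are seen) or on the
    ISP-facing interface ('isp': only packets destined to the LAN are seen)."""
    lan_sourced = {"lan_telnets_out", "lan_server_replies"}
    seen = {k: v for k, v in PACKETS.items()
            if (k in lan_sourced) == (applied_on == "lan")}
    return {name: evaluate(FOUR_LINES, pkt)[1] for name, pkt in seen.items()}

def shadowing_demo():
    """A general 'permit ip any <LAN>' admits every service and makes the telnet
    entry redundant; without it, only telnet survives the implicit deny."""
    telnet_only = [f"access-list 165 permit tcp any host {SERVER} eq telnet"]
    with_general = telnet_only + [f"access-list 165 permit ip any {LAN}"]
    ssh_in = Packet(REMOTE, SERVER, 50001, 22)
    telnet_in = PACKETS["remote_telnets_in"]
    return {"telnet_only/telnet": evaluate(telnet_only, telnet_in),
            "telnet_only/ssh": evaluate(telnet_only, ssh_in),
            "with_general/ssh": evaluate(with_general, ssh_in),
            "general_alone/telnet": evaluate(with_general[1:], telnet_in)}
```

Calling direction_demo("lan") shows that with the access-group "in" on the LAN-facing interface only entries 2 and 3 (host as source) ever match, while direction_demo("isp") shows that on the ISP-facing interface only entries 1 and 4 (host as destination) match, which is why the same four lines were read so differently in the posts above. shadowing_demo() shows that the telnet-only entry lets a telnet connection in but drops ssh via the implicit deny, and that once the general permit ip entry is present ssh is admitted and the telnet entry no longer changes the outcome.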

New Member

Re: ACL

Hi,

I sent you an email with the full ACL. Thanks.

Best regards
