topic Access list direction control in Network Security https://community.cisco.com/t5/network-security/access-list-direction-control/m-p/1027770#M937954 <P>Hi,</P><P>We have two unix servers</P><P>Servers A : 10.10.10.2/ 24</P><P>Servers B : 192.168.1.2 /24 </P><P>connected to routers Fa0/0 and Fa 0/1 interfaces respectively.</P><P>We have configured following access list</P><P>access-list 101 deny 10.10.10.2 0.0.0.0 192.168.1.2 0.0.0.0 eq telnet</P><P>permit any any</P><P>and applied as </P><P>#inf fa0/0</P><P>( config-if)#ip access-group 101 in</P><P>This will deny telnet access initiated from 10.10.10.2 to server 192.168.1.2 as source , destinatio and target port numbers are matching. </P><P>What will happen if reverse telnet connection is initiated , that is telnet is initiated by 192.168.1.2 to 10.10.10.2 ?</P><P>Will it be denied by our access list ?</P><P>As packet returning back to 192.168.1.2 will match the ip address but I think target port will be diferent and not 23 ) so connection shoud be established.</P><P>Please share.</P><P>Thanks in advance.</P><P>Subodh</P><P></P> Mon, 11 Mar 2019 12:43:13 GMT bapatsubodh 2019-03-11T12:43:13Z Access list direction control https://community.cisco.com/t5/network-security/access-list-direction-control/m-p/1027770#M937954 <P>Hi,</P><P>We have two unix servers</P><P>Servers A : 10.10.10.2/ 24</P><P>Servers B : 192.168.1.2 /24 </P><P>connected to routers Fa0/0 and Fa 0/1 interfaces respectively.</P><P>We have configured following access list</P><P>access-list 101 deny 10.10.10.2 0.0.0.0 192.168.1.2 0.0.0.0 eq telnet</P><P>permit any any</P><P>and applied as </P><P>#inf fa0/0</P><P>( config-if)#ip access-group 101 in</P><P>This will deny telnet access initiated from 10.10.10.2 to server 192.168.1.2 as source , destinatio and target port numbers are matching. </P><P>What will happen if reverse telnet connection is initiated , that is telnet is initiated by 192.168.1.2 to 10.10.10.2 ?</P><P>Will it be denied by our access list ?</P><P>As packet returning back to 192.168.1.2 will match the ip address but I think target port will be diferent and not 23 ) so connection shoud be established.</P><P>Please share.</P><P>Thanks in advance.</P><P>Subodh</P><P></P> Mon, 11 Mar 2019 12:43:13 GMT https://community.cisco.com/t5/network-security/access-list-direction-control/m-p/1027770#M937954 bapatsubodh 2019-03-11T12:43:13Z Re: Access list direction control https://community.cisco.com/t5/network-security/access-list-direction-control/m-p/1027771#M937958 <HTML><HEAD></HEAD><BODY><P>Subodh</P><P></P><P>I think your access-list should read </P><P></P><P>access-list 101 deny tcp 10.10.10.2 0.0.0.0 192.168.1.2 0.0.0.0 eq telnet (note the "tcp" keyword).</P><P></P><P>Anyway you are correct in what you say. The target port on the return traffic to 192.168.1.2 would not be 23 but a port number above 1024. So your access-list 101 would not block the traffic.</P><P></P><P>Jon</P></BODY></HTML> Mon, 12 May 2008 05:29:25 GMT https://community.cisco.com/t5/network-security/access-list-direction-control/m-p/1027771#M937958 Jon Marshall 2008-05-12T05:29:25Z