12-16-2023 02:31 PM - edited 12-16-2023 02:34 PM
Hello folks,
I have a quick question for you that keeps circling my mind. So the task is basic: permit telnet from a subnet and deny everything else. The solution is also simple: "#access-list 101 10 permit tcp any any eq 23 log" & "#access-list 101 20 deny ip any any log". Everything works well so far. The question I have is: why does this command work, while the following one does not: "access-list 101 permit 23 24.17.2.0 0.0.0.15 any"?
PS: Tested from the same router. The first works, the second does not.
12-16-2023 02:49 PM
On this command you provided: access-list 101 permit 23 24.17.2.0 0.0.0.15 any
There is no sequence number...
On which equipment do you configure these ACLs?
12-16-2023 02:36 PM
Hello @Andrewcpp
The command access-list 101 permit tcp any any eq 23 log is specifying a rule to permit TCP traffic from any source to any destination with a destination port equal to 23 and logging the matches. The subsequent rule access-list 101 deny ip any any log denies any other IP traffic.
On the other hand, the command access-list 101 permit 23 24.17.2.0 0.0.0.15 any seems to have a syntax issue...
12-16-2023 02:41 PM
Well, that is what I initially thought, but it doesn't have any syntax issues.
For example, the following command, just for explanation: "access-list 199 10 permit 23 any any" is basically creating an access-list number 199, with a sequence of 10, permitting traffic with an IP protocol equal to 23 from any source to any destination. This is what I don't understand.
If someone else could explain it to me, that would be great.
12-16-2023 03:28 PM
protocol IP equal to 23 <- this is wrong
The protocols are
IP
TCP
UDP
There is nothing called protocol 23
I suspect that the router accepts this command.
MHM
03-24-2024 09:12 AM - edited 03-24-2024 09:14 AM
Hello @Andrewcpp ,
you would need a statement that uses TCP as protocol and destination port 23
permit tcp 24.17.2.0 0.0.0.15 any eq 23
TCP is protocol 6 , UDP is 17.
Even if protocol 23 exists, it is not what you need, and this is why your second ACL does not work.
see
https://en.wikipedia.org/wiki/List_of_IP_protocol_numbers
Protocol 23 is not TCP; it is:
0x17 | 23 | TRUNK-1 | Trunk-1 |
Hope to help
Giuseppe
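To make the protocol-number point concrete, here is an added example (my own, not from the thread): a small Python parser for the numbered extended ACE grammar used above that reports how the protocol token is read, so `permit 23 ...` shows up as IP protocol 23 (TRUNK-1) rather than TCP port 23. The lookup tables are a constructed subset of the IANA list; source-port operators are not handled.

```python
# Constructed lookup tables: only the numbers this thread needs (see the IANA list for the rest).
PROTO_BY_NAME = {"ip": None, "icmp": 1, "tcp": 6, "udp": 17}   # None = any IP protocol
NAME_BY_PROTO = {1: "ICMP", 6: "TCP", 17: "UDP", 23: "TRUNK-1"}
TELNET_PORT = 23


def parse_ace(line):
    """Parse one numbered extended ACE:
    access-list <acl> [<seq>] permit|deny <proto> <src> <dst> [eq <dport>] [log]
    <src>/<dst> are 'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD'. Returns a dict."""
    tok = line.strip().lstrip("#").split()
    if len(tok) < 6 or tok[0] != "access-list":
        raise ValueError(f"not an access-list line: {line!r}")
    ace = {"acl": tok[1], "seq": None}
    i = 2
    if tok[i].isdigit():                       # optional sequence number
        ace["seq"] = int(tok[i]); i += 1
    ace["action"] = tok[i]; i += 1
    p = tok[i].lower(); i += 1
    if p in PROTO_BY_NAME:
        ace["proto"] = PROTO_BY_NAME[p]
    elif p.isdigit() and 0 <= int(p) <= 255:
        ace["proto"] = int(p)                  # a bare number is an IP protocol number, not a port
    else:
        raise ValueError(f"unknown protocol token {p!r}")

    def addr():                                # consume one address specification
        nonlocal i
        if tok[i] == "any":
            i += 1; return "any"
        if tok[i] == "host":
            i += 2; return f"host {tok[i - 1]}"
        i += 2; return f"{tok[i - 2]} {tok[i - 1]}"

    ace["src"] = addr(); ace["dst"] = addr()
    ace["dport"] = None
    if i < len(tok) and tok[i] == "eq":        # port operators exist only for tcp/udp
        if ace["proto"] not in (6, 17):
            raise ValueError("'eq <port>' is only valid with tcp or udp")
        ace["dport"] = int(tok[i + 1]); i += 2
    ace["log"] = i < len(tok) and tok[i] == "log"
    return ace


def describe(ace):
    """Human-readable meaning of the protocol/port part of an ACE."""
    if ace["proto"] is None:
        what = "any IP protocol"
    else:
        what = f"IP protocol {ace['proto']} ({NAME_BY_PROTO.get(ace['proto'], 'other')})"
    if ace["dport"] is not None:
        what += f" to destination port {ace['dport']}"
    return f"{ace['action']} {what} from {ace['src']} to {ace['dst']}"


def permits_telnet(ace):
    """True only if the ACE can match a TCP segment to destination port 23."""
    return (ace["action"] == "permit" and ace["proto"] in (None, 6)
            and ace["dport"] in (None, TELNET_PORT))
```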
03-24-2024 03:46 PM
It would be helpful if you also described the ACL interface's "position" relative to the conversations, whether it's an in or out ACL, and where your subnet is located.