Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
568
Views
0
Helpful
6
Replies

Access List Question

Go to solution
Andrewcpp
Level 1
Level 1

‎12-16-2023 02:31 PM - edited ‎12-16-2023 02:34 PM

Hello folks,

I have a quick question for you that is keep circling my mind. So the task is basic: permit telnet from a subnet and deny everything else. The solution is also simple: "#access-list 101 10 permit tcp any any eq 23 log" & "#access-list 101 20 deny ip any any log". Everything works well so far. The question I have is: why this command works, and the following one does not: "access-list 101 permit 23 24.17.2.0 0.0.0.15 any".

 

PS: Tested from the same router. First works, second nop.

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
M02@rt37
VIP
VIP
In response to Andrewcpp

‎12-16-2023 02:49 PM

@Andrewcpp 

On this command you provide : access-list 101 permit 23 24.17.2.0 0.0.0.15 any

There is no sequence number...

On which equipement you configure these ACL ?

Best regards
.ı|ı.ı|ı. If This Helps, Please Rate .ı|ı.ı|ı.

View solution in original post

0 Helpful
6 Replies 6

Go to solution
M02@rt37
VIP
VIP

‎12-16-2023 02:36 PM

Hello @Andrewcpp 

The command access-list 101 permit tcp any any eq 23 log is specifying a rule to permit TCP traffic from any source to any destination with a destination port equal to 23 and logging the matches. The subsequent rule access-list 101 deny ip any any log denies any other IP traffic.

On the other hand, the command access-list 101 permit 23 24.17.2.0 0.0.0.15 any seems to have a syntax issue...

Best regards
.ı|ı.ı|ı. If This Helps, Please Rate .ı|ı.ı|ı.
0 Helpful

Go to solution
Andrewcpp
Level 1
Level 1

‎12-16-2023 02:41 PM

Well, that is what I initially thought, but doesn't have any syntax issues

For example, the following command, just for explanation: "access-list 199 10 permit 23 any any" is basically creating an access-list number 199, with a squence of 10, permiting traffic with a protocol IP equal to 23 from any source to any destination. This is what I don't understand.

If someone else could explain me, that would pe great.

 

 

0 Helpful

Go to solution
M02@rt37
VIP
VIP
In response to Andrewcpp

‎12-16-2023 02:49 PM

@Andrewcpp 

On this command you provide : access-list 101 permit 23 24.17.2.0 0.0.0.15 any

There is no sequence number...

On which equipement you configure these ACL ?

Best regards
.ı|ı.ı|ı. If This Helps, Please Rate .ı|ı.ı|ı.
0 Helpful

Go to solution
MHM Cisco World
VIP
VIP
In response to Andrewcpp

‎12-16-2023 03:28 PM

protocol IP equal to 23 <- this wrong 

The protocols are 

IP

TCP

UDP

There is nothing called protocol 23

I suspect that router accept this command.

MHM

0 Helpful

Go to solution
Giuseppe Larosa
Hall of Fame
Hall of Fame
In response to Andrewcpp

‎03-24-2024 09:12 AM - edited ‎03-24-2024 09:14 AM

Hello @Andrewcpp ,

you would need  a statement that uses TCP as protocol and destination port 23

permit tcp  24.17.2.0 0.0.0.15 any eq 23

TCP is protocol 6 , UDP is 17.

even if protocol 23  exists is not what you need and this why your second ACL does not work

see

https://en.wikipedia.org/wiki/List_of_IP_protocol_numbers

protocol 23 is not TCP is:

0x17 23 TRUNK-1 Trunk-1

Hope to help

Giuseppe

 

0 Helpful

Go to solution
Joseph W. Doherty
Hall of Fame
Hall of Fame

‎03-24-2024 03:46 PM

It would be helpful in you also describe the ACL's interface's "position" relative to conservations, whether it's in or out ACL and where your subnet is located.

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card