11-17-2008 04:17 AM - edited 03-04-2019 12:21 AM
Hi. can you please check the access list below?
Cannot telnet to 10.1.1.1 from outside.
What is wrong with the access list below and what should I change on it?
Sorry, I'm a beginner.
Appreciate your help. Thanks.
permit tcp any any established
permit icmp any any
permit icmp any host 10.1.1.1 echo
permit icmp any host 10.1.1.1 echo-reply
permit icmp any host 10.1.1.1 time-exceeded
permit udp any host 10.1.1.1 range 33434 33524
11-17-2008 04:46 AM
Jayson
permit tcp any any established
this is used to allow traffic for already initiated connections to return through the router so
H1 - (fa0/0) R1 (fa0/1) S1
H1 = is a client host
S1 = a server the clients wants to connect to
R1 is a router
you have an acl 101 with "permit tcp any any established" in it and this acl is applied inbound on R1's fa0/1 interface, i.e.
int fa0/1
ip access-group 101 in
If H1 telnets to S1 the initial packet gets to S1 via R1. The acl has no effect at this time because the traffic is outbound on fa0/1 towards S1.
When S1 responds the "permit tcp any any established" line allows the return traffic back in.
But if S1 started the telnet conversation to H1 the router would deny the packet because the connection was not started by H1.
It is important to note that using the established keyword means the router is only really checking for a TCP flag in the packet header and as such it is very easy to fool and should in no way be viewed as a firewall function. I don't want to overload you with TCP flags/stateful connections but if you need more info let me know.
The permit icmp lines in order
1) allow any address to send a ping request to 10.1.1.1
2) allow any address to send a ping response to 10.1.1.1
3) allow any host to send a "time-exceeded" response to 10.1.1.1
Jon
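Jon's walk-through of the established keyword, and his point in the later reply that the fix only works when the ACL is applied inbound on the outside interface, can both be checked with a small first-match simulator. The block below is an added example for this thread, not code from the thread or from Cisco IOS. It parses the exact ACL lines quoted in the question, models only the subset of IOS syntax they use (any / host, eq, range, established, ICMP type keywords; destination-port operators only), and uses constructed addresses 192.0.2.10 for an outside host and 10.1.1.50 for an inside client.

```python
"""Model of how an IOS extended ACL evaluates packets (constructed example)."""
from dataclasses import dataclass

# The ACL quoted in the question, applied inbound on the outside interface.
ORIGINAL_ACL = [
    "permit tcp any any established",
    "permit icmp any any",
    "permit icmp any host 10.1.1.1 echo",
    "permit icmp any host 10.1.1.1 echo-reply",
    "permit icmp any host 10.1.1.1 time-exceeded",
    "permit udp any host 10.1.1.1 range 33434 33524",
]

# Jon's fix: an explicit permit for telnet (TCP/23) to the inside interface.
FIXED_ACL = ORIGINAL_ACL + ["permit tcp any host 10.1.1.1 eq 23"]


@dataclass
class Packet:
    proto: str                       # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: int = 0                   # TCP/UDP destination port
    flags: frozenset = frozenset()   # TCP flags present, e.g. {"SYN"}
    icmp_type: str = ""              # ICMP type keyword, e.g. "echo"


def _addr(tokens, i):
    """Parse 'any' or 'host A.B.C.D'; None means any address."""
    if tokens[i] == "any":
        return None, i + 1
    if tokens[i] == "host":
        return tokens[i + 1], i + 2
    raise ValueError(f"unsupported address form: {tokens[i]}")


def parse_ace(line):
    """Parse one entry of the subset used in this thread:
    permit|deny <proto> <src> <dst> [eq N | range A B | established | icmp-type]
    Only destination-port operators are modelled (a simplification)."""
    tokens = line.split()
    action, proto = tokens[0], tokens[1]
    src, i = _addr(tokens, 2)
    dst, i = _addr(tokens, i)
    ace = {"action": action, "proto": proto, "src": src, "dst": dst,
           "ports": None, "established": False, "icmp_type": None}
    while i < len(tokens):
        tok = tokens[i]
        if tok == "established":
            ace["established"] = True
            i += 1
        elif tok == "eq":
            ace["ports"] = (int(tokens[i + 1]), int(tokens[i + 1]))
            i += 2
        elif tok == "range":
            ace["ports"] = (int(tokens[i + 1]), int(tokens[i + 2]))
            i += 3
        elif proto == "icmp":
            ace["icmp_type"] = tok
            i += 1
        else:
            raise ValueError(f"unsupported keyword: {tok}")
    return ace


def matches(ace, pkt):
    if ace["proto"] != pkt.proto:
        return False
    if ace["src"] is not None and ace["src"] != pkt.src:
        return False
    if ace["dst"] is not None and ace["dst"] != pkt.dst:
        return False
    if ace["ports"] is not None:
        lo, hi = ace["ports"]
        if not lo <= pkt.dport <= hi:
            return False
    # 'established' is a header test, not a state-table lookup: it is true
    # whenever the ACK or RST bit is set, regardless of who opened the connection.
    if ace["established"] and not (pkt.flags & {"ACK", "RST"}):
        return False
    if ace["icmp_type"] is not None and ace["icmp_type"] != pkt.icmp_type:
        return False
    return True


def evaluate(acl, pkt):
    """First matching entry wins; no match falls through to the implicit deny."""
    for line in acl:
        if matches(parse_ace(line), pkt):
            return parse_ace(line)["action"], line
    return "deny", "implicit deny"


def demo():
    outside, inside_if, inside_host = "192.0.2.10", "10.1.1.1", "10.1.1.50"  # constructed
    telnet_syn = Packet("tcp", outside, inside_if, dport=23, flags=frozenset({"SYN"}))
    reply_to_h1 = Packet("tcp", outside, inside_host, dport=51000, flags=frozenset({"ACK"}))
    ack_only = Packet("tcp", outside, inside_if, dport=22, flags=frozenset({"ACK"}))
    echo = Packet("icmp", outside, inside_if, icmp_type="echo")
    return {
        "telnet_original": evaluate(ORIGINAL_ACL, telnet_syn),
        "telnet_fixed": evaluate(FIXED_ACL, telnet_syn),
        "return_traffic": evaluate(ORIGINAL_ACL, reply_to_h1),
        "ack_only_to_port_22": evaluate(ORIGINAL_ACL, ack_only),
        "echo_to_10_1_1_1": evaluate(ORIGINAL_ACL, echo),
    }


if __name__ == "__main__":
    for name, (action, line) in demo().items():
        print(f"{name:22} -> {action:6} ({line})")
```

Running it shows the three points of the thread side by side: the inbound telnet SYN to 10.1.1.1 falls through to the implicit deny until the `eq 23` line is added; the established line lets the reply to an inside-initiated connection back in, but it equally permits any TCP segment that merely has ACK or RST set, to any inside port, which is exactly why Jon says the keyword is not a firewall function; and because `permit icmp any any` sits second in the list, the three host-specific icmp entries are shadowed by it and never get a chance to match.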
11-17-2008 04:20 AM
Jayson
Could you provide a bit more detail
1) where is the access-list applied (on which interface ) and in which direction.
So when you say you cannot telnet from outside to 10.1.1.1 is 10.1.1.1 on the inside ?
If so and this acl is applied on the outside interface in an inbound direction then you will not be able to. You would need a line like
permit tcp any host 10.1.1.1 eq 23
Jon
11-17-2008 04:33 AM
hi Jon,
10.1.1.1 is the interface inside.
cannot go inside from the outside.
Will "permit tcp any host 10.1.1.1 eq 23"
be enough?
And if not so much trouble, can you please tell
me what the lines below are for?
I thought the first line could be enough to
permit telnet...
permit tcp any any established
permit icmp any host 10.1.1.1 echo
permit icmp any host 10.1.1.1 echo-reply
permit icmp any host 10.1.1.1 time-exceeded
Thanks a lot for the attention
11-17-2008 04:50 AM
Jon,
very very helpful.
thanks a lot...
Now I understand very well.
Jayson
11-17-2008 04:56 AM
Jayson
No problem, glad to have helped and thanks for the rating.
Jon
11-17-2008 04:58 AM
Jon,
by the way, the line below would resolve the
whole issue, right?
Thanks again
permit tcp any host 10.1.1.1 eq 23
11-17-2008 05:00 AM
Yes it would providing the acl is applied inbound on the outside interface.
Jon