08-09-2007 09:55 AM - edited 03-03-2019 06:15 PM
Hi,
I configured the ACL as follows:
access-list 165 permit tcp any eq telnet any
However, we cannot telnet. What is missing? Thanks.
Best regards
08-11-2007 11:14 AM
This line permits any IP traffic from any source to any of the addresses in the 218.x.x network. The lines we have previously been discussing will permit telnet traffic but not anything else. You need something like this other line to permit other traffic. The fact that the lines would permit only telnet and the need for additional permit was what I was asking about in a previous post when I asked:
Would I be correct in assuming that there are other statements in the access-list 165?
If we had followed up this question we would have gotten to the need for a more general permit statement.
HTH
Rick
08-11-2007 11:23 AM
I also note that the 2 lines that we have been discussing:
! return packets for our outbound telnet sessions
access-list 165 permit tcp any eq telnet 218.x.x.16 0.0.0.15
! allow inbound telnet service
access-list 165 permit tcp any host 218.x.x.90 eq telnet
are more specific references but are actually redundant when the third line is put into the access list. If you removed those 2 lines from the access list and left only permit ip any 218.x.x.x 0.0.0.255 then everything would work just the same.
HTH
Rick
08-11-2007 11:35 AM
I am still not clear whether there are any other statements in the access list. If there is not any statement that denies anything and you are going to permit all IP traffic from any source to any address in network 218.x.x then why is there any access list here at all since that would be the behavior with no access list?
I find that it is helpful before configuring an access list to form a clear statement of the expected behavior - what is to be permitted and what is to be denied. I find that this is very helpful in determining what statements to configure and in what order the statements should come. If we had formed such a statement (at least based on what we know so far) the statement would have been that the expected behavior is to permit traffic from any source to any address in 218.x.x. And in fact that behavior would be achieved with no access list at all.
If that is not really the expected behavior then you need to share some additional information about the environment and what the expected behavior is.
HTH
Rick
08-12-2007 08:17 AM
Yes, there are a lot of statements in this ACL. Could I have your email address so that we can send all of it to you for reference?
If the ACL is
access-list 165 permit tcp any eq telnet 218.x.x.16 0.0.0.15
access-list 165 permit tcp any host 218.x.x.90 eq telnet
access-list 165 permit ip any 218.x.x.16 0.0.0.15
access-list 165 permit ip any host 218.x.x.90
does it allow the telnet service only? Other services (e.g. ssh, smtp, ...) will be denied by the ACL's last statement "deny any any". Is that right?
Actually, we would like to allow telnet services only. Other services to one particular server will be denied.
To make it simple, if we only allow telnet in, it has one statement, as follows:
access-list 165 permit tcp any host 218.x.x.90 eq telnet
It is NOT necessary to put
access-list 165 permit ip any host 218.x.x.90
Is that right?
If so, we need to double check the ACL again. Anyway, thanks for your guidance.
Best regards
08-12-2007 02:51 PM
If you wish to send something through email to me, my email address is in my NetPro profile. Please note the comment in my profile that if you email something to me the subject line should indicate that it is related to NetPro. Otherwise my spam filter may not allow it through.
I am not sure that I understand well what you are asking in this post. If you have this line:
access-list 165 permit ip any 218.x.x.16 0.0.0.15
then it will permit any IP traffic to that range of destination addresses. This would include services such as ssh, smtp, etc. If you want to deny certain services, you either need to have deny statements in the ACL for those services, or you need to not have the general permit ip any.
I am also a bit confused about using 218.x.x.16 0.0.0.15 which you do in a couple of lines. This implies a subnet with 16 addresses. In other posts you have indicated that it really is a /24 and should be masked that way. Or if the 0.0.0.15 mask is what you really want then the address 218.x.x.90 is outside the address range.
Perhaps you can clarify this a bit?
HTH
Rick
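The points Rick makes in the replies above (the first matching entry decides, an unmatched packet hits the implicit deny at the end, the two telnet-specific lines become redundant once the broad "permit ip" lines are present, and a 0.0.0.15 wildcard covers only 16 addresses, so .90 falls outside it) can be checked with a small model of extended ACL evaluation. The code below is an added example written for this page; it is not from the thread and not Cisco's code. It uses the RFC 5737 documentation ranges 203.0.113.0/24 and 198.51.100.0/24 as constructed stand-ins for the redacted 218.x.x addresses, and the sample packets are constructed as well.

```python
import ipaddress

# Service names used in the thread, mapped to their TCP ports.
PORT_NAMES = {"telnet": 23, "ssh": 22, "smtp": 25}


def _port(tok):
    return PORT_NAMES[tok] if tok in PORT_NAMES else int(tok)


def _parse_addr(toks):
    """Consume 'any', 'host A' or 'A WILDCARD'; return ((addr, wildcard), rest)."""
    if not toks:
        raise ValueError("missing address")
    if toks[0] == "any":
        return (0, 0xFFFFFFFF), toks[1:]          # every bit is "don't care"
    if toks[0] == "host":
        if len(toks) < 2:
            raise ValueError("host needs an address")
        return (int(ipaddress.IPv4Address(toks[1])), 0), toks[2:]
    if len(toks) < 2:
        raise ValueError(f"address {toks[0]} needs a wildcard mask")
    addr = int(ipaddress.IPv4Address(toks[0]))
    wild = int(ipaddress.IPv4Address(toks[1]))
    return (addr, wild), toks[2:]


def _parse_port(toks):
    if toks and toks[0] == "eq":
        return _port(toks[1]), toks[2:]
    return None, toks


def parse_entry(line):
    """Parse 'access-list N permit|deny PROTO SRC [eq P] DST [eq P]' into a dict.
    Like IOS, it rejects a line that omits the protocol keyword."""
    toks = line.split()
    if len(toks) < 7 or toks[0] != "access-list" or toks[2] not in ("permit", "deny"):
        raise ValueError(f"not an extended ACL entry: {line!r}")
    proto = toks[3]
    src, rest = _parse_addr(toks[4:])
    sport, rest = _parse_port(rest)
    dst, rest = _parse_addr(rest)
    dport, rest = _parse_port(rest)
    if rest:
        raise ValueError(f"trailing tokens {rest} in {line!r}")
    if proto == "ip" and (sport is not None or dport is not None):
        raise ValueError(f"'ip' entries cannot carry port matches: {line!r}")
    return {"action": toks[2], "proto": proto, "src": src, "sport": sport,
            "dst": dst, "dport": dport, "text": line}


def covered_range(spec):
    """Lowest and highest address an (addr, wildcard) pair can match."""
    addr, wild = spec
    low = addr & ~wild & 0xFFFFFFFF
    high = addr | wild
    return str(ipaddress.IPv4Address(low)), str(ipaddress.IPv4Address(high))


def addr_matches(spec, ip):
    """Wildcard bits set to 1 are ignored; all other bits must equal the entry's address."""
    addr, wild = spec
    return ((int(ipaddress.IPv4Address(ip)) ^ addr) & ~wild & 0xFFFFFFFF) == 0


def entry_matches(entry, pkt):
    proto, src, sport, dst, dport = pkt
    if entry["proto"] != "ip" and entry["proto"] != proto:
        return False
    if not (addr_matches(entry["src"], src) and addr_matches(entry["dst"], dst)):
        return False
    if entry["sport"] is not None and entry["sport"] != sport:
        return False
    if entry["dport"] is not None and entry["dport"] != dport:
        return False
    return True


def evaluate(acl, pkt):
    """IOS semantics: the first matching entry decides; no match means the implicit deny."""
    for index, entry in enumerate(acl):
        if entry_matches(entry, pkt):
            return entry["action"], index
    return "deny", None


def decisions(acl, pkts):
    return [evaluate(acl, p)[0] for p in pkts]


# Constructed stand-in for the four-line ACL in the thread (203.0.113.0/24 replaces 218.x.x.0/24).
FULL = [parse_entry(l) for l in (
    "access-list 165 permit tcp any eq telnet 203.0.113.16 0.0.0.15",
    "access-list 165 permit tcp any host 203.0.113.90 eq telnet",
    "access-list 165 permit ip any 203.0.113.16 0.0.0.15",
    "access-list 165 permit ip any host 203.0.113.90",
)]
GENERAL_ONLY = FULL[2:]   # the two broad permits with the telnet lines removed
TELNET_ONLY = FULL[1:2]   # "allow telnet in to the server and nothing else"

# Constructed packets: (proto, src, sport, dst, dport); 198.51.100.0/24 is the outside world.
PACKETS = [
    ("tcp", "198.51.100.7", 40000, "203.0.113.90", 23),   # inbound telnet to the server
    ("tcp", "198.51.100.7", 40001, "203.0.113.90", 22),   # inbound ssh to the server
    ("tcp", "198.51.100.7", 40002, "203.0.113.90", 25),   # inbound smtp to the server
    ("udp", "198.51.100.7", 40003, "203.0.113.90", 53),   # inbound dns to the server
    ("tcp", "198.51.100.9", 23, "203.0.113.20", 51000),   # reply to an outbound telnet session
]

if __name__ == "__main__":
    print("203.0.113.16 0.0.0.15 covers", covered_range(FULL[0]["dst"]))
    for name, acl in (("full", FULL), ("general only", GENERAL_ONLY), ("telnet only", TELNET_ONLY)):
        print(f"{name:13s}", decisions(acl, PACKETS))
```

Running it shows the full ACL and the two broad lines alone reach the same verdict for every packet, which is Rick's redundancy point; the telnet-only ACL permits the first packet and drops the rest on the implicit deny, which is the behaviour the poster says is wanted; and the wildcard range ends at .31, so host .90 is not covered by 203.0.113.16 0.0.0.15.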
08-13-2007 09:20 AM
Hi,
I sent you an email with the full ACL. Thanks.
Best regards