TCP handshake and ACLs

misuchiru03
Level 1

Good day,

To start off, I am new to Cisco and networking and am currently taking a course.  I configured an ACL, per our assignment, to accomplish what the task was, and it worked but was not the standard ACL configuration command that the instructor said we were to use; and I don't know why it worked.  Let me describe what's going on.  Here's the configuration of the lab:

We have 12 computers.  Each computer is connected to its own 3750 and 2960.  Every pair of computers (1&2, 3&4, etc) is a "pod" which connects together to a LAN.  6 separate LANs connect together to a single 3750.  Say we give the WAN an IP address of 187.149.150.X (where X is the computer number: 1-12).

The task is to configure the ACL to allow telnet in the port range 22 - 23.  I am computer 2 and need to access computer 4, while computer 12 needs to access me at computer 2 (repeat for all computers this pattern).  I should enter the following into the console for my 3750:

permit tcp host 187.149.150.12 any range 22 23
permit tcp host 187.149.150.4 any range 22 23 established

I did not enter this.  Instead, I entered:

permit tcp host 187.149.150.12 any range 22 23
permit tcp 187.149.150.4 187.149.150.2 any range 22 23 established

When I displayed my ACL, it changed 187.149.150.4 to 0.0.0.4 so it read:

30 permit tcp 0.0.0.4 187.149.150.2 any range 22 23 telnet

My questions are: why does my ACL work?  And does this open up any problems, besides the fact that it's telnet?

From what I understand, it used the second IP address given as a wildcard and defaulted the first address to 0.0.0.4, and it now allows all TCP connections on ports 22-23 from 0.0.0.4 to 187.149.150.6 that are established by my IP address, which is why I was able to connect to 187.149.150.4 via telnet.  Is this correct?

Thanks in advance!

Accepted Solution

Peter Paluch
Cisco Employee

Hello,

When I displayed my ACL, it changed 187.149.150.4 to 0.0.0.4 so it read:

30 permit tcp 0.0.0.4 187.149.150.2 any range 22 23 telnet

You have made a mistake in your original command. Note this:

permit tcp 187.149.150.4 187.149.150.2 any range 22 23 established

The text in red is where the problem lies. The entire red part is the specification of the intended source of packets (the destination is defined as any). Recall that either the source or the destination in an extended ACL entry can be specified using one of the following three variants:

  1. host ip-address
  2. ip-address wildcard-mask
  3. any

Your syntax corresponds to the second variant with ip-address and wildcard-mask. Now, you have inadvertently entered the 187.149.150.2 as the wildcard mask. This particular number used as a wildcard mask has no sensible meaning - the switch simply considers it to be a set of binary 0s and 1s telling which bits of a packet's source IP address shall be compared to 187.149.150.4 (0s) and which bits shall be ignored (1s). Notice the coincidence: The first three octets of your wildcard mask match the octets in the source IP address, meaning they both have the same 0s and 1s in exactly the same places:

187.149.150 = 10111011.10010101.10010110

What does it now mean if the first three octets of the IP address match the first three octets of the wildcard mask? Let me write the same number again, but in the wildcard mask replace the '1' with 'i' (ignore) and '0' with 'm' (match):

Address = 10111011.10010101.10010110
W-Mask  = imiiimii.immimimi.immimiim

Note that this wildcard mask tells the device to ignore exactly those bits of the source IP address that are currently set to '1', and match those bits of the source IP that are currently set to '0'. In other words, this wildcard mask compares only those bits of a packet's source IP address where the ACL source IP address has its bits set to 0. The bits that were set to 1 are completely ignored by the wildcard mask, and in the ACL stored in the running-config, these ignored bits are cleared and thus set to 0. That is why your ACL turned to 0.0.0 in its first three octets - because the only bits being compared are the ones that were set to 0 anyway, and the other bits are ignored and cleared automatically.

It is not trivial to evaluate all possible source IP addresses that would provide a successful match on the first three octets given the address 0.0.0 and wildcard mask 187.149.150. They do not form any nice-looking sequence of numbers. However, there is an awful lot of them: Because there are in total 14 bits in the wildcard mask set to 1 and thus ignored in packets' source IP address, there are 2^14 = 16384 different addresses that would match.

The last octet in the ACL source IP is 4 and in the wildcard mask, it is 2. Writing out in binary again, this is what we get:

Address = 4 = 00000100 = 00000100
W-Mask  = 2 = 00000010 = mmmmmmim

Note now what the wildcard mask says here: It requires that in the fourth octet, all bits except the 2nd are compared and must match. So if the 2nd bit that evaluates to 2 may or may not be set (that's why it is ignored) and all other bits in the address evaluate to 4, this combination of an address and wildcard mask matches two values: 4, and 4+2=6.

With the options on the last octet, the total count of all IP addresses that would match this ACL is 32768 (2x16384).

My questions are why does my ACL work?

It's just a happy coincidence that when the wildcard mask 187.149.150.2 is applied to the incoming packet's source IP address, the only remaining bits that are matched happen to be set to 0. This ACL is not correct, and it only happens to work in your particular case with your particular IPs.

And does this open any problems up, besides the fact that it's telnet?

Yes - it does not do what you think it does. The address range permitted by this wildcard mask is completely screwed. Just think of this sequence of IP addresses (a very small snippet of the entire set):

0.0.0.4
0.0.0.6
0.0.2.4
0.0.2.6
0.0.4.4
0.0.4.6
0.0.6.4
0.0.6.6
0.0.16.4
0.0.16.6
0.0.18.4
0.0.18.6
0.0.20.4
0.0.20.6
0.0.22.4
0.0.22.6
0.0.128.4
0.0.128.6
0.0.130.4
0.0.130.6
...

187.149.128.4
187.149.128.6
187.149.130.4
187.149.130.6
187.149.132.4
187.149.132.6
187.149.134.4
187.149.134.6
187.149.144.4
187.149.144.6
187.149.146.4
187.149.146.6
187.149.148.4
187.149.148.6
187.149.150.4
187.149.150.6

(Produced by a small program in C I've written that went through all 2^32 possible IP addresses and tested whether combining them with the wildcard mask of 187.149.150.2 produced the result 0.0.0.4.)

now it allows all TCP connections on ports 22-23 from 0.0.0.4 to 187.149.150.6

Not just from 0.0.0.4 but from a set of 32768 addresses whose small snippet is shown above.

Feel welcome to ask further!

Best regards,
Peter
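As an added example (not code from this thread and not Peter's C program), here is a Python model of what the switch does with an address/wildcard pair: it clears the ignored bits the way the running-config shows, tests a packet's address against the entry, counts the matching set, and enumerates the matching addresses without walking all 2^32 of them. It also parses the three endpoint forms Peter lists (host A, A WILDCARD, any) so you can see why `187.149.150.4 187.149.150.2` is read as address plus wildcard. The function names are my own; the parser covers only the ACE shapes that appear in this thread (action, protocol, two endpoints with optional eq/neq/gt/lt/range port operators, trailing keywords such as established), and `ace_matches` checks addresses only, not ports or the established flag.

```python
# Added example (not code from the thread and not Peter's C program): model
# how IOS applies a wildcard mask, show why the ACE is stored as 0.0.0.4, and
# enumerate the matching source addresses.  Function names are my own.
import ipaddress


def ip_to_int(dotted):
    return int(ipaddress.IPv4Address(dotted))


def int_to_ip(value):
    return str(ipaddress.IPv4Address(value & 0xFFFFFFFF))


def normalize(address, wildcard):
    """IOS stores address AND NOT wildcard: every bit the mask ignores (a 1 bit)
    is cleared.  187.149.150.4 with wildcard 187.149.150.2 becomes 0.0.0.4."""
    return int_to_ip(ip_to_int(address) & ~ip_to_int(wildcard))


def matches(packet_ip, address, wildcard):
    """A packet matches when every bit the wildcard compares (a 0 bit) is equal."""
    care = ~ip_to_int(wildcard) & 0xFFFFFFFF
    return (ip_to_int(packet_ip) & care) == (ip_to_int(address) & care)


def match_count(wildcard):
    """Each 1 bit in the wildcard doubles the matching set: 2 ** popcount."""
    return 1 << bin(ip_to_int(wildcard)).count("1")


def is_contiguous_wildcard(wildcard):
    """True when the 1 bits form a contiguous run from the low end (0.0.0.255,
    0.0.3.255, ...), i.e. the mask describes a subnet.  187.149.150.2 does not;
    a non-contiguous wildcard in a config is almost always a typo."""
    w = ip_to_int(wildcard)
    return w & (w + 1) == 0


def enumerate_matches(address, wildcard, limit=None):
    """Matching addresses in ascending order, produced by varying only the
    ignored bits (no need to walk all 2**32 addresses)."""
    base = ip_to_int(address) & ~ip_to_int(wildcard)
    free_bits = [b for b in range(32) if (ip_to_int(wildcard) >> b) & 1]
    result = []
    for k in range(1 << len(free_bits)):
        value = base
        for j, bit in enumerate(free_bits):  # bit j of k lands on the j-th ignored bit
            if (k >> j) & 1:
                value |= 1 << bit
        result.append(int_to_ip(value))
        if limit is not None and len(result) >= limit:
            break
    return result


# Minimal parser for the extended-ACE shapes seen in this thread:
#   permit|deny tcp <endpoint> [ports] <endpoint> [ports] [established ...]
PORT_OPERATORS = {"eq": 1, "neq": 1, "gt": 1, "lt": 1, "range": 2}  # operator -> operand count


def parse_endpoint(tokens, i):
    """One endpoint in any of the three IOS forms: 'host A', 'A WILDCARD', 'any'.
    Returns (address, wildcard, index of the next unparsed token)."""
    if tokens[i] == "any":
        return "0.0.0.0", "255.255.255.255", i + 1
    if tokens[i] == "host":
        return tokens[i + 1], "0.0.0.0", i + 2
    return tokens[i], tokens[i + 1], i + 2  # two bare addresses are always address + wildcard


def parse_port_spec(tokens, i):
    if i < len(tokens) and tokens[i] in PORT_OPERATORS:
        n = 1 + PORT_OPERATORS[tokens[i]]
        return tokens[i:i + n], i + n
    return [], i


def parse_ace(line):
    tokens = line.split()
    src, src_wc, i = parse_endpoint(tokens, 2)
    src_ports, i = parse_port_spec(tokens, i)
    dst, dst_wc, i = parse_endpoint(tokens, i)
    dst_ports, i = parse_port_spec(tokens, i)
    return {"action": tokens[0], "proto": tokens[1],
            "src": normalize(src, src_wc), "src_wc": src_wc, "src_ports": src_ports,
            "dst": normalize(dst, dst_wc), "dst_wc": dst_wc, "dst_ports": dst_ports,
            "options": tokens[i:]}


def render_endpoint(address, wildcard):
    if wildcard == "255.255.255.255":
        return "any"
    if wildcard == "0.0.0.0":
        return "host " + address
    return address + " " + wildcard


def render_ace(ace):
    """The entry as 'show access-lists' would print it (sequence number omitted)."""
    return " ".join([ace["action"], ace["proto"], render_endpoint(ace["src"], ace["src_wc"]),
                     *ace["src_ports"], render_endpoint(ace["dst"], ace["dst_wc"]),
                     *ace["dst_ports"], *ace["options"]])


def ace_matches(ace, src_ip, dst_ip):
    """Address test only; ports and the established flag are not evaluated here."""
    return (matches(src_ip, ace["src"], ace["src_wc"])
            and matches(dst_ip, ace["dst"], ace["dst_wc"]))


if __name__ == "__main__":
    typo = parse_ace("permit tcp 187.149.150.4 187.149.150.2 any range 22 23 established")
    intended = parse_ace("permit tcp host 187.149.150.4 any range 22 23 established")
    print(render_ace(typo))  # permit tcp 0.0.0.4 187.149.150.2 any range 22 23 established
    print(match_count("187.149.150.2"), is_contiguous_wildcard("187.149.150.2"))  # 32768 False
    print(enumerate_matches("187.149.150.4", "187.149.150.2", limit=8))
    for ip in ("187.149.150.4", "187.149.150.6", "0.0.130.6", "187.149.150.5"):
        print(ip, ace_matches(typo, ip, "187.149.150.2"), ace_matches(intended, ip, "187.149.150.2"))
```

The `is_contiguous_wildcard` check is the practical takeaway: before committing an ACE, confirm that the wildcard's 1 bits run contiguously from the low end (0.0.0.255, 0.0.3.255, and so on). A wildcard that fails that test, as 187.149.150.2 does, almost never expresses the range you meant, and `match_count` tells you how many addresses you have just permitted.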


misuchiru03
Level 1

Thank you, Peter.  After the correct answer was provided to me during the class, it made more sense than my initial thought, but I was still clueless as to why mine worked.  As you let me know, that is the other thing that came to mind: basically allowing every IP address up to 187.149.150.6 that had the 2 and/or the 4 bit turned on in the last octet to utilize TCP.

I now have more understanding of this subject and really appreciate the knowledge.  One step closer to better creating my network.
