05-10-2010 10:15 PM - edited 03-06-2019 11:01 AM
I have 2 access-lists:
Extended IP access list 100
10 permit tcp 172.16.16.0 0.0.0.15 host 172.16.48.63 eq 22
20 permit tcp 172.16.16.0 0.0.0.15 eq telnet host 172.16.48.63
Extended IP access list 101
10 permit tcp host 172.16.48.63 eq 22 172.16.16.0 0.0.0.15
20 permit tcp host 172.16.48.63 172.16.16.0 0.0.0.15 eq telnet
applied to router LAN interfaces below:
int fa0/0
ip access-group 100 in
int fa0/1
ip access-group 101 in
Can someone explain why hosts in network 172.16.16.0 are able to SSH but not telnet to host 172.16.48.63?
Also, does it make a difference with eq [port #] at the end versus in the middle of the statement?
Thanks
Pei Wai
05-10-2010 10:23 PM
leepeiwai wrote:
I have 2 access-lists:
Extended IP access list 100
10 permit tcp 172.16.16.0 0.0.0.15 host 172.16.48.63 eq 22
20 permit tcp 172.16.16.0 0.0.0.15 eq telnet host 172.16.48.63
Extended IP access list 101
10 permit tcp host 172.16.48.63 eq 22 172.16.16.0 0.0.0.15
20 permit tcp host 172.16.48.63 172.16.16.0 0.0.0.15 eq telnet
applied to router LAN interfaces below:
int fa0/0
ip access-group 100 in
int fa0/1
ip access-group 101 in
Can someone explain why hosts in network 172.16.16.0 are able to SSH but not telnet to host 172.16.48.63?
Also, does it make a difference with eq [port #] at the end versus in the middle of the statement?
Thanks
Pei Wai
Pei
Yes it does make a difference ie.
access-list 101 permit tcp 172.16.16.0 0.0.0.15 host 172.16.18.43 eq 23 means allow any host in the 172.16.16.1 -> 14 range to connect to port 23 (telnet) on 172.16.18.43. So you are telnetting to 172.16.18.43.
access-list 101 permit tcp 172.16.16.0 0.0.0.15 eq 23 host 172.16.18.43 means allow any host in the 172.16.16.1 -> 14 range to send traffic from port 23 (telnet) to 172.16.18.43. So you are telnetting from 172.16.16.1 -> 14 to host 172.16.18.43.
So make your ACLs match, i.e. assuming 172.16.16.x hosts come in on fa0/0 and host 172.16.18.43 is reachable via the fa0/1 interface:
Extended IP access list 100
10 permit tcp 172.16.16.0 0.0.0.15 host 172.16.48.63 eq 22
20 permit tcp 172.16.16.0 0.0.0.15 host 172.16.48.63 eq telnet
Extended IP access list 101
10 permit tcp host 172.16.48.63 eq 22 172.16.16.0 0.0.0.15
20 permit tcp host 172.16.48.63 eq telnet 172.16.16.0 0.0.0.15
Jon
05-10-2010 10:39 PM
jon.marshall wrote:
access-list 101 permit tcp 172.16.16.0 0.0.0.15 host 172.16.18.43 eq 23 means allow any host in the 172.16.16.1 -> 14 range to connect to port 23 (telnet) on 172.16.18.43. So you are telnetting to 172.16.18.43.
access-list 101 permit tcp 172.16.16.0 0.0.0.15 eq 23 host 172.16.18.43 means allow any host in the 172.16.16.1 -> 14 range to send traffic from port 23 (telnet) to 172.16.18.43. So you are telnetting from 172.16.16.1 -> 14 to host 172.16.18.43.
Thanks Jon for your quick reply.
I am sorry, I do not see the difference between having eq 23 at the end and in the middle of the permit statement. They both allow the host to telnet to 172.16.18.43?
PeiWai
05-10-2010 10:43 PM
Hi,
access-list 101 permit tcp 172.16.16.0 0.0.0.15 host 172.16.18.43 eq 23
access-list 101 permit tcp 172.16.16.0 0.0.0.15 eq 23 host 172.16.18.43
On the first line the destination port is 23 and on the second line the source port is 23.
So, yes, both lines are permitting port 23 but are completely different, since one is referring to the source port of the connection and the other one to the destination port.
Federico.
05-10-2010 10:52 PM
Thanks Federico
05-10-2010 10:44 PM
leepeiwai wrote:
jon.marshall wrote:
access-list 101 permit tcp 172.16.16.0 0.0.0.15 host 172.16.18.43 eq 23 means allow any host in the 172.16.16.1 -> 14 range to connect to port 23 (telnet) on 172.16.18.43. So you are telnetting to 172.16.18.43.
access-list 101 permit tcp 172.16.16.0 0.0.0.15 eq 23 host 172.16.18.43 means allow any host in the 172.16.16.1 -> 14 range to send traffic from port 23 (telnet) to 172.16.18.43. So you are telnetting from 172.16.16.1 -> 14 to host 172.16.18.43.
Thanks Jon for your quick reply.
I am sorry, I do not see the difference between having eq 23 at the end and in the middle of the permit statement. They both allow the host to telnet to 172.16.18.43?
PeiWai
No they don't.
access-list 101 permit tcp host 1.1.1.1 host 2.2.2.2 eq 23
means host 1.1.1.1 can telnet to 2.2.2.2. So the telnet server is running on host 2.2.2.2.
src IP 1.1.1.1
src port - random port
destination IP 2.2.2.2
destination port 23 (telnet)
access-list 101 permit tcp host 1.1.1.1 eq telnet host 2.2.2.2
means host 1.1.1.1 is running the telnet server and you are allowing host 1.1.1.1 to send packets from its telnet server back to host 2.2.2.2
src IP 1.1.1.1
src port 23 (telnet)
destination IP 2.2.2.2
destination port - random port
Jon
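To make the source-port versus destination-port distinction in Jon's and Federico's replies concrete, here is a small Python model of extended-ACL matching. It is an added example, not code from this thread or from Cisco: it parses the tcp entries exactly as posted, applies first-match with the implicit deny, and checks the client's SYN against ACL 100 inbound on fa0/0 and the server's SYN/ACK against ACL 101 inbound on fa0/1, following Jon's interface assumption. The client address 172.16.16.5 and ephemeral port 51515 are constructed values, and the HARDENED_101 list that uses the IOS `established` keyword is my addition, not a configuration anyone in the thread posted.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

PORT_NAMES = {"ssh": 22, "telnet": 23}  # IOS port keywords used in this thread

def _ip(s: str) -> int:
    return int(ipaddress.IPv4Address(s))

@dataclass
class AddrSpec:
    addr: int
    wildcard: int  # Cisco wildcard: 1 bits are "don't care"; 'host X' expands to wildcard 0

    def matches(self, ip: str) -> bool:
        care = ~self.wildcard & 0xFFFFFFFF
        return _ip(ip) & care == self.addr & care

@dataclass
class Rule:
    action: str            # "permit" or "deny"
    src: AddrSpec
    sport: Optional[int]   # 'eq' between source and destination spec; None = any source port
    dst: AddrSpec
    dport: Optional[int]   # 'eq' after the destination spec; None = any destination port
    established: bool      # IOS 'established': match only segments with ACK or RST set

@dataclass
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    ack: bool  # False for the initial SYN, True for every later segment

def _parse_addr(t: List[str], i: int):
    if t[i] == "host":
        return AddrSpec(_ip(t[i + 1]), 0), i + 2
    if t[i] == "any":
        return AddrSpec(0, 0xFFFFFFFF), i + 1
    return AddrSpec(_ip(t[i]), _ip(t[i + 1])), i + 2

def _parse_port(t: List[str], i: int):
    if i < len(t) and t[i] == "eq":  # only 'eq' is modelled
        p = t[i + 1]
        return (int(p) if p.isdigit() else PORT_NAMES[p]), i + 2
    return None, i

def parse_rule(line: str) -> Rule:
    """Parse one tcp entry from 'show access-lists' ('10 permit tcp ...') or config form."""
    t = line.split()
    i = next(k for k, tok in enumerate(t) if tok in ("permit", "deny"))
    if t[i + 1] != "tcp":
        raise ValueError("only tcp entries are modelled: " + line)
    src, j = _parse_addr(t, i + 2)
    sport, j = _parse_port(t, j)
    dst, j = _parse_addr(t, j)
    dport, j = _parse_port(t, j)
    return Rule(t[i], src, sport, dst, dport, j < len(t) and t[j] == "established")

def parse_acl(*lines: str) -> List[Rule]:
    return [parse_rule(l) for l in lines]

def evaluate(acl: List[Rule], pkt: Packet) -> bool:
    """First matching entry decides; every ACL ends with an implicit deny."""
    for r in acl:
        if (r.src.matches(pkt.src) and r.dst.matches(pkt.dst)
                and (r.sport is None or r.sport == pkt.sport)
                and (r.dport is None or r.dport == pkt.dport)
                and (not r.established or pkt.ack)):
            return r.action == "permit"
    return False

def session_allowed(acl_fa0_0_in, acl_fa0_1_in, client, server, port, client_port=51515):
    """Client SYN enters fa0/0 (ACL 100 in); the server's SYN/ACK enters fa0/1 (ACL 101 in).
    Both must be permitted. 51515 stands in for the client's random ephemeral port."""
    syn = Packet(client, client_port, server, port, ack=False)
    syn_ack = Packet(server, port, client, client_port, ack=True)
    return evaluate(acl_fa0_0_in, syn) and evaluate(acl_fa0_1_in, syn_ack)

# The ACLs as posted in the question: 'eq telnet' sits on the wrong side in both.
ORIGINAL_100 = parse_acl("10 permit tcp 172.16.16.0 0.0.0.15 host 172.16.48.63 eq 22",
                         "20 permit tcp 172.16.16.0 0.0.0.15 eq telnet host 172.16.48.63")
ORIGINAL_101 = parse_acl("10 permit tcp host 172.16.48.63 eq 22 172.16.16.0 0.0.0.15",
                         "20 permit tcp host 172.16.48.63 172.16.16.0 0.0.0.15 eq telnet")
# Jon's corrected pair: destination port towards the server, source port on the way back.
FIXED_100 = parse_acl("10 permit tcp 172.16.16.0 0.0.0.15 host 172.16.48.63 eq 22",
                      "20 permit tcp 172.16.16.0 0.0.0.15 host 172.16.48.63 eq telnet")
FIXED_101 = parse_acl("10 permit tcp host 172.16.48.63 eq 22 172.16.16.0 0.0.0.15",
                      "20 permit tcp host 172.16.48.63 eq telnet 172.16.16.0 0.0.0.15")
# Tightened return ACL (added here, not from the thread): with 'established' the server can
# no longer open new connections into the client range just by sending from port 22 or 23.
HARDENED_101 = parse_acl("10 permit tcp host 172.16.48.63 eq 22 172.16.16.0 0.0.0.15 established",
                         "20 permit tcp host 172.16.48.63 eq telnet 172.16.16.0 0.0.0.15 established")

if __name__ == "__main__":
    for label, a100, a101 in (("original", ORIGINAL_100, ORIGINAL_101), ("fixed", FIXED_100, FIXED_101)):
        for svc, port in (("ssh", 22), ("telnet", 23)):
            print(label, svc, "works" if session_allowed(a100, a101, "172.16.16.5", "172.16.48.63", port) else "blocked")
    probe = Packet("172.16.48.63", 23, "172.16.16.5", 445, ack=False)  # server-initiated SYN from port 23
    print("server-initiated SYN permitted: fixed =", evaluate(FIXED_101, probe), "hardened =", evaluate(HARDENED_101, probe))
```

Running it reproduces the symptom: with the posted lists SSH works and telnet is blocked, because the telnet SYN (source port random, destination port 23) matches neither entry of ACL 100 and falls through to the implicit deny; with Jon's corrected lists both work. The probe at the end shows the caveat of keying the return rule on source port alone: a stateless router ACL cannot tell a SYN/ACK from a fresh SYN, so 172.16.48.63 could open a connection to any port on the client range simply by sending from source port 22 or 23. Adding `established` (which matches only segments with ACK or RST set) closes that hole for TCP; where that is not enough, use reflexive ACLs or a stateful firewall rather than plain extended ACLs.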
05-10-2010 10:51 PM
Got it, thanks Jon