06-24-2008 01:31 PM - edited 03-05-2019 11:47 PM
I have seen an extended access list entry in 2 different forms:
access-list 100 permit tcp any any eq telnet
and then like the next one with 'any' at the end of the statement
access-list 100 permit tcp any eq telnet any
Kind of curious, why the 'any' at the end of the statement.
06-24-2008 01:35 PM
Edward
They are doing 2 different things.
The first line says
allow any host using any port to connect to any host on port 23
The second line says
allow any host using port 23 to connect to any host on any port.
The first line is the more common.
Jon
06-24-2008 05:04 PM
Mate,
In furtherance of what Jon has said:
access-list 100 permit tcp any any eq telnet
The 'access-list' word defines an ACL
the '100' identifies the ACL
the 'permit' is an ACL action
the 'tcp' (in conjunction with the permit) allows tcp traffic only
the first 'any' is the source address (ie any source address, as per Jon's post)
the second 'any' is the destination address (ie any destination address, as per Jon's post)
the 'eq' (short for equals) specifies a specific destination port
the 'telnet' is the destination port
access-list 100 permit tcp any eq telnet any
The 'access-list' word defines an ACL
the '100' identifies the ACL
the 'permit' is an ACL action
the 'tcp' (in conjunction with the permit) allows tcp traffic only
the first 'any' is the source address (ie any source address, as per Jon's post)
the 'eq' (short for equals) specifies a specific SOURCE port
the 'telnet' is the SOURCE port
the second 'any' is the destination address (ie any destination address, as per Jon's post)
The following page is a good reference for common Access-lists.
http://www.cisco.com/en/US/tech/tk648/tk361/technologies_configuration_example09186a0080100548.shtml
Enjoy the ACL fun!!
Regards,
Brad
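To make the source-port versus destination-port distinction concrete, here is an added example (not code from the thread or from Cisco) that parses numbered extended ACEs with the field order Brad describes and evaluates sample packets against them. It assumes a small subset of the IOS grammar: only 'any', 'host A.B.C.D' and 'A.B.C.D WILDCARD' address forms, only the 'eq' and 'range' port operators, and a constructed port-name table; the packets and addresses are made up for the demo.

```python
"""Parse and evaluate Cisco IOS numbered extended ACL entries (added example).

Grammar covered (a subset of IOS, assumed for illustration):
    access-list <num> permit|deny <proto> <src> [eq|range ...] <dst> [eq|range ...]
A port operator placed right after the source address qualifies the SOURCE
port; one placed after the destination address qualifies the DESTINATION port.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed subset of IOS port keywords (assumption: IANA well-known ports).
PORT_NAMES = {"telnet": 23, "ssh": 22, "www": 80, "ftp": 21, "smtp": 25, "domain": 53}


def _port(tok: str) -> int:
    return PORT_NAMES[tok] if tok in PORT_NAMES else int(tok)


@dataclass
class Ace:
    action: str
    proto: str
    src_net: int
    src_mask: int                       # bits that must match (inverse of wildcard)
    src_ports: Optional[Tuple[int, int]]
    dst_net: int
    dst_mask: int
    dst_ports: Optional[Tuple[int, int]]


def _parse_addr(t: List[str], i: int) -> Tuple[int, int, int]:
    """Consume an address spec at t[i]; return (net, mask, next_index)."""
    if t[i] == "any":
        return 0, 0, i + 1
    if t[i] == "host":
        return int(ipaddress.IPv4Address(t[i + 1])), 0xFFFFFFFF, i + 2
    net = int(ipaddress.IPv4Address(t[i]))
    wildcard = int(ipaddress.IPv4Address(t[i + 1]))   # IOS wildcard: 1 bits = don't care
    mask = (~wildcard) & 0xFFFFFFFF
    return net & mask, mask, i + 2


def _parse_ports(t: List[str], i: int) -> Tuple[Optional[Tuple[int, int]], int]:
    """Consume an optional port operator that directly follows an address spec."""
    if i < len(t) and t[i] == "eq":
        p = _port(t[i + 1])
        return (p, p), i + 2
    if i < len(t) and t[i] == "range":
        return (_port(t[i + 1]), _port(t[i + 2])), i + 3
    return None, i


def parse_ace(line: str) -> Ace:
    t = line.split()
    if t[0] != "access-list" or t[2] not in ("permit", "deny"):
        raise ValueError(f"not an extended ACE: {line!r}")
    action, proto = t[2], t[3]
    src_net, src_mask, i = _parse_addr(t, 4)
    src_ports, i = _parse_ports(t, i)        # operator here -> SOURCE port
    dst_net, dst_mask, i = _parse_addr(t, i)
    dst_ports, i = _parse_ports(t, i)        # operator here -> DESTINATION port
    if i != len(t):
        raise ValueError(f"unparsed trailing tokens in {line!r}: {t[i:]}")
    return Ace(action, proto, src_net, src_mask, src_ports, dst_net, dst_mask, dst_ports)


def _in(ports: Optional[Tuple[int, int]], value: int) -> bool:
    return ports is None or ports[0] <= value <= ports[1]


def ace_matches(ace: Ace, proto: str, src: str, sport: int, dst: str, dport: int) -> bool:
    if ace.proto not in ("ip", proto):      # 'ip' matches every protocol
        return False
    s = int(ipaddress.IPv4Address(src))
    d = int(ipaddress.IPv4Address(dst))
    return ((s & ace.src_mask) == ace.src_net and (d & ace.dst_mask) == ace.dst_net
            and _in(ace.src_ports, sport) and _in(ace.dst_ports, dport))


def evaluate(acl: List[str], proto: str, src: str, sport: int, dst: str, dport: int) -> str:
    """First matching ACE wins; every IOS ACL ends with an implicit 'deny'."""
    for line in acl:
        if ace_matches(parse_ace(line), proto, src, sport, dst, dport):
            return parse_ace(line).action
    return "deny"


# The two ACEs from the thread.
TO_SERVER = "access-list 100 permit tcp any any eq telnet"      # client -> server
FROM_SERVER = "access-list 100 permit tcp any eq telnet any"    # server -> client

if __name__ == "__main__":
    # Constructed packets: a client at 10.0.0.5 talking to a telnet server at 192.0.2.10.
    fwd = ("tcp", "10.0.0.5", 51234, "192.0.2.10", 23)   # client's SYN to port 23
    rev = ("tcp", "192.0.2.10", 23, "10.0.0.5", 51234)   # server's reply from port 23
    for name, acl in (("any any eq telnet", [TO_SERVER]), ("any eq telnet any", [FROM_SERVER])):
        print(f"{name:20} client->server: {evaluate(acl, *fwd):6} server->client: {evaluate(acl, *rev)}")
```

Run as a script it shows the first ACE permitting only the client-to-server direction and the second only the return traffic. Keywords such as 'established' and 'log' are not handled here; on a real interface you would also keep in mind that the ACE matching a source port of 23 permits anything that merely sources from port 23, which is why the first form is the one usually wanted.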
06-24-2008 07:54 PM
Brad
I believe that this is a good explanation and approaches the question in much the same way that I was thinking when I read the original post.
I believe that it is especially important to emphasize that the placement of eq telnet determines whether telnet is the source port (implying that this is traffic from the telnet server going back to the telnet client) or is the destination port (implying that this is traffic from the telnet client to the telnet server).
I rated your post as it deserved.
HTH
Rick
06-24-2008 09:32 PM
Thanks Rick..
I've been watching the netpro site for a bit and have seen your posts. I respect you and am proud to get such nice feedback from you. Thanks.
I see you're now a gold star.. well done and congrats.. lots of hard work went into that no doubt!
Speak to you round the traps.
Brad
06-25-2008 01:17 AM
"I believe that it is especially important to emphasize that the placement of eq telnet determines whether telnet is the source port (implying that this is traffic from the telnet server going back to the telnet client) or is the destination port (implying that this is traffic from the telnet client to the telnet server). "
Hmmm, i thought that was what i did :-)
Brad, agree with Rick, excellent explanation, rated.
Jon
06-25-2008 03:00 AM
Jon
While I agree with everything that you said, I felt that in your post the distinction between source port and destination port was implicit and Brad made it explicit. Trying to put myself into the position of the original poster who did not understand the functionality, I thought that making it explicit was a good thing.
HTH
Rick
06-25-2008 03:03 AM
Rick
No problem, it was said as much in jest as anything.
Jon