09-02-2009 02:26 PM - edited 03-06-2019 07:33 AM
Topology:
Router-A----Router-B------Router-C
I am allowing a telnet connection to the Router-C loopback from the Router-A loopback. The telnet is successful when I test with the command telnet X.X.X.X 23 after I apply an access-group IN on Router-B.
I want to enable port 5555 as a destination on the Router-C loopback with any source port.
My config on Router-B is:
ip access-list extended test
permit tcp host X.X.X.X host X.X.X.X eq 5555
I am trying to test the connection from Router-A as:
telnet <router-C loopback> 5555
It says connection refused.
How can I confirm that my access-list is working on this port?
09-02-2009 03:25 PM
Disable ip route-cache on Router B's interfaces and debug ip detail on Router B.
You can also enable HTTP on Router C and change the default port from 80 to 5555 with the command ip http port 5555 to avoid the connection refused message. As you know, an application needs to have that port opened to accept your request.
HTH,
__
Edison
09-03-2009 01:13 PM
Hi ediortiz
I have enabled telnet from A to C:
permit tcp host 10.25.3.8 host 10.28.70.1 eq telnet
But when I try to telnet from C to A it doesn't work; I have to specify another access-list:
permit tcp host 10.25.3.8 eq telnet host 10.28.70.1
I want a proper understanding of this; can you please?
As I know, the ASA is a stateful firewall: whichever connection goes out is permitted back in, regardless of that traffic being denied on the outside interface of the ASA.
I mean to say, if telnet is blocked on the outside interface and an inside host initiates a telnet to any destination device outside, the connection is successful.
Is the behaviour of a router access-list different than an ASA access-list?
09-03-2009 04:14 PM
You need to understand the direction on the ACL and also who is providing the service.
With this example:
permit tcp host 10.25.3.8 host 10.28.70.1 eq telnet
10.25.3.8 is the telnet client and 10.28.70.1 is the telnet server.
The ACL direction must be 'in' if traffic is coming from 10.25.3.8.
__
Edison.
09-03-2009 04:29 PM
Hi,
You are correct, ediortiz.
I have enabled telnet traffic from A to C and it works fine from A with an access-list applied on B's IN interface (traffic coming from A).
2nd question:
There is no such outbound access-list on B going towards A; everything is permitted.
When I initiate a telnet connection from C to A I have to add this access-list on B's IN interface:
permit tcp host 10.25.3.8 eq telnet host 10.28.70.1
WHY??????? Without the above access-list it is unsuccessful.
09-03-2009 05:48 PM
When I initiate a telnet connection from C to A I have to add this access-list on B's IN interface:
permit tcp host 10.25.3.8 eq telnet host 10.28.70.1
WHY???????
Router A is responding to the telnet request from Router C and it is acting as a telnet server, hence you need to allow this flow in the 'in' direction on Router B.
You need to remember the implicit deny all.
__
Edison.
Please rate helpful posts
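As an added example (not part of this thread and not Cisco code), the following Python model evaluates the two telnet directions against Router-B's inbound ACL the way a stateless router does: each packet is matched on its own, so the reply Router-A sends from port 23 needs its own permit entry. It also includes a minimal stateful tracker of the kind the next post asks about, to show why a device that remembers connections does not need that second entry. The addresses are the ones posted in the thread; the rule sets, client port numbers and packets are constructed for illustration.

```python
"""Stateless vs stateful filtering of the telnet flows discussed in the thread.

Added example, not from the thread or from Cisco.  The IP addresses are the
ones the poster gave; rule sets, ports and packets are constructed.
Router-B's ACL is applied 'in' on the interface facing Router-A, so only
packets sourced from A's side are checked against it.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

ANY = None  # wildcard for an address or port in an entry

ROUTER_A = "10.25.3.8"   # Router-A loopback (from the thread)
ROUTER_C = "10.28.70.1"  # Router-C loopback (from the thread)


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


@dataclass(frozen=True)
class Ace:
    """One extended-ACL entry: permit|deny tcp host S [eq SP] host D [eq DP]."""
    action: str
    src_ip: Optional[str]
    src_port: Optional[int]
    dst_ip: Optional[str]
    dst_port: Optional[int]

    def matches(self, p: Packet) -> bool:
        fields = ((self.src_ip, p.src_ip), (self.src_port, p.src_port),
                  (self.dst_ip, p.dst_ip), (self.dst_port, p.dst_port))
        return all(want is ANY or want == have for want, have in fields)


def evaluate(acl: List[Ace], p: Packet) -> str:
    """Stateless lookup: first matching entry wins; falling off the end of the
    list is the implicit 'deny ip any any'."""
    for ace in acl:
        if ace.matches(p):
            return ace.action
    return "deny"


# permit tcp host 10.25.3.8 host 10.28.70.1 eq telnet
ACL_A_TO_C = [Ace("permit", ROUTER_A, ANY, ROUTER_C, 23)]
# ...plus the entry the poster had to add: permit tcp host 10.25.3.8 eq telnet host 10.28.70.1
ACL_BOTH = ACL_A_TO_C + [Ace("permit", ROUTER_A, 23, ROUTER_C, ANY)]


def telnet_segments(client: str, server: str, client_port: int) -> Tuple[Packet, Packet]:
    """The client's connection request and the server's reply, as two packets."""
    return (Packet(client, client_port, server, 23),
            Packet(server, 23, client, client_port))


def entering_b_from_a(*segments: Packet) -> List[Packet]:
    """Only packets sourced by Router-A enter Router-B's A-facing interface."""
    return [p for p in segments if p.src_ip == ROUTER_A]


def stateless_verdicts(acl: List[Ace]) -> Dict[str, str]:
    """What the 'in' ACL on Router-B does to each telnet direction."""
    a_to_c = telnet_segments(ROUTER_A, ROUTER_C, 40001)   # A is the client
    c_to_a = telnet_segments(ROUTER_C, ROUTER_A, 40002)   # A is the server
    return {
        "A->C request": evaluate(acl, entering_b_from_a(*a_to_c)[0]),
        "C->A reply from A": evaluate(acl, entering_b_from_a(*c_to_a)[0]),
    }


class StatefulFilter:
    """Minimal model of a stateful firewall (constructed, not an ASA emulation):
    a connection opened through the device is remembered and its return
    traffic is permitted even though the inbound ACL alone would deny it."""

    def __init__(self, inbound_acl: List[Ace]):
        self.inbound_acl = inbound_acl
        self.connections: Set[Tuple[str, int, str, int]] = set()

    def outbound(self, p: Packet) -> str:
        # Outbound (from C's side) is unfiltered in the thread's setup.
        self.connections.add((p.src_ip, p.src_port, p.dst_ip, p.dst_port))
        return "permit"

    def inbound(self, p: Packet) -> str:
        if (p.dst_ip, p.dst_port, p.src_ip, p.src_port) in self.connections:
            return "permit"           # reply to a tracked connection
        return evaluate(self.inbound_acl, p)


def stateful_verdicts() -> Dict[str, str]:
    fw = StatefulFilter(inbound_acl=[])      # nothing permitted inbound by ACL
    request, reply = telnet_segments(ROUTER_C, ROUTER_A, 40002)
    return {"C->A request": fw.outbound(request), "C->A reply from A": fw.inbound(reply)}


if __name__ == "__main__":
    print("one-way ACL:", stateless_verdicts(ACL_A_TO_C))
    print("two-way ACL:", stateless_verdicts(ACL_BOTH))
    print("stateful   :", stateful_verdicts())
```

Running the module shows the one-way ACL permitting the A-to-C request but denying A's reply to C, the two-way ACL permitting both, and the stateful tracker permitting the reply with no inbound entry at all. Note that none of this models the "connection refused" in the first post: an ACL permit only lets the packet through, and the destination still has to have a listener on that port.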
09-04-2009 02:01 AM
Hi Edison,
Is it the same behaviour on the ASA?
As I have heard that the ASA is stateful, it maintains a connection table for packets going outbound. Assume B is an ASA and on B's outside interface a deny ip any any command is executed. If I initiate a telnet connection from C to A, will the traffic be permitted or denied while returning from A?
09-04-2009 06:34 AM
I can't speak for ASA behavior. I don't work on that product line.