Difficulty understanding the results of an ACL
z2y25 (Registered Users, Posts: 4) in CCNA & CCENT
Hi All,
I am trying to understand ACLs and am currently trying to open only telnet traffic between two nodes separated by a router. I have a GNS3 three-node lab environment described as follows:
HostA
10.0.10.2
connected to
RouterA interface f0/0
10.0.10.1
RouterA interface f0/1
10.0.20.1
connected to
HostB 10.0.20.2
The ACL that I am applying to f0/0 is as follows:
config t
access-list 110 permit tcp 10.0.10.0 0.0.0.255 10.0.20.0 0.0.0.255 eq 23
access-list 110 permit tcp 10.0.20.0 0.0.0.255 10.0.10.0 0.0.0.255 eq 23
access-list 110 permit icmp any any
interface f0/0
ip access-group 110 in
exit
exit
show ip access-list
Extended IP access list 110
10 permit tcp 10.0.10.0 0.0.0.255 10.0.20.0 0.0.0.255 eq telnet
20 permit tcp 10.0.20.0 0.0.0.255 10.0.10.0 0.0.0.255 eq telnet
30 permit icmp any any
The behavior that results is:
Access from 10.0.10.2 to 10.0.20.2 permitted
Access from 10.0.20.2 to 10.0.10.2 not permitted
I have tried multiple variations of the above test that I can paste with results if you like; however, I haven't identified the correct ACL to allow only telnet traffic between two hosts. I've tried using other ports with the corresponding ACL port modification.
I don't understand why the second ACL is not permitting telnet traffic from 10.0.20.2 to 10.0.10.2. I've spent many hours reading about ACLs but can't identify what I am misunderstanding.
Your assistance is greatly appreciated.
Comments
busines4u (Member, Posts: 67):
Think about the direction the traffic is going to flow. Is this traffic going to be going "in" f0/0 or "out" f0/0? Also, can you clarify what you are trying to accomplish, specifically? Also, let's see the results you have so we can see what troubleshooting steps you have taken.
z2y25 (Registered Users, Posts: 4):
The goal is really to understand ACLs; however, the goal of this test is to allow only telnet traffic in both directions between the two devices.
Some other tests I have tried are:
Test 1
config t
access-list 110 permit tcp 10.0.10.0 0.0.0.255 10.0.20.0 0.0.0.255 eq 23
access-list 110 permit ospf any any
access-list 110 permit icmp any any
interface f0/0
ip access-group 110 in
exit
exit
# Result
# Access from 10.0.10.2 to 10.0.20.2 permitted
# Access from 10.0.20.2 to 10.0.10.2 not permitted
Test 2
config t
access-list 110 permit tcp 10.0.10.0 0.0.0.255 10.0.20.0 0.0.0.255 eq 23
access-list 110 permit tcp 10.0.20.0 0.0.0.255 10.0.10.0 0.0.0.255 eq 23
access-list 110 permit ospf any any
access-list 110 permit icmp any any
interface f0/0
ip access-group 110 in
interface f0/1
ip access-group 110 in
exit
exit
# Result
# No access either direction
Test 3
config t
access-list 110 permit tcp 10.0.10.0 0.0.0.255 10.0.20.0 0.0.0.255 eq 23
access-list 110 permit tcp 10.0.20.0 0.0.0.255 10.0.10.0 0.0.0.255 eq 23
access-list 110 permit ospf any any
access-list 110 permit icmp any any
interface f0/0
ip access-group 110 in
ip access-group 110 out
interface f0/1
ip access-group 110 in
ip access-group 110 out
exit
exit
# Result
# No access either direction
mikeybinec (Member, Posts: 484):
Put it on the virtual lines instead of the interface. Also, put log at the end of the access-list line so you can see how many times that particular line was in action (sh access-list).
Cisco NetAcad Cuyamaca College
A.S. LAN Management 2010 Grossmont College
B.S. I.T. Management 2013 National University
z2y25 (Registered Users, Posts: 4):
I'm not trying to control telnet access to the router. I'm trying to control access through the router between the hosts:
"I haven't identified the correct ACL to allow only telnet traffic between two hosts."
Jon_Cisco (Member, Posts: 1,772):
Welcome to the site!
Starting small and building up, have you confirmed it works properly without the access list?
Can you paste the results here so we can see what you are seeing?
Your last response sounds like you're frustrated. Remember, every contributor is attempting to help you with a problem, even if you don't feel they were very helpful. It is not likely anyone will post the actual answer to a question; more likely we will point you to things we think are worth looking into. Remember, this site is geared towards studying, and troubleshooting is all part of the learning process.
Good Luck!
z2y25 (Registered Users, Posts: 4):
Thanks. This is a lab environment with no configuration on the router other than the IP addresses assigned. The router passes telnet and all other traffic between the two hosts with no interruption prior to applying an ACL.
The results are:
From HostA
# telent 10.0.20.2
Trying 10.0.20.2...
Connected to 10.0.20.2.
Escape character is '^]'.
Trying SRA secure login:
User (root):
From HostB
# telent 10.0.20.2
Trying 10.0.20.2...
telnet: connect to address 10.0.10.2: Operation timed out
telnet: Unable to connect to remote host
busines4u (Member, Posts: 67):
Try doing a "debug ip packet detail" on R1. This will show you what is going on. Below is the reason this is not working as you are expecting, but please try out the "debug" command I mentioned before reading below so that you can try and figure this out on your own.
The traffic is going from Host B (10.0.20.2) with a source port of a random number to a destination of Host A (10.0.10.2) with a destination port of 23. When the traffic gets to Host A, it is going to try and respond with the source now being itself (10.0.10.2) and a source port of 23, and the destination being Host B (10.0.20.2) with the destination port being the random port number that Host B chose when it set up the telnet session. Since this traffic is not permitted in your ACL (it does not match port 23), the traffic is denied, and you can see this result when you do a "show access-list 110". In the output of the show access-list command you will see a "deny ip any any" statement with X amount of matches. Once you try your telnet again and repeat the show access-list command, you can see that this X number of matches will increment.
I hope this helps you understand why you are seeing the results that you are seeing.
DCD (Member, Posts: 475):
It's not really a CCNA-level answer, but you need to use a Reflexive Access List. Your request traffic goes out on 23, but your return traffic uses a different port.
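As an added, constructed example (not code from the thread, and not Cisco IOS code), here is a small Python evaluator for the extended-ACL syntax the posts use, applied inbound on f0/0 exactly as z2y25 did. It traces both telnet directions the way busines4u's explanation describes: for the HostB-initiated session, the only packets that enter f0/0 are HostA's replies with source port 23, which match none of the "eq 23" destination-port entries and fall to the implicit deny. The CORRECTED_ACL, the packet descriptions and the ephemeral port 49152 are my assumptions, not from the thread: the corrected entry is the stateless fix implied by busines4u's analysis (permit TCP sourced from port 23 on the 10.0.10.0/24 side), while DCD's reflexive ACL is the stateful alternative that does not leave source-port-23 traffic permanently open.

```python
# Constructed example: stateless model of Cisco IOS extended-ACL evaluation
# (ordered entries, first match wins, implicit deny, per-entry hit counters).
# Covers only the "access-list N permit|deny proto src [eq p] dst [eq p]"
# shape used in the thread; it is not IOS code.
import ipaddress
from dataclasses import dataclass
from typing import Optional

PORT_NAMES = {"telnet": 23}                          # names IOS prints in show output
F00_SUBNET = ipaddress.ip_network("10.0.10.0/24")    # HostA side of RouterA (f0/0)


@dataclass
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


@dataclass
class Ace:
    seq: int
    action: str
    proto: str
    src: tuple                  # (network, wildcard)
    sport: Optional[int]        # None means "any source port"
    dst: tuple
    dport: Optional[int]
    hits: int = 0

    def matches(self, pkt: Packet) -> bool:
        if self.proto not in ("ip", pkt.proto):
            return False
        if not (_wc_match(pkt.src, *self.src) and _wc_match(pkt.dst, *self.dst)):
            return False
        if self.sport is not None and pkt.sport != self.sport:
            return False
        return self.dport is None or pkt.dport == self.dport


def _wc_match(addr, network, wildcard):
    # A wildcard bit of 1 means "don't care" for that bit of the address.
    a, n, w = (int(ipaddress.IPv4Address(x)) for x in (addr, network, wildcard))
    return (a | w) == (n | w)


def _take_addr(tokens, i):
    if tokens[i] == "any":
        return ("0.0.0.0", "255.255.255.255"), i + 1
    if tokens[i] == "host":
        return (tokens[i + 1], "0.0.0.0"), i + 2
    return (tokens[i], tokens[i + 1]), i + 2


def _take_port(tokens, i):
    # Only "eq <port>" is modelled; that is all the thread's ACLs use.
    if i < len(tokens) and tokens[i] == "eq":
        p = tokens[i + 1]
        return (PORT_NAMES[p] if p in PORT_NAMES else int(p)), i + 2
    return None, i


def parse_acl(lines):
    """Parse access-list lines into Ace objects numbered 10, 20, ... like IOS."""
    aces = []
    for n, line in enumerate(lines, start=1):
        t = line.split()
        if t[0] != "access-list":
            raise ValueError(f"not an access-list line: {line}")
        action, proto, i = t[2], t[3], 4
        src, i = _take_addr(t, i)
        sport, i = _take_port(t, i)
        dst, i = _take_addr(t, i)
        dport, i = _take_port(t, i)
        aces.append(Ace(n * 10, action, proto, src, sport, dst, dport))
    return aces


def evaluate(aces, pkt):
    """Return (sequence, action); sequence is None for the implicit deny."""
    for ace in aces:
        if ace.matches(pkt):
            ace.hits += 1
            return ace.seq, ace.action
    return None, "deny"


def telnet_through_f00_in(acl_lines, client, server, ephemeral=49152):
    """Trace a telnet handshake through 'ip access-group 110 in' on f0/0.

    Only packets entering RouterA on f0/0 (sourced from 10.0.10.0/24) are
    evaluated; f0/1 carries no ACL in the thread's first test.
    """
    aces = parse_acl(acl_lines)
    syn = Packet("tcp", client, ephemeral, server, 23)      # client -> server
    synack = Packet("tcp", server, 23, client, ephemeral)   # reply, source port 23
    verdicts = {}
    for name, pkt in (("client SYN", syn), ("server SYN-ACK", synack)):
        if ipaddress.ip_address(pkt.src) in F00_SUBNET:
            verdicts[name] = evaluate(aces, pkt)
    return verdicts


# The ACL exactly as posted in the thread, applied inbound on f0/0.
ORIGINAL_ACL = [
    "access-list 110 permit tcp 10.0.10.0 0.0.0.255 10.0.20.0 0.0.0.255 eq 23",
    "access-list 110 permit tcp 10.0.20.0 0.0.0.255 10.0.10.0 0.0.0.255 eq 23",
    "access-list 110 permit icmp any any",
]

# Assumed stateless correction (not from the thread): HostA's replies to a
# HostB-initiated session enter f0/0 with SOURCE port 23, so match on that.
CORRECTED_ACL = [
    "access-list 110 permit tcp 10.0.10.0 0.0.0.255 10.0.20.0 0.0.0.255 eq 23",
    "access-list 110 permit tcp 10.0.10.0 0.0.0.255 eq 23 10.0.20.0 0.0.0.255",
    "access-list 110 permit icmp any any",
]

if __name__ == "__main__":
    for label, acl in (("original", ORIGINAL_ACL), ("corrected", CORRECTED_ACL)):
        print(label, "HostA -> HostB:", telnet_through_f00_in(acl, "10.0.10.2", "10.0.20.2"))
        print(label, "HostB -> HostA:", telnet_through_f00_in(acl, "10.0.20.2", "10.0.10.2"))
```

Running it shows that with the posted ACL entry 20 is never consulted for a match at all (no packet sourced from 10.0.20.0/24 ever enters f0/0), and that HostA's SYN-ACK falls through to the implicit deny, which is the counter busines4u says increments on the real router. The corrected entry lets the handshake complete but is purely stateless: any TCP packet from the 10.0.10.0/24 side with source port 23 is permitted whether or not a session exists, which is the gap a reflexive ACL closes.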