ACL doubt again. Sorry!!
Dubuku57
Member Posts: 81 ■■□□□□□□□□
in CCNA & CCENT
Hi everyone,
This is following the post "ACL - Back and Forth?"... you guys gave some valuable advice and clarifications, but I was mulling on it more and have just one more teeny doubt.
Say an ACL is applied that prevents Host B from telnetting Host F. Since the port numbers would be flipped when Host F tries to telnet B, it was said that the traffic would get through.
Okay... BUT... telnet uses the TCP protocol (with the SYN and ACK), so when Host F tries to telnet B, it wouldn't be able to receive the ACK from B, so telnet won't be able to be established from Host F to B either, right??
Sorry for being such a bug. Please, someone clarify this for me too? Thanks a million in advance...
Comments
-
Bl8ckr0uter Inactive Imported Users Posts: 5,031 ■■■■■■■■□□
Dubuku57 wrote: »Hi everyone,
This is following the post "ACL - Back and Forth?"... you guys gave some valuable advice and clarifications, but I was mulling on it more and have just one more teeny doubt.
Say an ACL is applied that prevents Host B from telnetting Host F. Since the port numbers would be flipped when Host F tries to telnet B, it was said that the traffic would get through.
Okay... BUT... telnet uses the TCP protocol (with the SYN and ACK), so when Host F tries to telnet B, it wouldn't be able to receive the ACK from B, so telnet won't be able to be established from Host F to B either, right??
Sorry for being such a bug. Please, someone clarify this for me too? Thanks a million in advance...
I think it depends on how you apply the ACL. If you apply it as outgoing on the interface, I think that you will never get the ACK because of the fact that the SYN packet would get dropped. I think if you apply it to the vty line you would not get the ACK, but the SYN would get sent. They would just be dropped by the receiving router. I could be wrong though. I will be working in my lab a little later, so I will be able to tell you very soon.
-
wastedtime Member Posts: 586 ■■■■□□□□□□
I might be going over some stuff you already know, but I think you are thinking a bit too much into it. Just remember that most clients (including telnet clients) are going to pick a random port outside of the well-known port numbers. The machine that you are telnetting to is going to be on the well-known port 23, which is what the word telnet stands for. If you put 23 there it would be the same thing, and the port at the end is just checked against the destination, not the source, of the packet.
If you applied that extended ACL to all your ports on the incoming, then yes, it would block it. If you applied it to just one port, take an example like this, where <---> is the router, FA0/0 and FA0/1 are your ports, and the ACL is applied to the incoming of FA0/0.
Host B
FA0/0<--->FA0/1
Host F
Host B telneting to Host F
SYN would be source Host B destination Host F port 23
and would be blocked at that point
Host F telneting to Host B
SYN would be source Host F on random port destination Host B port 23
That wouldn't get checked by the ACL
ACK would be source Host B on port 23 but the destination would be a random port on Host F and would NOT be blocked because it is looking for port 23 on the destination not the random port.
SYN ACK would be the same as SYN and wouldn't be checked by the router
Now if you had an ACL like this:
access-list 101 deny tcp any any eq telnet
access-list 101 permit ip any any
It would still let the traffic through.
If you applied that to both interfaces on the incoming access-group, it would block both.
Or if you applied that to in and out on one of the interfaces, it would block both. But the port at the end is just checked against the destination, not the source, of the packet.
Disclaimer:
If any of this is incoherent, I blame it on only having a couple of hours of sleep.
-
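To see the handshake argument above run end to end, here is an added Python simulation of the two-interface topology wastedtime drew. It is not code from the thread or from Cisco IOS; the host addresses, interface names and the client's ephemeral port are constructed for the example. It models what an IOS extended ACL actually is: a stateless, first-match-wins filter in which `eq telnet` at the end of an entry tests only the destination port, and applies ACL 101 at the three placements discussed in the post (inbound on FA0/0 only, inbound on both interfaces, and in plus out on FA0/0).

```python
"""Stateless extended-ACL walk-through of the thread's topology.

Added example, not code from the thread. Addresses, interface names and
the ephemeral port below are constructed for this example.

    Host B --- FA0/0 [router] FA0/1 --- Host F
"""
from dataclasses import dataclass
from typing import Optional

TELNET = 23                                   # 'eq telnet' in IOS syntax
HOST_B, HOST_F = "10.0.0.10", "10.0.1.10"     # constructed addresses


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    flags: str                                # "SYN", "SYN-ACK" or "ACK"


@dataclass(frozen=True)
class ACE:
    """One access-list entry. 'eq <port>' tests the DESTINATION port only;
    the source port is never consulted."""
    action: str                               # "permit" or "deny"
    dport: Optional[int] = None               # None = no port test ('any')

    def matches(self, pkt: Packet) -> bool:
        return self.dport is None or pkt.dport == self.dport


def acl_permits(acl: list, pkt: Packet) -> bool:
    """First matching entry wins; anything unmatched hits the implicit deny."""
    for ace in acl:
        if ace.matches(pkt):
            return ace.action == "permit"
    return False


class Router:
    """Two-interface router: a packet is checked against the ingress
    interface's inbound ACL, then the egress interface's outbound ACL."""

    def __init__(self, hosts: dict):
        self.hosts = hosts                    # host IP -> interface it sits on
        self.acls = {}                        # (interface, "in"|"out") -> ACL

    def access_group(self, iface: str, direction: str, acl: list) -> None:
        self.acls[(iface, direction)] = acl

    def forward(self, pkt: Packet) -> bool:
        ingress, egress = self.hosts[pkt.src], self.hosts[pkt.dst]
        for key in ((ingress, "in"), (egress, "out")):
            acl = self.acls.get(key)
            if acl is not None and not acl_permits(acl, pkt):
                return False
        return True


def telnet_session(router: Router, client: str, server: str,
                   ephemeral: int = 49152) -> list:
    """Push the three-way handshake through the router and return the flags
    of the segments that got through, stopping at the first drop. Only a
    full ["SYN", "SYN-ACK", "ACK"] means the telnet session comes up."""
    handshake = [
        Packet(client, server, ephemeral, TELNET, "SYN"),
        Packet(server, client, TELNET, ephemeral, "SYN-ACK"),  # ports flipped
        Packet(client, server, ephemeral, TELNET, "ACK"),
    ]
    passed = []
    for seg in handshake:
        if not router.forward(seg):
            break
        passed.append(seg.flags)
    return passed


# access-list 101 deny tcp any any eq telnet
# access-list 101 permit ip any any
ACL_101 = [ACE("deny", dport=TELNET), ACE("permit")]


def scenario(bindings: list) -> dict:
    """Apply ACL 101 at each (interface, direction) and try telnet both ways."""
    r = Router({HOST_B: "FA0/0", HOST_F: "FA0/1"})
    for iface, direction in bindings:
        r.access_group(iface, direction, ACL_101)
    return {"B->F": telnet_session(r, HOST_B, HOST_F),
            "F->B": telnet_session(r, HOST_F, HOST_B)}


def one_interface_in() -> dict:
    return scenario([("FA0/0", "in")])


def both_interfaces_in() -> dict:
    return scenario([("FA0/0", "in"), ("FA0/1", "in")])


def in_and_out_on_one() -> dict:
    return scenario([("FA0/0", "in"), ("FA0/0", "out")])


if __name__ == "__main__":
    for name, fn in [("FA0/0 in only", one_interface_in),
                     ("in on both interfaces", both_interfaces_in),
                     ("in and out on FA0/0", in_and_out_on_one)]:
        print(f"{name:24} {fn()}")
```

With ACL 101 inbound on FA0/0 only, B's SYN to F is dropped on entry and the B->F session never starts, while F's SYN enters FA0/1 unchecked, B's SYN-ACK (source port 23, destination port 49152) enters FA0/0 and is permitted because the destination port is not 23, and the final ACK passes like the SYN, so F->B comes up. Binding the same ACL inbound on both interfaces, or in and out on FA0/0, stops the SYN in both directions. The simulation also makes the practitioner's caveat visible: the filter never looks at state, so it cannot tell a reply from a fresh connection; it only ever asks where the destination port is.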
Dubuku57 Member Posts: 81 ■■□□□□□□□□
Bl8ckr0uter wrote: »I think it depends on how you apply the ACL. If you apply it as outgoing on the interface, I think that you will never get the ACK because of the fact that the SYN packet would get dropped. I think if you apply it to the vty line you would not get the ACK, but the SYN would get sent. They would just be dropped by the receiving router. I could be wrong though. I will be working in my lab a little later, so I will be able to tell you very soon.
When you say apply it onto a vty line, would the effect be the same as applying an extended ACL to the serial interface with port 23, as long as the in/out and access-class/ip access-group are correctly configured?
-
Dubuku57 Member Posts: 81 ■■□□□□□□□□
wastedtime wrote: »I might be going over some stuff you already know, but I think you are thinking a bit too much into it. Just remember that most clients (including telnet clients) are going to pick a random port outside of the well-known port numbers. The machine that you are telnetting to is going to be on the well-known port 23, which is what the word telnet stands for. If you put 23 there it would be the same thing, and the port at the end is just checked against the destination, not the source, of the packet.
If you applied that extended ACL to all your ports on the incoming, then yes, it would block it. If you applied it to just one port, take an example like this, where <---> is the router, FA0/0 and FA0/1 are your ports, and the ACL is applied to the incoming of FA0/0.
Host B
FA0/0<--->FA0/1
Host F
Host B telnetting to Host F
SYN would be source Host B destination Host F port 23
and would be blocked at that point
Host F telnetting to Host B
SYN would be source Host F on random port destination Host B port 23
That wouldn't get checked by the ACL
ACK would be source Host B on port 23 but the destination would be a random port on Host F and would NOT be blocked because it is looking for port 23 on the destination not the random port.
SYN ACK would be the same as SYN and wouldn't be checked by the router
Now if you had an ACL like this:
access-list 101 deny tcp any any eq telnet
access-list 101 permit ip any any
It would still let the traffic through.
If you applied that to both interfaces on the incoming access-group, it would block both.
Or if you applied that to in and out on one of the interfaces, it would block both. But the port at the end is just checked against the destination, not the source, of the packet.
Disclaimer:
If any of this is incoherent, I blame it on only having a couple of hours of sleep.
Knwminus, I'm not sure what you're going to check out in the lab, but I'm waiting to hear the results anyway!! =) Thanks too!
-
Dubuku57 Member Posts: 81 ■■□□□□□□□□
Hey guys,
Just wanted to let you know that I tested the ACL in Packet Tracer and yes, the applied ACL doesn't block Host F telnetting to Host B! Yay. Thanks for your help!
Till next time...
-
Bl8ckr0uter Inactive Imported Users Posts: 5,031 ■■■■■■■■□□
Thanks for the uber quick response!
Dubuku57 wrote: »When you say apply it onto a vty line, would the effect be the same as applying an extended ACL to the serial interface with port 23, as long as the in/out and access-class/ip access-group are correctly configured?
No, not the ports per se. I meant apply an ACL to the telnet lines themselves. How should I restrict access to my router?
You would not be using an extended ACL. Just a standard one.