ACL Question for you guys
billscott92787
Hey, I have a question for anyone willing to explain. This is not a homework assignment or anything. I am checking out a lab activity for extended access lists. Here is what it says:
Step 1: Create an ACL
Please start by creating an extended IP access-list that will deny telnet packets from host 192.5.5.2 to any host on network 210.93.105.0
So I applied the following:
access-list 107 deny tcp 192.5.5.2 0.0.0.0 210.93.105.0 0.0.0.255 eq telnet
access-list 107 permit ip any any
It then has me apply it on the Ethernet 0 interface (ip access-group 107 in command). This interface is the interface on the router which connects to the 192.5.5.2 network. The other network (210.93.105.0) is a remote network. I'm not understanding why you would use the "in" in ip access-group 107 in, because the question is worded to deny telnet packets from host 192.5.5.2, which is the network connected to this interface.
Wouldn't this mean that when a packet exits the network, it would reach the 210.93.105.0 network, but when that (210.93.105.0) network tries to send a packet back (using the TCP handshake) to establish the connection, it would be blocked at that point by the router? Not sure if my question makes sense; let me know if you need me to clarify anything.
Comments
hypnotoad
When the packet comes IN to the router on eth 0, the router will apply the ACL right away, and see that it matches the criteria of source, destination, and protocol (in this case), so it will drop. Therefore, it will never get forwarded to the target network, so no handshake will start -- those particular packets will never exit the router...it gets shot down by the ACL before any more processing can occur.
billscott92787
Ok, I see what you mean now. That makes sense. I appreciate your answer
Thank you very much!
Xenz
Just to toss it in there, you can save some typing by using
access-list 107 deny tcp host 192.5.5.2 210.93.105.0 0.0.0.255 eq telnet
Saves you from typing out the 0.0.0.0 and makes it a little more readable.
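To make the two points in this thread concrete (the inbound ACL is checked as soon as the packet arrives on eth0, first match wins, and everything else hits the implicit deny; and `host X` is just shorthand for `X 0.0.0.0`), here is a small Python model of Cisco extended ACL evaluation. It is an added example written for this thread, not IOS code or anything from the original posts; the `PORT_NAMES` table is an assumed subset of IOS port keywords.

```python
import ipaddress

# Constructed model of Cisco extended ACL semantics for this thread:
# first matching entry wins, and an implicit "deny" ends every ACL.
PORT_NAMES = {"telnet": 23, "ssh": 22, "www": 80}  # assumed subset of IOS keywords

def _parse_addr(tokens):
    """Consume 'any', 'host A.B.C.D', or 'A.B.C.D WILDCARD'.
    Returns (network_int, match_mask_int, remaining_tokens)."""
    if tokens[0] == "any":
        return 0, 0, tokens[1:]
    if tokens[0] == "host":
        return int(ipaddress.IPv4Address(tokens[1])), 0xFFFFFFFF, tokens[2:]
    net = int(ipaddress.IPv4Address(tokens[0]))
    wildcard = int(ipaddress.IPv4Address(tokens[1]))
    # Wildcard bit 0 = "must match", so the match mask is the inverted wildcard.
    return net, (~wildcard) & 0xFFFFFFFF, tokens[2:]

def parse_ace(line):
    """Parse 'access-list N {permit|deny} PROTO SRC DST [eq PORT]'."""
    t = line.split()
    if t[0] != "access-list":
        raise ValueError("not a numbered access-list entry: " + line)
    action, proto = t[2], t[3]
    src, src_mask, rest = _parse_addr(t[4:])
    dst, dst_mask, rest = _parse_addr(rest)
    port = None
    if rest[:1] == ["eq"]:
        port = PORT_NAMES.get(rest[1]) or int(rest[1])
    return {"action": action, "proto": proto, "src": (src, src_mask),
            "dst": (dst, dst_mask), "dport": port}

def _addr_matches(spec, addr):
    net, mask = spec
    return (int(ipaddress.IPv4Address(addr)) & mask) == (net & mask)

def evaluate(acl, proto, src, dst, dport):
    """Decide 'permit'/'deny' for one packet as the router would on ingress."""
    for ace in acl:
        if ace["proto"] not in ("ip", proto):   # 'ip' matches any protocol
            continue
        if not (_addr_matches(ace["src"], src) and _addr_matches(ace["dst"], dst)):
            continue
        if ace["dport"] is not None and ace["dport"] != dport:
            continue
        return ace["action"]                    # first match wins
    return "deny"                               # implicit deny at the end

ACL_107 = [parse_ace(line) for line in (
    "access-list 107 deny tcp host 192.5.5.2 210.93.105.0 0.0.0.255 eq telnet",
    "access-list 107 permit ip any any",
)]
```

Because the deny entry is evaluated on the inbound interface, the SYN from 192.5.5.2 is dropped before it is routed, so there is never a return packet for the router to worry about.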