More on Access Lists

I've seen some "practice" test questions out there relating to applying an access list on a router to prevent various types of access---telnet, ftp---to all networks attached to a particular router. Here's the text of what they consider to be the right answer:

Cisco1>en
Password: cisco
Cisco1#show access-lists
Cisco1#config t
Enter configuration commands, one per line. End with END.

Cisco1(config)#access-list 101 deny tcp any 192.168.32.1 0.0.0.0 eq 23

Cisco1(config)#access-list 101 deny tcp any 192.168.63.1 0.0.0.0 eq 23

Now, I don't think the wildcard mask is correct. Note that its set to match all the bits for the IP addresses of the 2 router interfaces. This seems to me that you're just blocking access to those ports, but what about other devices on the network with addresses other than for example 192.168.63.1? If you had 192.168.63.2 or .3 or .4 you'd still have access through the router, right? So the correct wildcard mask should be 0.0.0.255?

I tested this setup on my router simulator and this is exactly what I got. Can someone else provide a second opinion and tell me what's right or wrong here? Thanks!

Find more posts tagged with

Save $250 on 2025 certification boot camps from Infosec!

Book now with code EOY2025

Button

Comments

forbesl

tech77 wrote:

I've seen some "practice" test questions out there relating to applying an access list on a router to prevent various types of access---telnet, ftp---to all networks attached to a particular router. Here's the text of what they consider to be the right answer:

Cisco1>en
Password: cisco
Cisco1#show access-lists
Cisco1#config t
Enter configuration commands, one per line. End with END.

Cisco1(config)#access-list 101 deny tcp any 192.168.32.1 0.0.0.0 eq 23

Cisco1(config)#access-list 101 deny tcp any 192.168.63.1 0.0.0.0 eq 23

Now, I don't think the wildcard mask is correct. Note that its set to match all the bits for the IP addresses of the 2 router interfaces. This seems to me that you're just blocking access to those ports, but what about other devices on the network with addresses other than for example 192.168.63.1? If you had 192.168.63.2 or .3 or .4 you'd still have access through the router, right? So the correct wildcard mask should be 0.0.0.255?

I tested this setup on my router simulator and this is exactly what I got. Can someone else provide a second opinion and tell me what's right or wrong here? Thanks!

The wildcard is not wrong. It's simply a "host" wildcard. The list is correct, but I don't know why they continue to write the lists this way for a host permit/deny. The easiest way to accurately rewrite this list so that you can see what they mean is:
access-list 101 deny tcp any host 192.168.32.1 eq 23
access-list 101 deny tcp any host 192.168.63.1 eq 23

BTW, this list blocks telnet to 192.168.32.1 and 192.168.63.1 not from those IP addresses. Look at it this way:
You have a router with two interfaces, s0 (WAN side - 192.168.32.1) and e0 (LAN side - 192.168.63.1), and you want to deny telnet access from any IP address to those interfaces.

In all actuality, the easist way to deny ALL telnet access to your router is to place "transport input none" on your vty lines and do not set a password for them, but this is just as effective. They're just trying to get you familiar with access list format and syntax.

tech77

Thanks to forbesl for the input. However, I think you missed what I was asking.

I know this is a wildcard mask, but what I think the example is doing is not blocking access to your entire network behind the router port. For example if the ip address of say the E0 port is 192.168.63.1 and the rest of your network follows that consecutively, or whatever, if you apply a wildcard mask of 0.0.0.0 its only going to block access to the E0 port and not the rest of the network.

So, if you sent a packet to 192.168.63.2 it would still go through because the ACL mask is 0.0.0.0. I'm just wondering if, to block access to the entire network in the example the wildcard needs to be 0.0.0.255. The from portion is irrelevant for the example. Its only concerned with inbound data.

My thinking is the access list needs to be this:

access-list 101 deny tcp any 192.168.63.0 0.0.0.255 eq 23 to keep all telnet out of the entire 192.168.63.x network. If you did a deny to
192.168.63.1 0.0.0.0 eq 23, it would only block telnet to that particular IP and not any others in the same subnet behind the interface, right? I'm just looking for a second opinion on this.

I also know that you can use the shorthand "any", but the exam wants to see the whole shebang written out completely. We're talking the formality of testing, not the casual syntax of real life. I don't think I can use that cool command "transport input none" on the exam.

forbesl

tech77 wrote:

Thanks to forbesl for the input. However, I think you missed what I was asking.

No, I didn't miss what you were asking. I was explaining the reason for the way they did the access list.

So, if you sent a packet to 192.168.63.2 it would still go through because the ACL mask is 0.0.0.0. I'm just wondering if, to block access to the entire network in the example the wildcard needs to be 0.0.0.255.

Yes all bits in the fourth octet would need to be denied if you want block telnet access to the entire network.

If you did a deny to
192.168.63.1 0.0.0.0 eq 23, it would only block telnet to that particular IP and not any others in the same subnet behind the interface, right?

Yes, that is correct. But since you didn't post the specific question you are refering to, I don't know the intention of the access list you posted. Did the question ask you how you block telnet access to the router, or did the question ask you how you block telnet access to the networks? You made a general reference to "practice" test questions (plural), not a particular question.

I also know that you can use the shorthand "any"....

....I wasn't referring to the "shorthand any" as you call it. I was referring to the fact that instead of using a host mask (0.0.0.0), you can simply input the word "host" followed by the host IP address:
Instead of :
access-list 101 deny tcp any 192.168.63.1 0.0.0.0 eq 23
It would be:
access-list 101 deny tcp any host 192.168.63.1 eq 23

If your "practice" test questions are braindumps from **** and such, I would suggest that you not believe everything you see. Instead, go to cisco.com and do some research on the format and syntax for access lists. You can't go wrong if you do that.

tech77

Thank you forbesl for more detailed input. This is all I wanted to confirm with someone because the question I was trying to answer wasn't clear on if it wants to block access to the router or the network behind the router:

Yes all bits in the fourth octet would need to be denied if you want block telnet access to the entire network.

The test questions I've seen are from those notorious **** and I'm not relying on them for the correct answers as they have a lot of errors on them. I do think they are useful for getting a sense of the types of questions you might see on the exam though. If they are your only study tool, then you're sunk.

However, I think there are a lot of poorly worded questions out there. You can write challenging questions that could apply to a range of correct answers, with one answer being more correct than all the others, but a few of thse are just badly done--on the Cisco exams and on various practice tests be they braindumps or from more legit sources like MeasureUp or Transcender.

keenon

access-list 101 deny tcp any host 192.168.63.1 eq 23

to my understanding that when denying tcp your effectively blocking all tcp traffic even when specifying a single port. you must allow some sort of traffic thru..is this still not the case

Drakonblayde

well, if you're only trying to deny access to those specific ip's or that network or whatever, then yes. If you set an access list up, then it automatically takes on an implicit deny for *all* traffic, so the last statement in the ACL does need to be permit ip any any, or yes, all traffic will be dropped by the implicit deny any any at the end of the ACL.

forbesl

keenon wrote:

access-list 101 deny tcp any host 192.168.63.1 eq 23

to my understanding that when denying tcp your effectively blocking all tcp traffic even when specifying a single port. you must allow some sort of traffic thru..is this still not the case

Yes, if that was the only entry in an access list, ALL IP traffic would still be blocked (not just TCP), because there is an implicit deny (deny ip any any) as the last entry in any access-list. To block only telnet to the host/hosts and allow other traffic:

access-list 101 deny tcp any host 192.168.32.1 eq 23
access-list 101 deny tcp any host 192.168.63.1 eq 23
access-list 101 permit ip any any

Late entry.....
Oops...Drakonblayde just stated pretty much the same thing above, but I started this post, then stepped away from my computer for a bit before submitting it.