ACL List help please.
DANMOH009
Member Posts: 241
in CCNA & CCENT
Hi, I hope someone can help; I think I've baffled myself.
Basically I am trying to create an extended access list which will allow telnet access for the subnet 192.168.10.0/25 and allow telnet access for the network 192.168.20.0/25; the rest of the networks in my LAN I don't really want to have telnet access to the router.
Now the router I am putting the ACL on has a serial interface 171.10.0.0/30 connected, and two sub-interfaces 192.168.20.0/25 and 192.168.20.128/25.
Below is my IP ACL after performing a show run. Can someone please help me out and tell me what I've done wrong?
ip access-list extended TELNET
remark this permits telnet access for managers pcs on both tech and cserv
permit tcp 192.168.10.0 0.0.0.127 host 192.168.20.1 eq telnet
permit tcp 192.168.10.0 0.0.0.127 host 192.168.20.129 eq telnet
permit tcp 192.168.10.0 0.0.0.127 host 171.10.0.2 eq telnet
permit tcp 192.168.20.0 0.0.0.127 host 192.168.20.129 eq telnet
permit tcp 192.168.20.0 0.0.0.127 host 192.168.20.129
deny tcp any any eq telnet
permit ip any any
Thanks in advance
Dan
Comments
-
NetworkVeteran Member Posts: 2,338
DANMOH009 wrote:
Now the router i am put the acl has a serial interface 171.10.0.0/30 connected, and two sub interfaces 192.168.20.0/25 and 192.168.20.128/25,
ip access-list extended TELNET
remark this permits telnet access for managers pcs on both tech and cserv
permit tcp 192.168.10.0 0.0.0.127 host 192.168.20.1 eq telnet
permit tcp 192.168.10.0 0.0.0.127 host 192.168.20.129 eq telnet
permit tcp 192.168.10.0 0.0.0.127 host 171.10.0.2 eq telnet
You probably forgot to apply this using an access-class.
I would create a loopback interface and address to use for this.
I also wonder if you really need anything beyond a good password and banner. -
DANMOH009 Member Posts: 241
This is just for practice purposes, preparing for CCNA. I have another access list which I applied to the VTY lines which works fine, but I wanted to try a different approach on this router. I have done something wrong, but don't know where.
-
NetworkVeteran Member Posts: 2,338
Did you apply this using the access-class or access-group command? Just as important as the access-list you create is how you have applied it.
-
MrXpert Member Posts: 586
As NetworkVeteran says, do check whether you applied the access-group or access-class command. You could also verify whether the ACL is getting hits or not.
I'm an Xpert at nothing apart from remembering useless information that nobody else cares about.
-
lantech Member Posts: 329
And when you say it's not working, what exactly do you mean? It would be kind of hard to help when no one knows what exactly is happening.
2012 Certification Goals
CCENT: 04/16/2012
CCNA: TBD -
DANMOH009 Member Posts: 241
The ACL doesn't work; for example, if I want to telnet from a network that is restricted, it won't restrict it.
I did use access-group rather than access-class, because I am applying the ACL to the Fa0/0 interface, not the VTY lines. I know you can apply it to the VTY lines, but I wanted to apply this particular one to the Fa0/0 interface. Is this allowed and will it work? -
NetworkVeteran Member Posts: 2,338
DANMOH009 wrote:
The ACL doesnt work, so for example if i want to telnet from a network that is restricted it wont restrict it.
Now the router i am put the acl has a serial interface 171.10.0.0/30 connected, and two sub interfaces 192.168.20.0/25 and 192.168.20.128/25.. i am applying the ACL to the Fa0/0 interface
Why did you apply this to only one of the router's interfaces?
Did you traceroute to see if you covered the correct one?
DANMOH009 wrote:
is this allowed and will it work?
There is insufficient info to determine whether this will stop telnet in your network.
I wouldn't apply the above ACL on a production router (overly broad). -
sthompson86 Member Posts: 370
I think he is trying to apply the ACL to the interface using an extended ACL, vs. the tried and true VTY application. He did state he was trying something different. Nonetheless, just a guess.
Currently Reading: Again to Carthage - CCNA/Security
-
DANMOH009 Member Posts: 241
OK, here goes my information.
Show Run.
CservRouter#show run
Building configuration...
Current configuration : 1482 bytes
!
version 12.2
no service timestamps log datetime msec
no service timestamps debug datetime msec
no service password-encryption
!
hostname CservRouter
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
interface FastEthernet0/0
no ip address
ip access-group TELNET in
duplex auto
speed auto
!
interface FastEthernet0/0.1
encapsulation dot1Q 10
ip address 192.168.20.1 255.255.255.128
!
interface FastEthernet0/0.2
encapsulation dot1Q 20
ip address 192.168.20.129 255.255.255.128
!
interface FastEthernet0/1
no ip address
duplex auto
speed auto
shutdown
!
interface Serial1/0
ip address 171.10.0.2 255.255.255.252
ip access-group TELNET in
!
interface Serial1/1
no ip address
shutdown
!
interface Serial1/2
no ip address
shutdown
!
interface Serial1/3
no ip address
shutdown
!
router ospf 1
log-adjacency-changes
network 192.168.20.0 0.0.0.127 area 0
network 192.168.20.128 0.0.0.127 area 0
network 171.10.0.0 0.0.0.3 area 0
!
ip classless
!
!
ip access-list extended TELNET
remark this permits telnet access for managers pcs on both tech and cserv
permit tcp 192.168.10.0 0.0.0.127 host 192.168.20.1 eq telnet
permit tcp 192.168.10.0 0.0.0.127 host 192.168.20.129 eq telnet
permit tcp 192.168.10.0 0.0.0.127 host 171.10.0.2 eq telnet
permit tcp 192.168.20.0 0.0.0.127 host 192.168.20.129 eq telnet
permit tcp 192.168.20.0 0.0.0.127 host 192.168.20.129
deny tcp any any eq telnet
permit ip any any
!
!
!
!
!
line con 0
line vty 0 4
password cisco
login
!
!
!
end
Show ACL command
CservRouter#show access-lists
Extended IP access list TELNET
permit tcp 192.168.10.0 0.0.0.127 host 192.168.20.1 eq telnet
permit tcp 192.168.10.0 0.0.0.127 host 192.168.20.129 eq telnet
permit tcp 192.168.10.0 0.0.0.127 host 171.10.0.2 eq telnet
permit tcp 192.168.20.0 0.0.0.127 host 192.168.20.129 eq telnet
permit tcp 192.168.20.0 0.0.0.127 host 192.168.20.129
deny tcp any any eq telnet
permit ip any any
Exact group command was
CservRouter(config)#int fa 0/0
CservRouter(config-if)#ip access-group TELNET in
CservRouter(config-if)#int serial 1/0
CservRouter(config-if)#ip access-group TELNET in
**********
Hope this helps.
I originally only applied it to the Fa interface; I have now applied it to the serial also. Do I need to apply it to the sub-interfaces? -
NetworkVeteran Member Posts: 2,338
DANMOH009 wrote:
I originally only applied it to Fa interface i now applied it to serial alos. Do i need to apply to the sub interfaces??
-
NetworkVeteran Member Posts: 2,338
show access-lists wrote:
CservRouter#show access-lists
Extended IP access list TELNET
permit tcp 192.168.10.0 0.0.0.127 host 192.168.20.1 eq telnet
permit tcp 192.168.10.0 0.0.0.127 host 192.168.20.129 eq telnet
permit tcp 192.168.10.0 0.0.0.127 host 171.10.0.2 eq telnet
permit tcp 192.168.20.0 0.0.0.127 host 192.168.20.129 eq telnet
permit tcp 192.168.20.0 0.0.0.127 host 192.168.20.129
deny tcp any any eq telnet
permit ip any any
(Alternatively, nobody is using IP on your network!) -
DANMOH009 Member Posts: 241
I don't understand; they all have IP addresses assigned. Is it basically just really, really messed up?
-
NetworkVeteran Member Posts: 2,338
DANMOH009 wrote:
I dont understand, they all have IP addresses assigned, is it basically just really really messed up.
show run wrote:
interface FastEthernet0/0
no ip address
ip access-group TELNET in
duplex auto
speed auto
!
interface FastEthernet0/0.1
encapsulation dot1Q 10
ip address 192.168.20.1 255.255.255.128
!
interface FastEthernet0/0.2
encapsulation dot1Q 20
ip address 192.168.20.129 255.255.255.128
!
Fa0/0 doesn't have an IP address assigned. It doesn't talk IP. Assigning an IP ACL isn't particularly effective on an interface that doesn't speak IP. Fa0/0.1 and Fa0/0.2 do have IP addresses. That's where you should be adding your ACL. If your ACL actually matches anything, that's typically seen in the output of "show access-list". I don't see any matches in your output. -
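To make first-match and wildcard-mask evaluation concrete, here is an added Python evaluator (not from the thread and not IOS code) that parses the TELNET list exactly as posted and reports which numbered entry a given packet hits. It assumes the packet reaches an interface where the list is applied inbound; where the list is bound (the Fa0/0 point above) is outside what it models.

```python
from collections import namedtuple
from ipaddress import IPv4Address

# Constructed copy of the thread's TELNET list, in Cisco extended-ACL syntax.
ACL_TEXT = """
remark this permits telnet access for managers pcs on both tech and cserv
permit tcp 192.168.10.0 0.0.0.127 host 192.168.20.1 eq telnet
permit tcp 192.168.10.0 0.0.0.127 host 192.168.20.129 eq telnet
permit tcp 192.168.10.0 0.0.0.127 host 171.10.0.2 eq telnet
permit tcp 192.168.20.0 0.0.0.127 host 192.168.20.129 eq telnet
permit tcp 192.168.20.0 0.0.0.127 host 192.168.20.129
deny tcp any any eq telnet
permit ip any any
"""
# src/dst are (base address, wildcard mask) as 32-bit ints; dport None means any port.
Entry = namedtuple("Entry", "action proto src dst dport")

def _addr(tokens):
    """Consume one address spec ('any', 'host A', or 'A WILDCARD'); return (spec, rest)."""
    if tokens[0] == "any":
        return (0, 0xFFFFFFFF), tokens[1:]
    if tokens[0] == "host":
        return (int(IPv4Address(tokens[1])), 0), tokens[2:]
    return (int(IPv4Address(tokens[0])), int(IPv4Address(tokens[1]))), tokens[2:]

def parse_acl(text):
    """Parse permit/deny lines in order; remarks are skipped and not numbered."""
    entries = []
    for line in text.strip().splitlines():
        tok = line.split()
        if tok[0] == "remark":
            continue
        src, rest = _addr(tok[2:])
        dst, rest = _addr(rest)
        # Only the 'eq' operator is handled; 'telnet' is the one IOS port keyword needed here.
        dport = (23 if rest[1] == "telnet" else int(rest[1])) if rest[:1] == ["eq"] else None
        entries.append(Entry(tok[0], tok[1], src, dst, dport))
    return entries

def _matches(spec, addr):
    base, wildcard = spec  # wildcard bit 1 = don't care, bit 0 = must equal the base
    return ((addr ^ base) & ~wildcard & 0xFFFFFFFF) == 0

def evaluate(entries, proto, src, dst, dport):
    """First match wins, as IOS evaluates an ACL; no match at all is the implicit deny."""
    s, d = int(IPv4Address(src)), int(IPv4Address(dst))
    for n, e in enumerate(entries, 1):
        if (e.proto in ("ip", proto) and _matches(e.src, s) and _matches(e.dst, d)
                and (e.dport is None or e.dport == dport)):
            return n, e.action
    return None, "deny"
```

A telnet attempt from 192.168.20.130 to 192.168.20.1 falls through to entry 6 (deny), while a port-80 connection from 192.168.20.10 to 192.168.20.129 is permitted by entry 5, which carries no port qualifier and so matches more than telnet.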
DANMOH009 Member Posts: 241
Whoop whoop, it works!
Thanks a million!
After assigning it to the sub-interfaces it worked.
Now I've got one more question; I just really want to understand it all before I move on.
In total in my network I have two routers, both of which prevent telnet access.
ROUTER 1 = ACL is assigned on a router on the VTY lines
and the
ROUTER 2 = ACL is assigned to the sub-interfaces (the ones I was just having trouble with).
Now my question is, whenever an unauthorized device tries to telnet to Router 1 I get the message: % Connection refused by remote host
However, when an unauthorized device tries to telnet to ROUTER 2 I get the message: % Connection timed out; remote host not responding
So I know it's petty, but why the different messages?
Thanks in advance, last question I promise -
NetworkVeteran Member Posts: 2,338
DANMOH009 wrote:
So i know its petty but why the different messages?
thanks in advance, last question i promise
Enable these debug commands:
debug ip icmp
debug ip tcp transaction
You will have your answers. Post the output to the thread and everyone can learn. -
DANMOH009 Member Posts: 241
Awh, nightmare!
I am doing it on PT and it doesn't have the debug ip tcp transaction command.
I did the debug ip icmp on the router; no results were displayed.
Thanks -
NetworkVeteran Member Posts: 2,338
Ahh. GNS3 runs the full IOS and only takes a moment to set up a topology like this. Here we go--
This is applying it with an access-class:
R3#telnet 1.1.1.1
Trying 1.1.1.1 ...
% Connection refused by remote host
R3#
*Mar 2 15:15:07.378: TCP: Random local port generated 12347, network 1
*Mar 2 15:15:07.382: TCB65105460 created
*Mar 2 15:15:07.382: TCB65105460 setting property TCP_TOS (11) 660285B0
*Mar 2 15:15:07.382: TCB65105460 bound to UNKNOWN.12347
*Mar 2 15:15:07.386: TCB65105460 setting property unknown (23) 66028510
*Mar 2 15:15:07.386: Reserved port 12347 in Transport Port Agent for TCP IP type 1
*Mar 2 15:15:07.386: TCP: sending SYN, seq 4229261782, ack 0
*Mar 2 15:15:07.390: TCP0: Connection to 1.1.1.1:23, advertising MSS 536
*Mar 2 15:15:07.390: TCP0: state was CLOSED -> SYNSENT [12347 -> 1.1.1.1(23)]
R3#
*Mar 2 15:15:07.422: Released port 12347 in Transport Port Agent for TCP IP type 1 delay 240000
*Mar 2 15:15:07.422: TCP0: state was SYNSENT -> CLOSED [12347 -> 1.1.1.1(23)]
*Mar 2 15:15:07.426: TCP0: bad seg from 1.1.1.1 -- closing connection: port 12347 seq 0 ack 4229261783 rcvnxt 0 rcvwnd 0 len 0
*Mar 2 15:15:07.426: TCP0: connection closed - remote sent RST
*Mar 2 15:15:07.430: TCB 0x65105460 destroyed
R3#
This is applying it with an access-group--
R3#telnet 1.1.1.1
Trying 1.1.1.1 ...
% Destination unreachable; gateway or host down
R3#
*Mar 2 15:15:37.670: TCP: Random local port generated 35241, network 1
*Mar 2 15:15:37.674: TCB65105460 created
*Mar 2 15:15:37.674: TCB65105460 setting property TCP_TOS (11) 660285B0
*Mar 2 15:15:37.674: TCB65105460 bound to UNKNOWN.35241
*Mar 2 15:15:37.674: TCB65105460 setting property unknown (23) 66028510
*Mar 2 15:15:37.678: Reserved port 35241 in Transport Port Agent for TCP IP type 1
*Mar 2 15:15:37.678: TCP: sending SYN, seq 3263398922, ack 0
*Mar 2 15:15:37.678: TCP0: Connection to 1.1.1.1:23, advertising MSS 536
*Mar 2 15:15:37.682: TCP0: state was CLOSED -> SYNSENT [35241 -> 1.1.1.1(23)]
R3#
*Mar 2 15:15:37.730: ICMP: dst (150.1.31.3) administratively prohibited unreachable rcv from 150.1.31.1
*Mar 2 15:15:37.730: TCP0: ICMP destination unreachable received
*Mar 2 15:15:37.734: Released port 35241 in Transport Port Agent for TCP IP type 1 delay 240000
*Mar 2 15:15:37.734: TCP0: state was SYNSENT -> CLOSED [35241 -> 1.1.1.1(23)]
*Mar 2 15:15:37.738: TCB 0x65105460 destroyed
R3# -
DANMOH009 Member Posts: 241
I'm still new to this, so it's looking a bit confusing for me.
It looks like one connection was accepted and then denied at the last stage, and the other just couldn't locate the network at all. Am I right? What key lines am I supposed to be looking at here?