ACL List help please.

DANMOH009DANMOH009 Posts: 241Member
Hi i hope someone can help think ive baffled my self,

Basically I am trying to create an extended access list which will allow telnet access for the subnet 192.168.10.0/25 and allow telnet access for the network 192.168.20.0/25, the rest of the networks in my lan i dont really want to have telnet access to the router.

Now the router i am put the acl has a serial interface 171.10.0.0/30 connected, and two sub interfaces 192.168.20.0/25 and 192.168.20.128/25,

Below is my ip acl after performing a show run, can someone please help me out and tell me what ive done wrong,


ip access-list extended TELNET
remark this permits telnet access for managers pcs on both tech and cserv
permit tcp 192.168.10.0 0.0.0.127 host 192.168.20.1 eq telnet
permit tcp 192.168.10.0 0.0.0.127 host 192.168.20.129 eq telnet
permit tcp 192.168.10.0 0.0.0.127 host 171.10.0.2 eq telnet
permit tcp 192.168.20.0 0.0.0.127 host 192.168.20.129 eq telnet
permit tcp 192.168.20.0 0.0.0.127 host 192.168.20.129
deny tcp any any eq telnet
permit ip any any



Thanks in advance

Dan

Comments

  • NetworkVeteranNetworkVeteran Posts: 2,338Member
    DANMOH009 wrote: »
    Now the router i am put the acl has a serial interface 171.10.0.0/30 connected, and two sub interfaces 192.168.20.0/25 and 192.168.20.128/25,

    ip access-list extended TELNET
    remark this permits telnet access for managers pcs on both tech and cserv
    permit tcp 192.168.10.0 0.0.0.127 host 192.168.20.1 eq telnet
    permit tcp 192.168.10.0 0.0.0.127 host 192.168.20.129 eq telnet
    permit tcp 192.168.10.0 0.0.0.127 host 171.10.0.2 eq telnet

    You probably forgot to apply this using an access-class.

    I would create a loopback interface and address to use for this.

    I also wonder if you really need anything beyond a good password and banner.
  • DANMOH009DANMOH009 Posts: 241Member
    This is just for practicing purposes only preparing for CCNA, i have another access list which i applied to the VTY lines which works fine, but wanted to try a different approach on this router but i have done something wrong dunno wehre though?
  • NetworkVeteranNetworkVeteran Posts: 2,338Member
    Did you apply this using the access-class or access-group command? Just as important as the access-list you create is how you have applied it.
  • MrXpertMrXpert Posts: 586Member
    As networkVeteran says do check whether you applied the access-group or access-class command. You could also verify the ACL is getting hits or not.
    I'm an Xpert at nothing apart from remembering useless information that nobody else cares about.
  • lantechlantech Posts: 329Member
    And when you say it's not working, what exactly do you mean? Kind be kind of hard to help when no one knows what exactly is happening.
    2012 Certification Goals

    CCENT: 04/16/2012
    CCNA: TBD
  • DANMOH009DANMOH009 Posts: 241Member
    The ACL doesnt work, so for example if i want to telnet from a network that is restricted it wont restrict it.


    I did use Access-group rather then class, because i am applying the ACL to the Fa0/0 interface, not the vty lines, i know you can apply it to vty lines, but i wanted to apply this particular one to the fa0/0 interface, is this allowed and will it work?
  • xbuzzxbuzz Posts: 122Member
    Probably best to paste in a full show run.
  • NetworkVeteranNetworkVeteran Posts: 2,338Member
    DANMOH009 wrote: »
    The ACL doesnt work, so for example if i want to telnet from a network that is restricted it wont restrict it.
    And the output of "show access-list" and any other ACL commands you've learned is?
    Now the router i am put the acl has a serial interface 171.10.0.0/30 connected, and two sub interfaces 192.168.20.0/25 and 192.168.20.128/25.. i am applying the ACL to the Fa0/0 interface
    And the exact access-group commands you used to apply this is?
    Why did you apply this to only one of the router's interfaces?
    Did you traceroute to see if you covered the correct one?
    is this allowed and will it work?
    You can apply ACLs using either the access-group or access-class command.
    There is insufficient info to determine whether this will stop telnet in your network.
    I wouldn't apply the above ACL on a production router (overly broad).
  • sthompson86sthompson86 Posts: 370Member
    I think he is trying to apply the ACL to the interface using an extended ACL. VS the tried and true VTY application. He did state he was trying something different. Nonetheless, just a guess.
    Currently Reading: Again to Carthage - CCNA/Security
  • DANMOH009DANMOH009 Posts: 241Member
    Ok here goes my Information.


    Show Run.


    CservRouter#show run
    Building configuration...

    Current configuration : 1482 bytes
    !
    version 12.2
    no service timestamps log datetime msec
    no service timestamps debug datetime msec
    no service password-encryption
    !
    hostname CservRouter
    !
    !
    !
    !
    !
    !
    !
    !
    !
    !
    !
    !
    !
    !
    !
    !
    !
    !
    interface FastEthernet0/0
    no ip address
    ip access-group TELNET in
    duplex auto
    speed auto
    !
    interface FastEthernet0/0.1
    encapsulation dot1Q 10
    ip address 192.168.20.1 255.255.255.128
    !
    interface FastEthernet0/0.2
    encapsulation dot1Q 20
    ip address 192.168.20.129 255.255.255.128
    !
    interface FastEthernet0/1
    no ip address
    duplex auto
    speed auto
    shutdown
    !
    interface Serial1/0
    ip address 171.10.0.2 255.255.255.252
    ip access-group TELNET in
    !
    interface Serial1/1
    no ip address
    shutdown
    !
    interface Serial1/2
    no ip address
    shutdown
    !
    interface Serial1/3
    no ip address
    shutdown
    !
    router ospf 1
    log-adjacency-changes
    network 192.168.20.0 0.0.0.127 area 0
    network 192.168.20.128 0.0.0.127 area 0
    network 171.10.0.0 0.0.0.3 area 0
    !
    ip classless
    !
    !
    ip access-list extended TELNET
    remark this permits telnet access for managers pcs on both tech and cserv
    permit tcp 192.168.10.0 0.0.0.127 host 192.168.20.1 eq telnet
    permit tcp 192.168.10.0 0.0.0.127 host 192.168.20.129 eq telnet
    permit tcp 192.168.10.0 0.0.0.127 host 171.10.0.2 eq telnet
    permit tcp 192.168.20.0 0.0.0.127 host 192.168.20.129 eq telnet
    permit tcp 192.168.20.0 0.0.0.127 host 192.168.20.129
    deny tcp any any eq telnet
    permit ip any any
    !
    !
    !
    !
    !
    line con 0
    line vty 0 4
    password cisco
    login
    !
    !
    !
    end



    Show ACL command


    CservRouter#show access-lists
    Extended IP access list TELNET
    permit tcp 192.168.10.0 0.0.0.127 host 192.168.20.1 eq telnet
    permit tcp 192.168.10.0 0.0.0.127 host 192.168.20.129 eq telnet
    permit tcp 192.168.10.0 0.0.0.127 host 171.10.0.2 eq telnet
    permit tcp 192.168.20.0 0.0.0.127 host 192.168.20.129 eq telnet
    permit tcp 192.168.20.0 0.0.0.127 host 192.168.20.129
    deny tcp any any eq telnet
    permit ip any any




    Exact group command was


    CservRouter(config)#int fa 0/0
    CservRouter(config-if)#ip access-group TELNET in
    CservRouter(config-if)#int serial 1/0
    CservRouter(config-if)#ip access-group TELNET in


    **********

    Hope this helps.

    I originally only applied it to Fa interface i now applied it to serial alos. Do i need to apply to the sub interfaces??
  • NetworkVeteranNetworkVeteran Posts: 2,338Member
    DANMOH009 wrote: »
    I originally only applied it to Fa interface i now applied it to serial alos. Do i need to apply to the sub interfaces??
    Yes. (Extra characters since TechExams wants a 7-character reply.)
  • NetworkVeteranNetworkVeteran Posts: 2,338Member
    DANMOH009 wrote: »
    CservRouter#show access-lists
    Extended IP access list TELNET
    permit tcp 192.168.10.0 0.0.0.127 host 192.168.20.1 eq telnet
    permit tcp 192.168.10.0 0.0.0.127 host 192.168.20.129 eq telnet
    permit tcp 192.168.10.0 0.0.0.127 host 171.10.0.2 eq telnet
    permit tcp 192.168.20.0 0.0.0.127 host 192.168.20.129 eq telnet
    permit tcp 192.168.20.0 0.0.0.127 host 192.168.20.129
    deny tcp any any eq telnet
    permit ip any any
    The above indicates your your access-list is not applied correctly. No matches.

    (Alternatively, nobody is using IP on your network!)
  • DANMOH009DANMOH009 Posts: 241Member
    I dont understand, they all have IP addresses assigned, is it basically just really really messed up.
  • NetworkVeteranNetworkVeteran Posts: 2,338Member
    DANMOH009 wrote: »
    I dont understand, they all have IP addresses assigned, is it basically just really really messed up.
    show run wrote:
    interface FastEthernet0/0
    no ip address
    ip access-group TELNET in
    duplex auto
    speed auto
    !
    interface FastEthernet0/0.1
    encapsulation dot1Q 10
    ip address 192.168.20.1 255.255.255.128
    !
    interface FastEthernet0/0.2
    encapsulation dot1Q 20
    ip address 192.168.20.129 255.255.255.128
    !

    Fa0/0 doesn't have an IP address assigned. It doesn't talk IP. Assigning an IP ACL isn't particularly effective on an interface that doesn't speak IP. Fa0/0.1 and Fa0/0.2 do have IP addresses. That's where you should be adding your ACL. If your ACL actually matches anything, that's typically seens in the output of "show access-list". I don't see any matches in your output.
  • DANMOH009DANMOH009 Posts: 241Member
    Whoop Whoop it works!


    Thanks a million!

    after assigning it to the sub- interfaces it worked.

    Now iv got one more question, i just really want to understand it all before i move on.

    In total in my network i have two routers both of which prevent telnet access.

    ROUTER 1 = ACL is assigned on a router on the vty lines
    and the
    ROUTER 2 = ACL is assigned to the Sub-Interfaces (the ones i was just having trouble with).

    Now my question is, whenever an unauthorized device trys to telnet to a Router 1 i get the message: % Connection refused by remote host



    However when an unauthorized device trys to Telnet to ROUTER 2 i get the message: % Connection timed out; remote host not responding


    So i know its petty but why the different messages?


    thanks in advance, last question i promise icon_smile.gif
  • NetworkVeteranNetworkVeteran Posts: 2,338Member
    DANMOH009 wrote: »
    So i know its petty but why the different messages?


    thanks in advance, last question i promise icon_smile.gif

    Enable these debug commands:

    debug ip icmp
    debug ip tcp transaction

    You will have your answers. Post the output to the thread and everyone can learn.
  • DANMOH009DANMOH009 Posts: 241Member
    awh nightmare!

    I am doing it on PT and it doesn't have the debug ip tcp transaction icon_sad.gif

    i did the debug ip icmp on the router, no results were displayed.


    Thanks
  • NetworkVeteranNetworkVeteran Posts: 2,338Member
    Ahh. GNS3 runs the full IOS and only takes a moment to setup a topology like this. Here we go--

    This is applying it with an access-class:

    R3#telnet 1.1.1.1
    Trying 1.1.1.1 ...
    % Connection refused by remote host
    R3#
    *Mar 2 15:15:07.378: TCP: Random local port generated 12347, network 1
    *Mar 2 15:15:07.382: TCB65105460 created
    *Mar 2 15:15:07.382: TCB65105460 setting property TCP_TOS (11) 660285B0
    *Mar 2 15:15:07.382: TCB65105460 bound to UNKNOWN.12347
    *Mar 2 15:15:07.386: TCB65105460 setting property unknown (23) 66028510
    *Mar 2 15:15:07.386: Reserved port 12347 in Transport Port Agent for TCP IP type 1
    *Mar 2 15:15:07.386: TCP: sending SYN, seq 4229261782, ack 0
    *Mar 2 15:15:07.390: TCP0: Connection to 1.1.1.1:23, advertising MSS 536
    *Mar 2 15:15:07.390: TCP0: state was CLOSED -> SYNSENT [12347 -> 1.1.1.1(23)]
    R3#
    *Mar 2 15:15:07.422: Released port 12347 in Transport Port Agent for TCP IP type 1 delay 240000
    *Mar 2 15:15:07.422: TCP0: state was SYNSENT -> CLOSED [12347 -> 1.1.1.1(23)]
    *Mar 2 15:15:07.426: TCP0: bad seg from 1.1.1.1 -- closing connection: port 12347 seq 0 ack 4229261783 rcvnxt 0 rcvwnd 0 len 0
    *Mar 2 15:15:07.426: TCP0: connection closed - remote sent RST
    *Mar 2 15:15:07.430: TCB 0x65105460 destroyed
    R3#

    This is applying it with an access-group--

    R3#telnet 1.1.1.1
    Trying 1.1.1.1 ...
    % Destination unreachable; gateway or host down
    R3#
    *Mar 2 15:15:37.670: TCP: Random local port generated 35241, network 1
    *Mar 2 15:15:37.674: TCB65105460 created
    *Mar 2 15:15:37.674: TCB65105460 setting property TCP_TOS (11) 660285B0
    *Mar 2 15:15:37.674: TCB65105460 bound to UNKNOWN.35241
    *Mar 2 15:15:37.674: TCB65105460 setting property unknown (23) 66028510
    *Mar 2 15:15:37.678: Reserved port 35241 in Transport Port Agent for TCP IP type 1
    *Mar 2 15:15:37.678: TCP: sending SYN, seq 3263398922, ack 0
    *Mar 2 15:15:37.678: TCP0: Connection to 1.1.1.1:23, advertising MSS 536
    *Mar 2 15:15:37.682: TCP0: state was CLOSED -> SYNSENT [35241 -> 1.1.1.1(23)]
    R3#
    *Mar 2 15:15:37.730: ICMP: dst (150.1.31.3) administratively prohibited unreachable rcv from 150.1.31.1
    *Mar 2 15:15:37.730: TCP0: ICMP destination unreachable received
    *Mar 2 15:15:37.734: Released port 35241 in Transport Port Agent for TCP IP type 1 delay 240000
    *Mar 2 15:15:37.734: TCP0: state was SYNSENT -> CLOSED [35241 -> 1.1.1.1(23)]
    *Mar 2 15:15:37.738: TCB 0x65105460 destroyed
    R3#
  • DANMOH009DANMOH009 Posts: 241Member
    Im still new to this, so its looking a bit confusing for me.


    It looks like one connection accepted and was denied at the last stage, and the other just couldnt locate the network at all am i right? what key lines am i supposed to be looking at here?
Sign In or Register to comment.