Weird ACLs :/

altdrugz Member Posts: 69
Hello, straight to the topic that I need some explanations on:

R1 --- R2 ---- hostA

hostA IP 192.168.1.2
R1's serial 192.168.1.17
I used VLSM, so don't care about the subnets or whatsoever.

Extended IP access list RESTRICT_TELNET
10 deny tcp host 192.168.1.2 host 192.168.1.17 eq telnet
20 permit ip any any (2 matches)

For testing purposes I did the following:

Applied this access list under vty 0 4 of R1. I was then able to telnet from HostA -> R1. Then I applied the same access-list for the inbound connections of R1's serial interface and still I was able to telnet inside. Also I can check that everything passes through the access-list, because I see the counter of the permit ip any any increasing. Why?! This looks a bit tricky, because if I apply this to R2's interfaces I won't be able to telnet to R1.

Then I changed the destination host to "any" and then I wasn't able to telnet inside.

Could somebody give me some light why this is happening?

Comments

    FloOz Member Posts: 1,614
    Well generally you want to apply extended access list as close to the source as possible. That is why it works when you apply it to R2's interface.
    What happens when you apply the access list to the serial interface of R1? Does it work then?
    MrXpert Member Posts: 586
    I think I know what the problem is, but can you post the configs up just to be sure please?
    I'm an Xpert at nothing apart from remembering useless information that nobody else cares about.
    altdrugz Member Posts: 69
    I know that rule, extended -> close to source, standard -> close to destination, but I'm just testing things here. As I said, of course if it's applied on R2's interfaces this works. The tricky part (as I already said :P) is that when it's applied under vty lines or R1's serial I am able to telnet and I can see the counters increasing in the permit ip any any statement.
    fiftyo Member Posts: 71
    Are you NATing?
    altdrugz Member Posts: 69
    Nope. No NAT (it was the first thing I checked in R2!!). I can clearly see from Wireshark that the packets are coming into the serial port with the related ACL's deny statement info :/

    interface Serial1/0
     ip address 192.168.1.17 255.255.255.252
     ip access-group RESTRICT_TELNET in
     serial restart-delay 0

    ip access-list extended RESTRICT_TELNET
     deny tcp host 192.168.1.2 any eq telnet
     permit ip any any

    I have also tested the following thing ->

    ip access-list extended SSHACCESS
     deny tcp 192.168.1.0 0.0.0.7 host 192.168.1.17 eq 22
     deny tcp host 192.168.1.2 host 192.168.1.17 eq telnet
     permit ip any any

    Giving exactly the same results (I'm able to telnet and SSH now :P) when applied to vty / serial int. The only way to fix it is replacing the "host 192.168.1.17" with "any", but I don't understand why... WHYYYY?! :P
    fiftyo Member Posts: 71
    After digging a little deeper into this, apparently specific destination addresses in the access-class in command do not work, see VTY access-class accepts extended and named access lists « ipSpace.net by @ioshints
    altdrugz Member Posts: 69
    Hmmm nice. So specifying a "host" doesn't work under access-class. But this isn't working even when I set it on my serial connection, so... this probably isn't working for applying to interfaces as well (when the "host" dst address is the router's), I guess.
    DCD Member Posts: 473
    I can't tell if you use the access-class command from the information supplied.
    JoshyJ Member Posts: 32
    When I set up the exact same setup, it works and blocks Host A from telnetting to R1 when applying the access-list to the Serial Interface.

    If you are seeing the counters in the access-list for the permit any to any increasing, then I would really triple check that no kind of NAT is in play.

    Any chance of seeing both routers' full configuration?
    altdrugz Member Posts: 69
    I think that was because of my IOS version. Was 12.4 if I remember well. There isn't any NAT etc., just what I have already pasted and the access-class command first under the vty lines and then under the serial inbound.
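An added example (not code from the thread or from Cisco) that models the two evaluations discussed above: a small first-match evaluator for the SSHACCESS list quoted in the thread, run once with the full packet 5-tuple (interface ACL) and once with no usable destination address, which is how the thread's finding about access-class is modelled here (an assumption: entries with a specific destination are simply skipped). It shows why the deny lines are bypassed and the permit ip any any counter climbs, and why replacing the host destination with any fixes it.

```python
import ipaddress

# Constructed sample input: the SSHACCESS list quoted in the thread above.
SSHACCESS = """
deny tcp 192.168.1.0 0.0.0.7 host 192.168.1.17 eq 22
deny tcp host 192.168.1.2 host 192.168.1.17 eq telnet
permit ip any any
"""
PORT_NAMES = {"telnet": 23, "ssh": 22}
ALL = 0xFFFFFFFF  # wildcard for "any" (every bit is don't-care)

def parse_addr(tokens):
    """Consume one address term (any | host A.B.C.D | A.B.C.D WILDCARD).
    Returns (address, wildcard, remaining tokens); wildcard bits set to 1 are don't-care."""
    if tokens[0] == "any":
        return 0, ALL, tokens[1:]
    if tokens[0] == "host":
        return int(ipaddress.ip_address(tokens[1])), 0, tokens[2:]
    return (int(ipaddress.ip_address(tokens[0])),
            int(ipaddress.ip_address(tokens[1])), tokens[2:])

def parse_acl(text):
    """Parse IOS extended ACL lines into (action, proto, src, swc, dst, dwc, dport)."""
    entries = []
    for line in text.strip().splitlines():
        t = line.split()
        action, proto = t[0], t[1]
        src, swc, t = parse_addr(t[2:])
        dst, dwc, t = parse_addr(t)
        port = (PORT_NAMES.get(t[1]) or int(t[1])) if t and t[0] == "eq" else None
        entries.append((action, proto, src, swc, dst, dwc, port))
    return entries

def addr_match(addr, net, wildcard):
    # Cisco wildcard semantics: compare only the bits where the wildcard is 0.
    return (addr | wildcard) == (net | wildcard)

def evaluate(acl, proto, src, dport, dst=None):
    """First-match evaluation with the implicit deny at the end.
    dst=None is the assumed model of access-class from the thread: no destination
    to compare against, so only an entry whose destination is 'any' can match."""
    s = int(ipaddress.ip_address(src))
    for action, p, net, swc, dnet, dwc, port in acl:
        if p not in ("ip", proto) or not addr_match(s, net, swc):
            continue
        if dst is None:
            if dwc != ALL:
                continue  # specific destination cannot be evaluated: entry skipped
        elif not addr_match(int(ipaddress.ip_address(dst)), dnet, dwc):
            continue
        if port is not None and port != dport:
            continue
        return action
    return "deny"  # implicit deny

# The fix from the thread: destination "host 192.168.1.17" replaced with "any".
FIXED = SSHACCESS.replace("host 192.168.1.17", "any")
```

Evaluating the telnet attempt 192.168.1.2 -> 192.168.1.17:23 with `dst="192.168.1.17"` returns "deny" (interface-style match), with `dst=None` it returns "permit" from the last line, and with the FIXED list it returns "deny" in both modes.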