Velocity Reviews - Computer Hardware Reviews

Cisco access-list question

Bob
10-19-2006
Hi,

I'm having trouble configuring access lists. I'm trying to restrict
access to a machine to only port 21015.

Here are my access-list lines:

access-list lock_down permit icmp 10.10.10.0 255.255.255.0 host 172.16.1.100
access-list lock_down permit tcp 10.10.10.0 255.255.255.0 host 172.16.1.100 rq 21015
access-group lock_down in interface inside

Am I right in thinking that this should limit access on the inside
interface to port 21015 for the host 172.16.1.100? If I telnet to
another port, for example, 24079, and run a capture on the inside
interface, I see the line "172.16.1.100.24079 > 10.10.10.138.1269".
Does this indicate that a packet has been returned from 172.16.1.100?
If so, how is this possible with the access-list in place?

If a packet is denied access because of an access-list, is there
anything specific in the capture or elsewhere that would tell me?

Any help would be much appreciated,

Thanks,

Bob

Walter Roberson
10-19-2006
In article <(E-Mail Removed). com>,
Bob <(E-Mail Removed)> wrote:

>I'm having trouble configuring access lists. I'm trying to restrict
>access to a machine to only port 21015.

>Here are my access-list lines:

>access-list lock_down permit icmp 10.10.10.0 255.255.255.0 host 172.16.1.100
>access-list lock_down permit tcp 10.10.10.0 255.255.255.0 host 172.16.1.100 rq 21015
>access-group lock_down in interface inside

I'm going to presume that 'rq' is a typo for 'eq'.

>Am I right in thinking that this should limit access on the inside
>interface to port 21015 for the host 172.16.1.100?

Not always, no.

>If I telnet to
>another port, for example, 24079, and run a capture on the inside
>interface, I see the line "172.16.1.100.24079 > 10.10.10.138.1269".
>Does this indicate that a packet has been returned from 172.16.1.100?
>If so, how is this possible with the access-list in place?

What you omitted in your description is that you are using a PIX,
not an IOS router. Our clue to that is that you used 255.255.255.0
as your mask: IOS would use 0.0.0.255 to express the same mask.

PIX uses an Adaptive Security Algorithm. When a connection is
permitted in one direction, then the PIX automatically injects
permission for the return traffic into the beginning of the access
list for the other direction.

You permitted telnet from outside to 24079 and started that connection
from outside, and the PIX read off the source IP and source port
and automatically added a temporary entry permitting the appropriate
inside host to return packets to that IP and port.

>If a packet is denied access because of an access-list, is there
>anything specific in the capture or elsewhere that would tell me?

Not in the capture. Look at the log messages. Denial via an ACL is
a level 4 event, so it will appear in the logs if you are set to log
level 4 or higher (and have the logs turned on). To see more of the
gory details, turn up the logging to level 6: that would show up
the translations being made and the connections being made.
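
A small Python model of the behaviour Walter describes, added here as an illustration and not code from the thread: the access-list is consulted only for the packet that opens a connection, replies are matched against the connection table, and a denial shows up only as a level-4 syslog message, never in the capture. The ACL, addresses and ports are the ones from Bob's post (with 'eq' in place of 'rq'); the packets, the per-interface default deny and the syslog text are constructed for the example and only approximate real PIX output.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Optional

@dataclass(frozen=True)
class Packet:
    iface: str; proto: str; src: str; sport: int; dst: str; dport: int   # iface = ingress interface

@dataclass(frozen=True)
class Ace:
    """One 'access-list <name> permit <proto> <net> <mask> host <ip> [eq <port>]' line."""
    proto: str; src_net: str; dst_host: str; dport: Optional[int] = None
    def matches(self, p: Packet) -> bool:
        return (p.proto == self.proto
                and ipaddress.ip_address(p.src) in ipaddress.ip_network(self.src_net)
                and p.dst == self.dst_host
                and (self.dport is None or p.dport == self.dport))

@dataclass
class Pix:
    acls: dict                          # interface -> ACEs bound by 'access-group <name> in interface <if>'
    logging_level: int = 4              # configured syslog threshold
    conns: set = field(default_factory=set)
    syslog: list = field(default_factory=list)
    def _log(self, level: int, text: str) -> None:
        if level <= self.logging_level:   # only messages at or below the configured level are emitted
            self.syslog.append(f"%PIX-{level}-{text}")   # constructed text, approximates PIX syslog
    def forward(self, p: Packet) -> bool:
        # Return traffic of a connection already in the table bypasses every ACL.
        if (p.proto, p.dst, p.dport, p.src, p.sport) in self.conns:
            return True
        # A connection-opening packet is checked against the ACL on its ingress interface;
        # an interface with no access-group denies (simplification, assumed here).
        if any(ace.matches(p) for ace in self.acls.get(p.iface, [])):
            self.conns.add((p.proto, p.src, p.sport, p.dst, p.dport))
            self._log(6, f"302013: Built {p.proto.upper()} connection {p.src}/{p.sport} to {p.dst}/{p.dport}")
            return True
        self._log(4, f"106023: Deny {p.proto} src {p.iface}:{p.src}/{p.sport} dst {p.dst}/{p.dport} by access-group")
        return False

def demo(logging_level: int = 4):
    """Replay Bob's scenario with constructed packets and the thread's ACL ('eq' for 'rq')."""
    pix = Pix({"inside": [Ace("icmp", "10.10.10.0/24", "172.16.1.100"),
                          Ace("tcp", "10.10.10.0/24", "172.16.1.100", 21015)]}, logging_level)
    c, s = "10.10.10.138", "172.16.1.100"
    results = {"syn_21015":   pix.forward(Packet("inside", "tcp", c, 1269, s, 21015)),
               "reply_21015": pix.forward(Packet("outside", "tcp", s, 21015, c, 1269)),
               "syn_24079":   pix.forward(Packet("inside", "tcp", c, 1270, s, 24079)),
               "reply_24079": pix.forward(Packet("outside", "tcp", s, 24079, c, 1270))}
    return results, pix.syslog
```

At logging level 4 the run records the two denials and nothing else; at level 6 the connection built to port 21015 is logged as well, which is the extra detail Walter refers to.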
