In article <. com>,
Bob <> wrote:
>I'm having trouble configuring access lists. I'm trying to restrict
>access to a machine to only port 21015.
>Here are my access-list lines:
>access-list lock_down permit icmp 10.10.10.0 255.255.255.0 host 172.16.1.100
>access-list lock_down permit tcp 10.10.10.0 255.255.255.0 host 172.16.1.100 rq 21015
>access-group lock_down in interface inside
I'm going to presume that 'rq' is a typo for 'eq'.
>Am I right in thinking that this should limit access on the inside
>interface to port 21015 for the host 172.16.1.100?
Not always, no.
>If I telnet to
>another port, for example, 24079, and run a capture on the inside
>interface, I see the line "172.16.1.100.24079 > 10.10.10.138.1269".
>Does this indicate that a packet has been returned from 172.16.1.100?
>If so, how is this possible with the access-list in place?
What you omitted in your description is that you are using a PIX,
not an IOS router. Our clue to that is that you used 255.255.255.0
as your mask: IOS would use 0.0.0.255 to express the same mask.
PIX uses an Adaptive Security Algorithm. When a connection is
permitted in one direction, then the PIX automatically injects
permission for the return traffic into the beginning of the access
list for the other direction.
You permitted telnet from outside to 24079 and started that connection
from outside, and the PIX read off the source IP and source port
and automatically added a temporary entry permitting the appropriate
inside host to return packets to that IP and port.
>If a packet is denied access because of an access-list is there
>anything specific in the capture or elsewhere that would tell me?
Not in the capture. Look at the log messages. Denial via an ACL is
a level 4 event, so it will appear in the logs if you are set to log
level 4 or higher (and have the logs turned on). To see more of the
gory details, turn up the logging to level 6: that will show the
translations and connections being made.
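The behaviour described in the reply above (the ACL is consulted only for the packet that opens a connection; the return direction is matched against the connection table; an ACL deny is a level 4 syslog event while "connection built" is level 6) can be modelled in a few dozen lines. The following is an added example, not code from the original post or from Cisco: a toy stateful firewall in Python, configured with Bob's three lines ('rq' read as 'eq') and fed a handful of constructed packets. The syslog message IDs (106023, 302013, 106001) and their wording are approximations of the PIX catalogue, and the default-security-level behaviour for an interface with no ACL bound is an assumption of the model.

```python
from __future__ import annotations
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Packet:
    iface: str   # interface the packet arrives on: "inside" or "outside"
    proto: str   # "tcp", "udp" or "icmp"
    src: str
    sport: int
    dst: str
    dport: int


@dataclass(frozen=True)
class Ace:
    """One access-list line. The post's '10.10.10.0 255.255.255.0' is 10.10.10.0/24."""
    action: str                  # "permit" or "deny"
    proto: str                   # "tcp", "udp", "icmp" or "ip"
    src_net: str
    dst_host: str
    dport: Optional[int] = None  # None = any port (the icmp line has no 'eq')

    def matches(self, p: Packet) -> bool:
        return (self.proto in ("ip", p.proto)
                and ip_address(p.src) in ip_network(self.src_net)
                and ip_address(p.dst) == ip_address(self.dst_host)
                and (self.dport is None or self.dport == p.dport))


class StatefulFirewall:
    """Toy PIX: per-interface inbound ACL plus a connection table that is
    consulted before the ACL, so return traffic never hits the ACL."""

    def __init__(self, log_level: int = 4):
        self.acls: dict[str, list[Ace]] = {}
        self.access_groups: dict[str, str] = {}   # iface -> acl applied inbound
        self.conns: set[tuple] = set()
        self.log_level = log_level                # syslog severity cutoff
        self.logs: list[str] = []

    def access_list(self, name, action, proto, src_net, dst_host, dport=None):
        self.acls.setdefault(name, []).append(Ace(action, proto, src_net, dst_host, dport))

    def access_group(self, name, iface):
        self.access_groups[iface] = name

    def _log(self, level, msg):
        # IDs modelled on the PIX syslog catalogue (106023 = ACL deny, level 4;
        # 302013 = TCP connection built, level 6); the wording is approximate.
        if level <= self.log_level:
            self.logs.append(f"%PIX-{level}-{msg}")

    def process(self, p: Packet) -> str:
        fwd = (p.proto, p.src, p.sport, p.dst, p.dport)
        rev = (p.proto, p.dst, p.dport, p.src, p.sport)
        # 1. Existing connection in either direction: permitted, no ACL lookup.
        if fwd in self.conns or rev in self.conns:
            return "permit (existing connection)"
        # 2. New connection: evaluate the ACL bound inbound on the ingress interface.
        acl = self.access_groups.get(p.iface)
        if acl is None:
            # No ACL bound: assumed default security levels, inside may open
            # connections, outside may not.
            if p.iface == "outside":
                self._log(2, f"106001: Inbound {p.proto.upper()} connection denied from "
                             f"{p.src}/{p.sport} to {p.dst}/{p.dport} on interface {p.iface}")
                return "deny (no inbound permission)"
        else:
            # First match wins; an implicit deny sits at the end of every list.
            hit = next((a for a in self.acls[acl] if a.matches(p)), None)
            if hit is None or hit.action == "deny":
                self._log(4, f"106023: Deny {p.proto} src {p.iface}:{p.src}/{p.sport} "
                             f"dst {p.dst}/{p.dport} by access-group {acl}")
                return f"deny (access-group {acl})"
        # 3. Permitted: record the connection so the reply direction passes too.
        self.conns.add(fwd)
        if p.proto == "tcp":
            self._log(6, f"302013: Built outbound TCP connection for {p.iface}:"
                         f"{p.src}/{p.sport} to {p.dst}/{p.dport}")
        return f"permit (access-group {acl})" if acl else "permit (default)"


def build_lab(log_level: int = 4) -> StatefulFirewall:
    """The configuration from the post, with 'rq' read as 'eq'."""
    fw = StatefulFirewall(log_level)
    fw.access_list("lock_down", "permit", "icmp", "10.10.10.0/24", "172.16.1.100")
    fw.access_list("lock_down", "permit", "tcp", "10.10.10.0/24", "172.16.1.100", 21015)
    fw.access_group("lock_down", "inside")
    return fw


def scenario(log_level: int = 4) -> tuple[list[str], list[str]]:
    """Constructed packets: a permitted session, its reply, a blocked port,
    an unsolicited reply-shaped packet from outside, and an icmp probe."""
    fw = build_lab(log_level)
    packets = [
        Packet("inside", "tcp", "10.10.10.138", 1269, "172.16.1.100", 21015),   # allowed port
        Packet("outside", "tcp", "172.16.1.100", 21015, "10.10.10.138", 1269),  # its reply
        Packet("inside", "tcp", "10.10.10.138", 1270, "172.16.1.100", 24079),   # other port
        Packet("outside", "tcp", "172.16.1.100", 24079, "10.10.10.138", 1270),  # no session
        Packet("inside", "icmp", "10.10.10.138", 0, "172.16.1.100", 8),         # icmp line
    ]
    return [fw.process(p) for p in packets], fw.logs


if __name__ == "__main__":
    verdicts, logs = scenario(6)
    for line in verdicts + logs:
        print(line)
```

Run at log level 4 only the two denies are logged; at level 6 the "Built outbound TCP connection" line for the permitted 21015 session appears as well, which is the difference the reply points to. Note that the reply packet from 172.16.1.100/21015 is permitted by the connection table alone and never reaches the lock_down list, which is why a capture on either interface cannot tell you whether an ACL was involved.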