Cisco access-list question

Discussion in 'Cisco' started by Bob, Oct 19, 2006.

  1. Bob

    Bob Guest

    Hi,

    I'm having trouble configuring access lists. I'm trying to restrict
    access to a machine to only port 21015.

    Here are my access-list lines:

    access-list lock_down permit icmp 10.10.10.0 255.255.255.0 host 172.16.1.100
    access-list lock_down permit tcp 10.10.10.0 255.255.255.0 host 172.16.1.100 rq 21015
    access-group lock_down in interface inside

    Am I right in thinking that this should limit access on the inside
    interface to port 21015 for the host 172.16.1.100? If I telnet to
    another port, for example, 24079, and run a capture on the inside
    interface, I see the line "172.16.1.100.24079 > 10.10.10.138.1269".
    Does this indicate that a packet has been returned from 172.16.1.100?
    If so, how is this possible with the access-list in place?

    If a packet is denied access because of an access-list is there
    anything specific in the capture or elsewhere that would tell me?

    Any help would be much appreciated,

    Thanks,

    Bob
    Bob, Oct 19, 2006

  2. In article <>,
    Bob <> wrote:

    >I'm having trouble configuring access lists. I'm trying to restrict
    >access to a machine to only port 21015.


    >Here are my access-list lines:


    >access-list lock_down permit icmp 10.10.10.0 255.255.255.0 host 172.16.1.100
    >access-list lock_down permit tcp 10.10.10.0 255.255.255.0 host 172.16.1.100 rq 21015
    >access-group lock_down in interface inside


    I'm going to presume that 'rq' is a typo for 'eq'.


    >Am I right in thinking that this should limit access on the inside
    >interface to port 21015 for the host 172.16.1.100?


    Not always, no.

    >If I telnet to
    >another port, for example, 24079, and run a capture on the inside
    >interface, I see the line "172.16.1.100.24079 > 10.10.10.138.1269".
    >Does this indicate that a packet has been returned from 172.16.1.100?
    >If so, how is this possible with the access-list in place?


    What you omitted in your description is that you are using a PIX,
    not an IOS router. Our clue to that is that you used 255.255.255.0
    as your mask: IOS would use 0.0.0.255 to express the same mask.

    PIX uses an Adaptive Security Algorithm. When a connection is
    permitted in one direction, then the PIX automatically injects
    permission for the return traffic into the beginning of the access
    list for the other direction.

    You permitted telnet from outside to 24079 and started that connection
    from outside, and the PIX read off the source IP and source port
    and automatically added a temporary entry permitting the appropriate
    inside host to return packets to that IP and port.

    >If a packet is denied access because of an access-list is there
    >anything specific in the capture or elsewhere that would tell me?


    Not in the capture. Look at the log messages. Denial via an ACL is
    a level 4 event, so it will appear in the logs if you are set to log
    level 4 or higher (and have the logs turned on.) To see more of the
    gory details, turn up the logging to level 6: that would show up
    the translations being made and the connections being made.
    Walter Roberson, Oct 19, 2006
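The mechanism Walter describes (the interface ACL is consulted only for packets that do not belong to an already-built connection, and the reverse flow is admitted without touching the other direction's ACL) can be modelled in a few dozen lines. The following is an added example, not Cisco code and not part of the thread: it parses Bob's PIX-style lines, rejects the `rq` typo the way the PIX CLI would, shows the netmask-to-wildcard equivalence Walter mentions, and replays the flows. The addresses and ports 21015 and 24079 come from the thread; the outside-interface rule `from_outside`, the client ports 3000, 3001 and 1269, the use of 10.10.10.138 as the inside client, and the log message texts are constructed assumptions (real PIX syslog messages have their own IDs and wording).

```python
"""Toy model of the PIX behaviour described above: an access-list bound inbound
on an interface plus a connection table that admits return traffic before the
ACL is consulted. Added example, not Cisco code; log formats are made up."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int

@dataclass
class Ace:
    action: str
    proto: str
    src_net: ipaddress.IPv4Network
    dst_net: ipaddress.IPv4Network
    dport: Optional[int]  # None means any destination port

    def matches(self, pkt: Packet) -> bool:
        return (self.proto == pkt.proto
                and ipaddress.ip_address(pkt.src) in self.src_net
                and ipaddress.ip_address(pkt.dst) in self.dst_net
                and (self.dport is None or self.dport == pkt.dport))

def netmask_to_wildcard(mask: str) -> str:
    """PIX writes a netmask (255.255.255.0); IOS writes its inverse (0.0.0.255)."""
    return ".".join(str(255 - int(octet)) for octet in mask.split("."))

def _addr(tokens: list) -> ipaddress.IPv4Network:
    """Consume one PIX address spec: 'host A.B.C.D' or 'NETWORK NETMASK'."""
    tok = tokens.pop(0)
    if tok == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    return ipaddress.ip_network(f"{tok}/{tokens.pop(0)}", strict=False)

def parse_pix_ace(line: str) -> Ace:
    """Parse 'access-list NAME permit|deny PROTO SRC DST [eq PORT]'."""
    tokens = line.split()
    action, proto, rest = tokens[2], tokens[3], tokens[4:]
    src, dst = _addr(rest), _addr(rest)
    dport = None
    if rest:
        op = rest.pop(0)
        if op != "eq":  # the 'rq' from the original post is rejected here
            raise ValueError(f"unknown port operator {op!r} in {line!r}")
        dport = int(rest.pop(0))
    return Ace(action, proto, src, dst, dport)

class Firewall:
    def __init__(self):
        self.acls = {}      # interface name -> list of Ace applied inbound
        self.conns = set()  # flow keys, stored in both directions
        self.log = []       # (syslog level, message); constructed wording

    def access_group(self, iface: str, aces: list) -> None:
        self.acls[iface] = aces

    def process(self, pkt: Packet, iface: str) -> str:
        key = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if key in self.conns:  # known connection: the ACL is never consulted
            return "permit"
        for ace in self.acls.get(iface, []):  # first match wins, implicit deny
            if ace.matches(pkt):
                if ace.action == "permit":
                    self.conns.add(key)
                    self.conns.add((pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport))
                    self.log.append((6, f"Built {pkt.proto} connection "
                                        f"{pkt.src}/{pkt.sport} -> {pkt.dst}/{pkt.dport}"))
                    return "permit"
                break
        self.log.append((4, f"Deny {pkt.proto} src {iface}:{pkt.src}/{pkt.sport} "
                            f"dst {pkt.dst}/{pkt.dport} by access-group"))
        return "deny"

    def logs_at(self, level: int) -> list:
        return [msg for lvl, msg in self.log if lvl <= level]  # that level and below

def replay_thread_scenario() -> dict:
    # Addresses and ports 21015/24079 are from the thread; the rest is constructed.
    fw = Firewall()
    fw.access_group("inside", [parse_pix_ace(l) for l in (
        "access-list lock_down permit icmp 10.10.10.0 255.255.255.0 host 172.16.1.100",
        "access-list lock_down permit tcp 10.10.10.0 255.255.255.0 host 172.16.1.100 eq 21015")])
    fw.access_group("outside", [parse_pix_ace(
        "access-list from_outside permit tcp host 172.16.1.100 host 10.10.10.138 eq 24079")])
    r = {}
    r["inside_to_21015"] = fw.process(Packet("tcp", "10.10.10.138", 3000, "172.16.1.100", 21015), "inside")
    r["inside_to_24079"] = fw.process(Packet("tcp", "10.10.10.138", 3001, "172.16.1.100", 24079), "inside")
    r["outside_opens_24079"] = fw.process(Packet("tcp", "172.16.1.100", 1269, "10.10.10.138", 24079), "outside")
    r["reply_from_inside"] = fw.process(Packet("tcp", "10.10.10.138", 24079, "172.16.1.100", 1269), "inside")
    r["log_level_4"], r["log_level_6"] = fw.logs_at(4), fw.logs_at(6)
    return r
```

Running `replay_thread_scenario()` shows the two points of the answer side by side: a fresh inside-to-24079 flow is denied by `lock_down` and produces the single level-4 message, while the reply to a connection that was opened from the outside is permitted on the inside interface without `lock_down` ever being evaluated. Raising the logging level to 6 adds the "Built connection" messages, which is the only place the capture-invisible state is visible.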
