Yet another ACL question
| Hopefully a simple one:
Router A serial 0 is connected to the internet.
Router A Ethernet 0 is connected to subnet 200.0.0.0.
I am asked to stop the internet from telnetting to hosts on 200.0.0.0 and vice versa. The list is going to be applied inbound on Serial 0.
My question is which of the following two lists are correct?
access-list 101 deny tcp any 200.0.0.0 0.0.0.255 eq 23
or
access-list 101 deny tcp any eq 23 200.0.0.0 0.0.0.255
I know the first is right. If the second is wrong, why is it? | |
| USHazard 2004-06-25, 10:45 pm |
| the second is wrong because the parameters are in the wrong order. You have to observe correct syntax. | |
| In what way?
The first says "deny access to 200.0.0.0 if the target port is 23" and the second says "if the source port is 23 deny it passage to 200.0.0.0".
I'm not saying you're wrong, but I need to understand why they don't both do exactly the same thing. I'd also like a second opinion on whether the syntax is wrong or not, because I was sure that you could block source ports too. | |
| That site says that the syntax I have used in the second example (blocking source port) is right, but it doesn't answer my question as to whether they both do exactly the same thing or not. | |
| USHazard 2004-06-26, 10:28 am |
| Looks like you're right (it's valid), but it will not be on the CCNA. That's what this forum is, remember.
Plus, they're not exactly the same because a client can specify any destination port they want. As long as there is a daemon running on that port on the destination, the connection can still be made. | |
| Thanks. Your second paragraph there is what I wanted to know all along.
Reassuring to know it won't be on the CCNA either. | |
| repentantvoter 2004-06-26, 10:35 am |
| quote: Originally posted by syzz
That site says that the syntax I have used in the second example (blocking source port) is right, but it doesn't answer my question as to whether they both do exactly the same thing or not.
Both are correct syntactically, but they accomplish different things. To better understand it, it's useful to take a look at the TCP header, which starts with two 16-bit numbers that are the source and destination port, respectively. Your first access list says "match if destination port is 23"; the source port may be any number. The second access list says "match if source port is 23"; the destination port may be any number.
HTH | |
| Tophat 2004-06-26, 12:35 pm |
| I think it's been said a couple of times, but I will try to sum it up for all.
http://csrc.nist.gov/publications/nistpubs/800-10/node20.html
The link shows the telnet process as it relates to the ports. The second ACL would not work because you will only ever be certain about the destination port, which is 23 in this case. You will need to block all traffic destined for port 23 inbound on s0 and outbound on s0 (just to be on the safe side). | |
| Thanks Tophat and repentantvoter.
quote: Originally posted by Tophat
You will need to block all traffic destined for port 23 inbound on s0 and outbound on s0 (just to be on the safe side).
That's another important point I'd like clearing up. In Wendell Odom's book, he says that applying it in one direction is sufficient because it blocks the flow of traffic.
Does anyone know for sure what view the CCNA takes on precisely what is required to stop someone getting in and someone getting out? | |
| repentantvoter 2004-06-26, 2:17 pm |
| quote: Originally posted by syzz
I am asked to stop the internet from telnetting to hosts on 200.0.0.0 and vice versa. The list is going to be applied inbound on Serial 0.
Actually, to completely solve your problem, you need to put both statements in access-list 101 on your router, and apply access-list 101 inbound on serial 0.
The first statement denies internet clients access to intranet servers; the clients' requests will come in with destination port 23, and that will trigger the first rule.
The second statement will prevent internet servers' responses from making it back to intranet clients. You will be able to initiate a telnet session from your intranet, the packets from client to server will go through, then the server's answer will come back with a source port of 23, and that will trigger the second rule.
HTH | |
| Tophat 2004-06-26, 2:50 pm |
| repentantvoter is not correct. A telnet client will never send a packet with a source port number of 23. They are always above 1024. Therefore the second ACL will never be correct.
I will need to test in a lab how to manipulate a telnet session to enable some commands to make it through before the ACKs are blocked. Since telnet is based on TCP you will not be able to have a very long one-way session, but you may be able to send enough commands to do damage. With that in mind, you will most likely need to differentiate between the real world and the CCNA, where in the CCNA you can get away with just blocking it one way, while in the real world you will most likely block them both ways.
I also looked at the original question and it said: I am asked to stop the internet from telnetting to hosts on 200.0.0.0 and vice versa. This kind of makes our discussion moot, since you want to block the telnet traffic from e0 to the world as well. Therefore you will need to use ACL 101 on the inbound and ACL 102 on the outbound of s0.
access-list 101 deny tcp any 200.0.0.0 0.0.0.255 eq 23
access-list 102 deny tcp 200.0.0.0 0.0.0.255 any eq 23
note: putting the 102 on the outbound of s0 will allow the hosts to telnet to the router and other subnets on the router, just not the internet which is connected to s0... | |
| repentantvoter 2004-06-26, 3:05 pm |
| quote: Originally posted by Tophat
repentantvoter is not correct. A telnet client will never send a packet with a source port number of 23. They are always above 1024. Therefor the second acl will never be correct.
| repentantvoter is correct, sir, if you don't mind. The intranet telnet client will send packets with source port random_number, destination port 23. Those packets will go through, since the only access list in discussion is applied inbound on serial 0. The internet telnet server will dutifully respond with packets with source port 23, destination port random_number. When these packets reach serial 0 they will be dropped because they match the second statement of access-list 101. This is how the vice versa part of the requirement is accomplished. | |
| The vice versa is the important bit and the part that confused me. Thanks repentantvoter for clearing it up. It was important that it be accomplished with a single ACL with no more than 3 lines (the 'permit ip any any' being the third).
I think my initial confusion arose from conflating the denial of a specific port with the denial of one subnet to another and vice versa, which I think is what can be accomplished with one line of an ACL:
So if, as in my example, I wanted to deny 200.0.0.0 all access to the internet and vice versa, the following applied outbound on Serial 0 would accomplish both, because packet flow is stopped:
access-list 1 deny 200.0.0.0 0.0.0.255
Thanks all! | |
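The two behaviours argued over above (the first statement of 101 catching the inbound telnet request, the second catching the server's reply with source port 23, and the standard ACL later in the thread matching on source address only) can be checked mechanically. The following is an added example for this thread, not code from any of the posters and not IOS: a toy first-match evaluator for the numbered ACL lines quoted here. Everything it does not parse (named ports beyond the two listed, `range`, `gt`, `established`, the 1300-1999 standard range) is a deliberate omission, and the host addresses 198.51.100.5 (TEST-NET-2) and 200.0.0.10 are constructed for the simulation. The `permit any` line in the standard ACL is an assumption added to the post's single deny line, because without it IOS's implicit deny would drop every other subnet's traffic too.

```python
"""Toy first-match evaluator for Cisco-style numbered ACLs (standard entries, and
extended TCP entries with 'eq' ports).  Added example for this thread, not IOS code."""
import ipaddress
from collections import namedtuple

PORT_NAMES = {"telnet": 23, "www": 80}   # the few IOS port keywords accepted here

Packet = namedtuple("Packet", "proto src sport dst dport")
# One ACL statement.  src_wc/dst_wc are wildcard masks (1 bits = "don't care");
# sport/dport are None when the statement has no 'eq' operator on that side;
# proto "ip" matches any protocol; text is the original line, reported on a match.
Entry = namedtuple("Entry", "action proto src_net src_wc sport dst_net dst_wc dport text")


def _ip(s):
    return int(ipaddress.IPv4Address(s))


def _parse_addr(tok, i):
    """Consume 'any' | 'host A' | 'A WILDCARD'; return (net, wildcard, next index)."""
    if tok[i] == "any":
        return 0, 0xFFFFFFFF, i + 1
    if tok[i] == "host":
        return _ip(tok[i + 1]), 0, i + 2
    return _ip(tok[i]), _ip(tok[i + 1]), i + 2


def _parse_port(tok, i):
    """Consume an optional 'eq PORT' (numeric or known keyword); return (port, next index)."""
    if i < len(tok) and tok[i] == "eq":
        p = tok[i + 1]
        return (int(p) if p.isdigit() else PORT_NAMES[p]), i + 2
    return None, i


def parse_acl_line(line):
    tok = line.split()
    if tok[0] != "access-list":
        raise ValueError(f"not an access-list line: {line!r}")
    number, action = int(tok[1]), tok[2]
    if number <= 99:   # standard ACL: source address only (1300-1999 range not handled)
        net, wc, _ = _parse_addr(tok, 3)
        return Entry(action, "ip", net, wc, None, 0, 0xFFFFFFFF, None, line)
    snet, swc, i = _parse_addr(tok, 4)        # extended: proto src [eq p] dst [eq p]
    sport, i = _parse_port(tok, i)
    dnet, dwc, i = _parse_addr(tok, i)
    dport, _ = _parse_port(tok, i)
    return Entry(action, tok[3], snet, swc, sport, dnet, dwc, dport, line)


def _in_net(addr, net, wc):
    return (addr | wc) == (net | wc)   # compare only the bits the wildcard leaves unmasked


def entry_matches(e, p):
    return (e.proto in ("ip", p.proto)
            and _in_net(_ip(p.src), e.src_net, e.src_wc)
            and _in_net(_ip(p.dst), e.dst_net, e.dst_wc)
            and (e.sport is None or p.sport == e.sport)
            and (e.dport is None or p.dport == e.dport))


def evaluate(acl, p):
    """Top-to-bottom first match, ending in the implicit deny IOS appends to every ACL."""
    for e in acl:
        if entry_matches(e, p):
            return e.action, e.text
    return "deny", "implicit deny"


ACL_101 = [parse_acl_line(l) for l in (
    "access-list 101 deny tcp any 200.0.0.0 0.0.0.255 eq 23",
    "access-list 101 deny tcp any eq 23 200.0.0.0 0.0.0.255",
    "access-list 101 permit ip any any",
)]
INTERNET, INTRANET = "198.51.100.5", "200.0.0.10"   # constructed hosts (TEST-NET-2 / the post's subnet)


def simulate_inbound_s0():
    """Packets arriving on Serial 0: the only ones ACL 101 sees when applied inbound."""
    request = Packet("tcp", INTERNET, 40000, INTRANET, 23)   # internet client -> intranet telnet server
    reply = Packet("tcp", INTERNET, 23, INTRANET, 51000)     # internet server answering an intranet client
    one_line = [ACL_101[0], ACL_101[2]]                      # what the first statement alone achieves
    return {
        "request": evaluate(ACL_101, request),
        "reply": evaluate(ACL_101, reply),
        "reply_one_line": evaluate(one_line, reply),
    }


def simulate_standard_outbound_s0():
    """The standard ACL from later in the thread, applied outbound on Serial 0."""
    acl_1 = [parse_acl_line(l) for l in (
        "access-list 1 deny 200.0.0.0 0.0.0.255",
        "access-list 1 permit any",   # assumed line: without it the implicit deny drops every other subnet too
    )]
    return {
        "intranet_to_internet": evaluate(acl_1, Packet("tcp", INTRANET, 51000, INTERNET, 23)),
        "other_subnet_to_internet": evaluate(acl_1, Packet("tcp", "10.1.1.7", 51001, INTERNET, 80)),
    }


if __name__ == "__main__":
    for name, (action, rule) in {**simulate_inbound_s0(), **simulate_standard_outbound_s0()}.items():
        print(f"{name:26} {action:6} <- {rule}")
```

Running it shows the request denied by the first statement, the reply denied by the second, and the same reply permitted when only the first statement is present, which is exactly the gap the "vice versa" part of the requirement closes. The standard ACL matches only the packet whose source is in 200.0.0.0/24; a packet from another subnet falls through to the assumed permit.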
| repentantvoter 2004-06-26, 4:00 pm |
| That would do, I guess, but if I had to choose between applying an ACL inbound or outbound (at the border between intranet and internet), I would choose inbound. I just came up with an analogy... Say the intranet is your home, and the internet is the rest of the world. Serial 0 is your front door.
When you apply the ACL outbound, your front door will not let anybody get out, but people can get in, and then cannot get back out.
When you apply the ACL inbound, your front door will not let anybody get in, but people can get out, and then cannot get back in.
The same goes for the telnet. With ACL outbound you cannot start telnet from intranet (cannot get out), but can start telnet from the internet (get in), although it will break immediately because it cannot make the round trip (cannot get back out). With ACL inbound you cannot start telnet from internet (cannot get in), but you can start from intranet (can get out) and it will break on the way back (cannot get back in).
Did you like my analogy?  | |
| I like it and agree with it, but with standard ACLs my option of outbound on Serial 0 is the only one, since anything else would also block internet access for any other networks which may or may not exist on my intranet (out Serial 1 perhaps) and 200.0.0.0's access to those other intranet subnets. I do realise I'm only introducing that variable now though. | |
| repentantvoter 2004-06-26, 4:21 pm |
| That is true, and is better left for another discussion.  | |
| Tophat 2004-06-26, 4:22 pm |
| I stand corrected, I misread my own link... the telnet server will send packets from the server to the client with a source port of 23. |