To be clear, there are a lot of options with access lists in IOS. The particular point that struck me was that, when using the TCP option, there is an additional field that isn't used much, or even seen much in the learning material, and I came across it in Wendell Odom's CCIE R&S book.
The question went something like: identify the valid access list that allows only the traffic from a Telnet server. It was phrased as a question about access-group placement and direction, but what it was really asking for was a match on traffic with a TCP source port of 23 heading back to the initiator on any TCP port.
The solution was to put the TCP port specification on the SOURCE, not the DESTINATION. Easy when you are used to seeing it, but I feel it's worth a quick post. Cisco has multiple documents covering its use:
http://www.cisco.com/en/US/products/sw/secursw/ps1018/products_tech_note09186a00800a5b9a.shtml#extacls
http://www.cisco.com/en/US/docs/ios/12_3t/12_3t4/feature/guide/gtaclflg.html#wp1051199
And so on...
The point is easier to see with an example. Instead of the much-used form, which matches client traffic heading to the Telnet port on the server:
access-list 101 permit tcp any 10.0.0.0 0.0.0.255 eq 23
use this form:
access-list 101 permit tcp 10.1.1.0 0.0.0.255 eq telnet 10.1.4.0 0.0.0.255 established
Here "eq telnet" sits in the source position, so the entry matches only segments whose TCP source port is 23, which is exactly the replies a Telnet server sends back to its clients on whatever ephemeral port they chose. The established keyword narrows this further to segments with the ACK or RST bit set, so a new session opened from the server side (a bare SYN with source port 23) is not permitted. Two caveats worth remembering: the match is stateless, so any host in 10.1.1.0/24 that sets source port 23 and the ACK bit on its own packets is also permitted through to any port in 10.1.4.0/24, and the entry only does its job when it is applied on the interface and in the direction where the return traffic is actually seen.
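As an added example, not code from the post or from Cisco: the Python evaluator below models IOS extended TCP ACL entries (wildcard masks, the eq/gt/lt/neq/range port operators and the established keyword) and runs the two lines above against constructed packets for a Telnet session, so you can check which direction each entry permits and see the stateless-match caveat in action. The port-name table, the addresses and the packets are assumptions made for illustration.

```python
# Added example (not from the post or Cisco): a small evaluator for IOS
# extended TCP ACL lines, used to show which direction each of the post's
# two entries permits. Addresses, ports and packets are constructed data.
import ipaddress
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

PORT_NAMES = {"telnet": 23, "ssh": 22, "www": 80, "smtp": 25, "ftp": 21}  # subset (assumed)
PortTest = Optional[Callable[[int], bool]]

@dataclass
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    ack_or_rst: bool = False  # the TCP flags the IOS 'established' keyword inspects

@dataclass
class Ace:
    action: str
    src: Tuple[str, str]  # (address, wildcard mask)
    sport: PortTest
    dst: Tuple[str, str]
    dport: PortTest
    established: bool

def _wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """IOS wildcards are inverse masks: a 1 bit means 'don't care'."""
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    return (int(ipaddress.IPv4Address(addr)) & care) == (int(ipaddress.IPv4Address(base)) & care)

def _port(tok: str) -> int:
    return PORT_NAMES[tok] if tok in PORT_NAMES else int(tok)

def _parse_addr(t: List[str], i: int):
    """Consume 'any', 'host A' or 'A WILDCARD'; return ((addr, wildcard), next index)."""
    if t[i] == "any":
        return ("0.0.0.0", "255.255.255.255"), i + 1
    if t[i] == "host":
        return (t[i + 1], "0.0.0.0"), i + 2
    return (t[i], t[i + 1]), i + 2

def _parse_port(t: List[str], i: int):
    """Consume an optional eq/gt/lt/neq/range operator; (None, i) when absent."""
    if i >= len(t) or t[i] not in ("eq", "gt", "lt", "neq", "range"):
        return None, i
    if t[i] == "range":
        lo, hi = _port(t[i + 1]), _port(t[i + 2])
        return (lambda p: lo <= p <= hi), i + 3
    v = _port(t[i + 1])
    tests = {"eq": lambda p: p == v, "gt": lambda p: p > v,
             "lt": lambda p: p < v, "neq": lambda p: p != v}
    return tests[t[i]], i + 2

def parse_ace(line: str) -> Ace:
    """access-list <n> <permit|deny> tcp <src> [op port] <dst> [op port] [established]"""
    t = line.split()
    if t[0] != "access-list" or t[3] != "tcp":
        raise ValueError("only numbered TCP entries are modelled here")
    src, i = _parse_addr(t, 4)
    sport, i = _parse_port(t, i)
    dst, i = _parse_addr(t, i)
    dport, i = _parse_port(t, i)
    return Ace(t[2], src, sport, dst, dport, "established" in t[i:])

def matches(ace: Ace, pkt: Packet) -> bool:
    return (_wildcard_match(pkt.src, *ace.src)
            and _wildcard_match(pkt.dst, *ace.dst)
            and (ace.sport is None or ace.sport(pkt.sport))
            and (ace.dport is None or ace.dport(pkt.dport))
            and (not ace.established or pkt.ack_or_rst))

def evaluate(acl: List[Ace], pkt: Packet) -> str:
    """First matching entry wins; every IOS ACL ends with an implicit deny."""
    for ace in acl:
        if matches(ace, pkt):
            return ace.action
    return "deny"

# The two entries from the post, parsed from their IOS syntax.
TO_SERVER = [parse_ace("access-list 101 permit tcp any 10.0.0.0 0.0.0.255 eq 23")]
FROM_SERVER = [parse_ace(
    "access-list 101 permit tcp 10.1.1.0 0.0.0.255 eq telnet 10.1.4.0 0.0.0.255 established")]

# Constructed session: client 10.1.4.7 (ephemeral 51000) <-> Telnet server 10.1.1.23.
SAMPLES: Dict[str, Packet] = {
    "client syn": Packet("10.1.4.7", "10.1.1.23", 51000, 23),
    "server reply": Packet("10.1.1.23", "10.1.4.7", 23, 51000, ack_or_rst=True),
    "server-initiated syn": Packet("10.1.1.23", "10.1.4.7", 23, 51000),
    # a host in the server subnet hand-crafting sport 23 + ACK towards an unrelated port
    "spoofed sport 23": Packet("10.1.1.99", "10.1.4.7", 23, 445, ack_or_rst=True),
}

def verdicts(acl: List[Ace]) -> Dict[str, str]:
    return {name: evaluate(acl, pkt) for name, pkt in SAMPLES.items()}

if __name__ == "__main__":
    print(verdicts(FROM_SERVER))
```

Running it shows the second form permitting the server's reply and denying both the client's SYN and a server-initiated SYN, but also permitting the spoofed packet: the evaluator is deliberately as stateless as a router ACL, which is why source-port filtering with established is a convenience rather than a security boundary. Where real return-traffic filtering is needed, a stateful mechanism (reflexive ACLs or the IOS firewall features) is the right tool.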