
Does ACL check packets originated from the router itself?


hadel (Technical User), Aug 17, 2003
My question, as in the title:
Does an ACL check packets originating from the router itself, or only traffic passing through the router?

Cisco uses the term "routed packets" in describing the packets challenged by an access list. Does it mean only packets that pass through the router to be routed?

Meaning, if I have an outgoing access list applied on one interface that prevents telnet, and I telnet from this router itself to some other router on the other end of this interface, will it be permitted or denied?

Thanks guys
 
The answer is yes. The router will allow itself to telnet to the next hop, but a client on another segment coming inbound to that router will be stopped.



Example,
Workstation - (you)
|
|
eth0
|
|
2501-----ser0-----2511---eth0-----INTERNET

2501 CONFIG
===========
! Extended ACL 101: block telnet (TCP port 23), allow everything else
ip access-list extended 101
 deny tcp any any eq 23
 permit ip any any
!
! Apply it outbound on the serial link toward the 2511
interface serial 0
 ip access-group 101 out

In the example above,
You are seated at the workstation on the Ethernet segment. If you are connected (console (tty) or vty) to the 2501 and telnet to the 2511, you will succeed. If you telnet to the 2511 from the command prompt on the workstation, you will fail.

You are correct in your definition of "Routed Traffic."

A packet originating from the router is just that. A packet that was received on an incoming interface is considered routed and will be challenged.


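To make the distinction in the answer above concrete, here is an added example (not from the original thread or from Cisco) that simulates first-match evaluation of the extended ACL in the 2501 config and applies it the way IOS does: an outbound ACL is checked only against routed (transit) packets, while packets the router generates itself bypass it. The same evaluator, applied inbound on the remote router (the alternative hadel asks about in the next post), does catch the router's own telnet. The addresses (workstation 192.168.1.10, 2501 serial 10.0.0.1, 2511 serial 10.0.0.2), the `Packet` fields and the `locally_originated` flag are constructed for the simulation; only destination-port `eq` matches are modelled.

```python
"""Simulate a Cisco-style extended ACL applied outbound on an interface and
show why router-originated traffic is not filtered while routed traffic is."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

PROTO_NUMBERS = {"ip": None, "tcp": 6, "udp": 17, "icmp": 1}  # None = any protocol
PORT_NAMES = {"telnet": 23, "ssh": 22, "www": 80}


@dataclass
class Packet:
    proto: int                 # IP protocol number (6 = TCP)
    src: str
    dst: str
    dport: Optional[int] = None
    locally_originated: bool = False   # True when the router itself generated it (constructed flag)


@dataclass
class Ace:
    """One access-list entry, e.g. 'deny tcp any any eq 23'."""
    action: str
    proto: Optional[int]
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]

    def matches(self, pkt: Packet) -> bool:
        if self.proto is not None and self.proto != pkt.proto:
            return False
        if ipaddress.ip_address(pkt.src) not in self.src:
            return False
        if ipaddress.ip_address(pkt.dst) not in self.dst:
            return False
        if self.dport is not None and self.dport != pkt.dport:
            return False
        return True


def _parse_addr(tokens, i):
    """Parse 'any', 'host A.B.C.D', or 'A.B.C.D WILDCARD' starting at tokens[i]."""
    tok = tokens[i]
    if tok == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), i + 1
    if tok == "host":
        return ipaddress.IPv4Network(tokens[i + 1] + "/32"), i + 2
    # A Cisco wildcard mask is an inverse mask; ipaddress accepts it as a hostmask.
    return ipaddress.IPv4Network((tok, tokens[i + 1]), strict=False), i + 2


def parse_ace(line: str) -> Ace:
    tokens = line.split()
    action, proto_name = tokens[0], tokens[1]
    if action not in ("permit", "deny") or proto_name not in PROTO_NUMBERS:
        raise ValueError(f"unsupported ACE: {line!r}")
    proto = PROTO_NUMBERS[proto_name]
    src, i = _parse_addr(tokens, 2)
    dst, i = _parse_addr(tokens, i)
    dport = None
    if i < len(tokens):
        # Only 'eq <port>' on the destination is modelled here.
        if tokens[i] != "eq" or proto not in (6, 17):
            raise ValueError(f"unsupported port match in: {line!r}")
        port = tokens[i + 1]
        dport = PORT_NAMES[port] if port in PORT_NAMES else int(port)
    return Ace(action, proto, src, dst, dport)


class ExtendedAcl:
    def __init__(self, entries):
        self.entries = [parse_ace(e) for e in entries]

    def evaluate(self, pkt: Packet) -> str:
        """First matching entry wins; every ACL ends with an implicit 'deny ip any any'."""
        for ace in self.entries:
            if ace.matches(pkt):
                return ace.action
        return "deny"


def outbound_filter(acl: ExtendedAcl, pkt: Packet) -> str:
    """Outbound ACLs are applied to routed packets only: traffic the router
    originates itself (telnet from its own CLI) is forwarded without a check."""
    if pkt.locally_originated:
        return "permit"
    return acl.evaluate(pkt)


def inbound_filter(acl: ExtendedAcl, pkt: Packet) -> str:
    """Inbound ACLs see every packet arriving on the interface, including
    packets addressed to the router itself, so an ACL on the far router's
    serial 0 'in' does stop the 2501's own telnet."""
    return acl.evaluate(pkt)


# ACL 101 from the 2501 config in the thread.
ACL_101 = ExtendedAcl(["deny tcp any any eq 23", "permit ip any any"])

# Constructed traffic for the thread's topology (addresses are assumptions).
WORKSTATION_TELNET = Packet(6, "192.168.1.10", "10.0.0.2", 23)
WORKSTATION_HTTP = Packet(6, "192.168.1.10", "10.0.0.2", 80)
ROUTER_TELNET = Packet(6, "10.0.0.1", "10.0.0.2", 23, locally_originated=True)

if __name__ == "__main__":
    print("2501 ser0 out, workstation telnet :", outbound_filter(ACL_101, WORKSTATION_TELNET))
    print("2501 ser0 out, workstation http   :", outbound_filter(ACL_101, WORKSTATION_HTTP))
    print("2501 ser0 out, router's own telnet:", outbound_filter(ACL_101, ROUTER_TELNET))
    print("2511 ser0 in,  router's own telnet:", inbound_filter(ACL_101, ROUTER_TELNET))
```

Running it prints deny, permit, permit, deny in that order: the workstation's telnet is dropped at the 2501's serial 0, the 2501's own telnet leaves unchecked, and only an inbound ACL on the 2511 catches it.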
 
Thanks Syty for this bullseye answer. I have another question for you. Is there a way to do it other than preventing telnet on the inbound of the remote router?

Thanks again man
Hazem
 
Well, for one, if you are truly trying to prevent vty access to the remote router, console into the remote router and issue these commands:

conf t
line vty 0 4        ! could be more than 5 lines, then 0 8, etc.
 no password
 login

This will disable vty capability on the router. Then you would have to have physical access to it to configure it. No password and a forced login will give an error of no password set and terminate the session.


If you really want to keep them out and have a laugh, put NAT on the remote router and then redirect all inbound port 23 traffic destined for the connected interface to a web server on port 80, with a web page that states: "Some people get away with anything; now you know you aren't one of them....."

Then put in another redirection for some random high port like 3333 and redirect it to port 23 on another of its own interfaces. They would have to use a port scanner on the router to find it, but when you need it, telnet ip address:3333 ....

 
You are the man to ask ........ Thanks a million
 