Solved

Access Rules

Posted on 2012-03-13
405 Views
Last Modified: 2012-04-24
Hi

The src and destination networks are reachable from each other, but they are not able to access each other on port 445.

Issue with "bidirectional ACLs". Not quite sure if I understand it.


src-nwk - 172.20.60.x/24, edge rtr - rtrA

destn-nwk - 10.210.1.0/24, edge rtr - rtrB.

The need is to have bidirectional ACLs between the two networks on port 445.

Can you please assist with how these ACLs can be written, where they should be applied, and in "which" direction?
0
Comment
Question by:genseek
9 Comments
 
LVL 17

Expert Comment

by:lruiz52
ID: 37718444
Try something like below;

RtrA
 access-list 101 permit tcp 10.210.1.0 255.255.255.0 172.20.60.0 255.255.255.0 eq 445

RtrB
 access-list 101 permit tcp 172.20.60.0 255.255.255.0 10.210.1.0 255.255.255.0 eq 445
0
 
LVL 10

Expert Comment

by:ujitnos
ID: 37718530
If you have configured the rules and you are still not able to access the port, try a telnet test.

From the source PC, at the CMD prompt:

telnet <destination ip> 445

If you get a blank screen then the port is open. Now you may need to share a folder/drive to access it.

On the destination PC, at the CMD prompt:

telnet 127.0.0.1 445

If you get a blank screen that means that the system is listening on port 445.
0
 

Author Comment

by:genseek
ID: 37718585
Thanks for the prompt response.

But telnet to port 445 from src to destn is exactly what is not working.

But telnet is working on port 445 from destn to src.
0
 
LVL 17

Expert Comment

by:lruiz52
ID: 37718622
If possible, post sanitized configs for both.
0
 
LVL 10

Expert Comment

by:mat1458
ID: 37719401
RtrA
access-list 101 permit tcp 10.210.1.0 255.255.255.0 172.20.60.0 255.255.255.0 eq 445
access-list 101 permit tcp 10.210.1.0 255.255.255.0 eq 445 172.20.60.0 255.255.255.0

RtrB
access-list 101 permit tcp 172.20.60.0 255.255.255.0 10.210.1.0 255.255.255.0 eq 445
access-list 101 permit tcp 172.20.60.0 255.255.255.0 eq 445 10.210.1.0 255.255.255.0

If this does not work please provide your current configs.
0
 

Author Comment

by:genseek
ID: 37728016
What are the 2nd ACLs for in the A and B routers?

access-list 101 permit tcp 10.210.1.0 255.255.255.0 eq 445 172.20.60.0 255.255.255.0


access-list 101 permit tcp 172.20.60.0 255.255.255.0 eq 445 10.210.1.0 255.255.255.0
0
 
LVL 10

Expert Comment

by:mat1458
ID: 37728264
Access lists do exactly what you tell them to do. Extended IP access lists look at source and destination addresses as well as at source and destination ports. As you want to have the possibility to initiate the sessions from both sides, the source/destination ports can vary. My additional statements cover the situations where the source port is 445 on both sides.
0
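To see why the second entry matters for sessions opened from src-nwk toward destn-nwk, here is an added Python simulator (not code from the thread) that evaluates Cisco-style extended ACL entries against constructed packets. It assumes the RtrA entries are applied to traffic arriving at RtrA from destn-nwk, and it uses the wildcard mask 0.0.0.255 that IOS extended ACLs expect in place of the 255.255.255.0 shown in the posts.

```python
import ipaddress

def _match(addr, net, wild):
    # Cisco wildcard mask semantics: 0 bits must match, 1 bits are "don't care".
    a, n, w = (int(ipaddress.IPv4Address(x)) for x in (addr, net, wild))
    return (a & ~w & 0xFFFFFFFF) == (n & ~w & 0xFFFFFFFF)

def parse_ace(line):
    """Parse one extended ACE: access-list N permit|deny tcp SRC WILD [eq P] DST WILD [eq P]."""
    t = line.split()
    if t[0] != "access-list" or t[2] not in ("permit", "deny") or t[3] != "tcp":
        raise ValueError("only 'access-list N permit|deny tcp ...' entries are supported")
    ace, i = {"action": t[2]}, 4
    for side in ("src", "dst"):
        ace[side] = (t[i], t[i + 1])
        i += 2
        ace[side + "_port"] = None
        if i < len(t) and t[i] == "eq":       # optional port qualifier on this side
            ace[side + "_port"] = int(t[i + 1])
            i += 2
    return ace

def evaluate(acl, pkt):
    """First matching entry wins; an unmatched packet hits the implicit deny, as in IOS."""
    for ace in acl:
        if (_match(pkt["src"], *ace["src"]) and _match(pkt["dst"], *ace["dst"])
                and ace["src_port"] in (None, pkt["sport"])
                and ace["dst_port"] in (None, pkt["dport"])):
            return ace["action"]
    return "deny"

# The RtrA entries from the thread, assumed applied to traffic arriving from destn-nwk,
# rewritten with wildcard masks (0.0.0.255) in place of 255.255.255.0.
RTR_A_ONE_WAY = [parse_ace("access-list 101 permit tcp 10.210.1.0 0.0.0.255 172.20.60.0 0.0.0.255 eq 445")]
RTR_A_BOTH = RTR_A_ONE_WAY + [
    parse_ace("access-list 101 permit tcp 10.210.1.0 0.0.0.255 eq 445 172.20.60.0 0.0.0.255")]

# Constructed sample packets (hosts and ephemeral ports are made up, not from the thread).
SYN_FROM_DESTN = {"src": "10.210.1.10", "sport": 52001, "dst": "172.20.60.20", "dport": 445}
REPLY_TO_SRC = {"src": "10.210.1.10", "sport": 445, "dst": "172.20.60.20", "dport": 52002}

def check():
    """Show why the first entry alone breaks sessions opened from src-nwk toward destn-nwk."""
    return {
        "one_way_syn": evaluate(RTR_A_ONE_WAY, SYN_FROM_DESTN),   # permit: dst port is 445
        "one_way_reply": evaluate(RTR_A_ONE_WAY, REPLY_TO_SRC),   # deny: 445 is the *source* port
        "both_reply": evaluate(RTR_A_BOTH, REPLY_TO_SRC),         # permit via the second entry
    }
```

Note that the second entry admits anything carrying source port 445 to any destination port, which is why the IOS `established` keyword or stateful inspection (reflexive ACLs, CBAC) is the usual way to admit only return traffic.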
 
LVL 5

Accepted Solution

by:Feroz Ahmed (earned 500 total points)
ID: 37828343
Hi,

I will give you a brief description of telnetting behind a firewall: from outside to inside and inside to outside, inside to DMZ and DMZ to inside, and DMZ to outside and outside to DMZ. Here is the configuration for telnetting:

R1------outside Router
R2-------Inside Router
R3-------DMZ Router.

Now, to telnet from the inside to the outside network, the configuration should be as below on R1, R2 and the ASA.

R1 Configuration (outside Router)

R1#conf t
R1(config)#line vty 0 4
R1(config-line)#privilege level 15
R1(config-line)#password xyz
R1(config-line)#exit
R1(config)#enable password xyz

R2 Configuration (Inside Router)

R2#conf t
R2(config)#line vty 0 4
R2(config-line)#privilege level 15
R2(config-line)#password xyz
R2(config-line)#exit
R2(config)#enable password xyz

R3 (DMZ Router)

R3#conf t
R3(config)#line vty 0 4
R3(config-line)#privilege level 15
R3(config-line)#password xyz
R3(config-line)#exit
R3(config)#enable password xyz

ASA configuration for telnet from inside to outside and vice versa, and DMZ to inside and vice versa.

ASA(config)#access-list 101 permit tcp any any eq telnet
ASA(config)#access-group 101 in interface outside  (for telnetting from the inside to the outside and from the outside to the inside interface)

ASA(config)#access-list 101 permit tcp any any eq telnet
ASA(config)#access-group 101 in interface dmz  (to telnet from inside to DMZ and from DMZ to the inside network)

Once you apply the above configuration you will be able to telnet from the outside to the inside network.
0
 

Author Closing Comment

by:genseek
ID: 37890374
Issue resolved.
0
