Solved

Access Rules

Posted on 2012-03-13
Last Modified: 2012-04-24
Hi

The source and destination networks are reachable from each other, but access on port 445 is not possible.

Issue with "bidirectional ACLs". Not quite sure if I understand it.


src-nwk - 172.20.60.x/24, edge rtr - rtrA

destn-nwk - 10.210.1.0/24, edge rtr - rtrB.

The need is to have bidirectional ACLs between the two networks on port 445.

Can you please assist with how these ACLs can be written, where they should be applied and in which direction?
Question by:genseek
9 Comments
 
LVL 17

Expert Comment

by:lruiz52
ID: 37718444
Try something like below (Cisco extended ACLs take wildcard masks, so a /24 is written 0.0.0.255):

RtrA
 access-list 101 permit tcp 10.210.1.0 0.0.0.255 172.20.60.0 0.0.0.255 eq 445

RtrB
 access-list 101 permit tcp 172.20.60.0 0.0.0.255 10.210.1.0 0.0.0.255 eq 445
 
LVL 10

Expert Comment

by:ujitnos
ID: 37718530
If you have configured the rules and you are still not able to access the port, do a telnet.

From the source PC, from the CMD prompt:

telnet <destination ip> 445

If you get a blank screen then the port is open. Now you may need to share a folder/drive to access it.

On the destination PC, from the CMD prompt:

telnet 127.0.0.1 445

If you get a blank screen, that means the system is listening on port 445.
 

Author Comment

by:genseek
ID: 37718585
Thanks for the prompt response.

But telnet to port 445 from src to destn is exactly what is not working.

But telnet is working on port 445 from destn to src.
 
LVL 17

Expert Comment

by:lruiz52
ID: 37718622
If possible, post sanitized configs for both.
 
LVL 10

Expert Comment

by:mat1458
ID: 37719401
RtrA
access-list 101 permit tcp 10.210.1.0 0.0.0.255 172.20.60.0 0.0.0.255 eq 445
access-list 101 permit tcp 10.210.1.0 0.0.0.255 eq 445 172.20.60.0 0.0.0.255

RtrB
access-list 101 permit tcp 172.20.60.0 0.0.0.255 10.210.1.0 0.0.0.255 eq 445
access-list 101 permit tcp 172.20.60.0 0.0.0.255 eq 445 10.210.1.0 0.0.0.255

If this does not work, please provide your current configs.
 

Author Comment

by:genseek
ID: 37728016
What are the 2nd ACLs for in the A and B routers?

access-list 101 permit tcp 10.210.1.0 0.0.0.255 eq 445 172.20.60.0 0.0.0.255

access-list 101 permit tcp 172.20.60.0 0.0.0.255 eq 445 10.210.1.0 0.0.0.255
 
LVL 10

Expert Comment

by:mat1458
ID: 37728264
Access lists do exactly what you tell them to do. Extended IP access lists look at source and destination addresses as well as at source and destination ports. As you want to have the possibility to initiate the sessions from both sides, the source/destination ports can vary. My additional statements cover the situations where the source port is 445, on both sides.
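The point mat1458 makes about source versus destination ports, shown as an added example that is not part of this thread: a small Python model of Cisco extended ACL matching with wildcard masks, run against RtrB's one-line and two-line access-list 101 for a forward SMB connection from 172.20.60.x and for the reply of a session that the 10.210.1.0/24 side initiated. The host addresses, ephemeral ports and packets are constructed for the demo.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Cisco wildcard mask: a 0 bit must match, a 1 bit is 'don't care'."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (b & care)

@dataclass(frozen=True)
class Ace:                       # one "access-list 101 permit tcp ..." entry
    src: str
    src_wc: str
    dst: str
    dst_wc: str
    sport: Optional[int] = None  # 'eq N' placed after the source address
    dport: Optional[int] = None  # 'eq N' placed after the destination address

@dataclass(frozen=True)
class Pkt:                       # constructed TCP packet, one direction only
    src: str
    sport: int
    dst: str
    dport: int

def evaluate(acl: list, pkt: Pkt) -> str:
    """First matching entry wins; every Cisco ACL ends with an implicit deny."""
    for ace in acl:
        if (wildcard_match(pkt.src, ace.src, ace.src_wc)
                and wildcard_match(pkt.dst, ace.dst, ace.dst_wc)
                and ace.sport in (None, pkt.sport)
                and ace.dport in (None, pkt.dport)):
            return "permit"
    return "deny"

NET_A, NET_B, WC = "172.20.60.0", "10.210.1.0", "0.0.0.255"
# RtrB as in lruiz52's post: only packets *to* port 445 are permitted
RTRB_ONE_LINE = [Ace(NET_A, WC, NET_B, WC, dport=445)]
# RtrB as in mat1458's post: packets *from* port 445 (replies) are permitted too
RTRB_BOTH = RTRB_ONE_LINE + [Ace(NET_A, WC, NET_B, WC, sport=445)]

FORWARD_SYN = Pkt("172.20.60.5", 51000, "10.210.1.20", 445)   # A -> B share
RETURN_SYNACK = Pkt("172.20.60.9", 445, "10.210.1.7", 49152)  # reply to B -> A

def verdicts(acl: list):
    return evaluate(acl, FORWARD_SYN), evaluate(acl, RETURN_SYNACK)

if __name__ == "__main__":
    print(verdicts(RTRB_ONE_LINE))  # ('permit', 'deny')
    print(verdicts(RTRB_BOTH))      # ('permit', 'permit')
    # 255.255.255.0 read as a wildcard only checks the last octet, so hosts do not match
    print(wildcard_match("10.210.1.20", NET_B, "255.255.255.0"))  # False
```

Matching on a source port of 445 admits any packet carrying that source port, whatever the TCP state; the `established` keyword (ACK or RST set) or a stateful feature such as a reflexive ACL is the tighter way to admit return traffic.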
 
LVL 5

Accepted Solution

by:Feroz Ahmed (earned 500 total points)
ID: 37828343
Hi,

I will give you a brief description of telnetting behind a firewall: from outside to inside, inside to outside, inside to DMZ, DMZ to inside, DMZ to outside and outside to DMZ. Here is the configuration for telnetting:

R1 ------- outside Router
R2 ------- inside Router
R3 ------- DMZ Router

Now, to telnet from the inside to the outside network, the configuration should be as below on R1, R2 and the ASA.

R1 Configuration (outside Router)

R1#conf t
R1(config)#line vty 0 4
R1(config-line)#privilege level 15
R1(config-line)#password xyz
R1(config-line)#login
R1(config-line)#exit
R1(config)#enable password xyz
R1(config)#end

R2 Configuration (inside Router)

R2#conf t
R2(config)#line vty 0 4
R2(config-line)#privilege level 15
R2(config-line)#password xyz
R2(config-line)#login
R2(config-line)#exit
R2(config)#enable password xyz
R2(config)#end

R3 Configuration (DMZ Router)

R3#conf t
R3(config)#line vty 0 4
R3(config-line)#privilege level 15
R3(config-line)#password xyz
R3(config-line)#login
R3(config-line)#exit
R3(config)#enable password xyz
R3(config)#end

ASA Configuration for telnet from inside to outside and vice versa, and from DMZ to inside and vice versa.

ASA(config)#access-list 101 extended permit tcp any any eq telnet
ASA(config)#access-group 101 in interface outside
(for telnetting from inside to outside and from outside to inside)

ASA(config)#access-group 101 in interface dmz
(to telnet from inside to dmz and from dmz to inside; the same access-list 101 is bound to the dmz interface)

Once you apply the above configuration you will be able to telnet from the outside to the inside network.
 

Author Closing Comment

by:genseek
ID: 37890374
Issue resolved.