Solved

Access Rules

Posted on 2012-03-13
402 Views
Last Modified: 2012-04-24
Hi

The source and destination networks are reachable from each other, but I am not able to access port 445.

The issue is with "bidirectional ACLs". I am not quite sure I understand it.


src-nwk - 172.20.60.x/24, edge rtr - rtrA

destn-nwk - 10.210.1.0/24, edge rtr - rtrB.

The need is to have bidirectional ACLs between the two networks on port 445.

Can you please assist with how these ACLs can be written, where they should be applied, and in "which" direction?
0
Question by:genseek
9 Comments
 
LVL 17

Expert Comment

by:lruiz52
ID: 37718444
Try something like the below:

RtrA
 access-list 101 remark SMB (TCP 445) from destn-nwk to src-nwk; IOS takes a wildcard mask (0.0.0.255), not a subnet mask
 access-list 101 permit tcp 10.210.1.0 0.0.0.255 172.20.60.0 0.0.0.255 eq 445

RtrB
 access-list 101 remark SMB (TCP 445) from src-nwk to destn-nwk
 access-list 101 permit tcp 172.20.60.0 0.0.0.255 10.210.1.0 0.0.0.255 eq 445
0
 
LVL 10

Expert Comment

by:ujitnos
ID: 37718530
If you have configured the rules and you are still not able to access the port, do a telnet.

From the source PC, from a CMD prompt:

telnet <destination ip> 445

If you get a blank screen then the port is open. Now you may need to share a folder/drive to access it.

On the destination PC, from a CMD prompt:

telnet 127.0.0.1 445

If you get a blank screen, that means the system is listening on port 445.
0
 

Author Comment

by:genseek
ID: 37718585
Thanks for the prompt response.

But telnet to port 445 from src to destn is exactly what is not working.

Telnet is working on port 445 from destn to src.
0
 
LVL 17

Expert Comment

by:lruiz52
ID: 37718622
If possible, post sanitized configs for both.
0
 
LVL 10

Expert Comment

by:mat1458
ID: 37719401
RtrA
access-list 101 remark sessions initiated from destn-nwk to src-nwk on TCP 445
access-list 101 permit tcp 10.210.1.0 0.0.0.255 172.20.60.0 0.0.0.255 eq 445
access-list 101 remark return traffic of sessions initiated from src-nwk (source port 445)
access-list 101 permit tcp 10.210.1.0 0.0.0.255 eq 445 172.20.60.0 0.0.0.255

RtrB
access-list 101 remark sessions initiated from src-nwk to destn-nwk on TCP 445
access-list 101 permit tcp 172.20.60.0 0.0.0.255 10.210.1.0 0.0.0.255 eq 445
access-list 101 remark return traffic of sessions initiated from destn-nwk (source port 445)
access-list 101 permit tcp 172.20.60.0 0.0.0.255 eq 445 10.210.1.0 0.0.0.255

If this does not work, please provide your current configs.
0
 

Author Comment

by:genseek
ID: 37728016
What are the 2nd ACLs for in the A and B routers?

access-list 101 permit tcp 10.210.1.0 0.0.0.255 eq 445 172.20.60.0 0.0.0.255


access-list 101 permit tcp 172.20.60.0 0.0.0.255 eq 445 10.210.1.0 0.0.0.255
0
 
LVL 10

Expert Comment

by:mat1458
ID: 37728264
Access lists do exactly what you tell them to do. Extended IP access lists look at the source and destination addresses as well as the source and destination ports. As you want the possibility to initiate the sessions from both sides, the source/destination ports can vary. My additional statements cover the situations where the source port is 445 on either side.
0
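An added example, not from any of the posts above: a small evaluator of IOS extended-ACL matching (wildcard masks plus source/destination port, first match wins, implicit deny at the end) run against the two-entry list as it would sit inbound on RtrA's interface facing 10.210.1.0/24. The networks and port 445 are the thread's; the host addresses and ephemeral ports are constructed.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """IOS wildcard semantics: a 0 bit must equal the base, a 1 bit is 'don't care'."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a & ~w) == (b & ~w)


@dataclass(frozen=True)
class Ace:
    action: str                 # "permit" or "deny"
    src: str
    src_wc: str
    dst: str
    dst_wc: str
    sport: Optional[int] = None  # "eq N" written after the source address; None = any
    dport: Optional[int] = None  # "eq N" written after the destination address


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int


def matches(ace: Ace, p: Packet) -> bool:
    return (wildcard_match(p.src, ace.src, ace.src_wc)
            and wildcard_match(p.dst, ace.dst, ace.dst_wc)
            and ace.sport in (None, p.sport)
            and ace.dport in (None, p.dport))


def evaluate(acl: List[Ace], p: Packet) -> str:
    """First matching entry decides; every IOS ACL ends with an implicit deny."""
    for ace in acl:
        if matches(ace, p):
            return ace.action
    return "deny"


# RtrA access-list 101, inbound on the interface facing 10.210.1.0/24 (wildcard 0.0.0.255).
RTRA_101 = [
    Ace("permit", "10.210.1.0", "0.0.0.255", "172.20.60.0", "0.0.0.255", dport=445),  # sessions opened from destn-nwk
    Ace("permit", "10.210.1.0", "0.0.0.255", "172.20.60.0", "0.0.0.255", sport=445),  # replies to sessions opened from src-nwk
]


def demo() -> Tuple[str, str, str]:
    syn_from_destn = Packet("10.210.1.5", "172.20.60.10", 51000, 445)   # constructed SMB connection attempt
    reply_to_src = Packet("10.210.1.5", "172.20.60.10", 445, 52000)     # constructed reply to a session from src-nwk
    other_service = Packet("10.210.1.5", "172.20.60.10", 51001, 3389)   # constructed; hits the implicit deny
    return (evaluate(RTRA_101, syn_from_destn), evaluate(RTRA_101, reply_to_src), evaluate(RTRA_101, other_service))
```

Swapping the wildcard for a subnet mask (255.255.255.0) shows why that form is wrong: `wildcard_match` then ignores the first three octets and insists the last octet be 0, so a real host such as 10.210.1.5 never matches while unrelated networks do.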
 
LVL 5

Accepted Solution

by:
Feroz Ahmed earned 500 total points
ID: 37828343
Hi,

I will give you a brief description of telnetting behind a firewall: from outside to inside, inside to outside, inside to DMZ, DMZ to inside, DMZ to outside and outside to DMZ. Here is the configuration for telnetting:

R1------outside Router
R2-------Inside Router
R3-------DMZ Router.

Now, to telnet from the inside to the outside network, the configuration should be as below on R1, R2 and the ASA.

R1 Configuration (outside Router)

R1#conf t
R1(config)#line vty 0 4
R1(config-line)#privilege level 15
R1(config-line)#password xyz
R1(config-line)#exit
R1(config)#enable password xyz
R1(config)#end

R2 Configuration (Inside Router)

R2#conf t
R2(config)#line vty 0 4
R2(config-line)#privilege level 15
R2(config-line)#password xyz
R2(config-line)#exit
R2(config)#enable password xyz
R2(config)#end

R3 (DMZ Router)

R3#conf t
R3(config)#line vty 0 4
R3(config-line)#privilege level 15
R3(config-line)#password xyz
R3(config-line)#exit
R3(config)#enable password xyz
R3(config)#end

ASA Configuration for telnet from inside to outside and vice versa, and DMZ to inside and vice versa.

ASA(config)#access-list 101 permit tcp any any eq telnet
ASA(config)#access-group 101 in interface outside (for telnetting from inside to outside and outside to inside)

ASA(config)#access-list 101 permit tcp any any eq telnet
ASA(config)#access-group 101 in interface dmz (to telnet from inside to DMZ and DMZ to inside)

Once you have applied the above configuration you will be able to telnet from the outside to the inside network.
0
 

Author Closing Comment

by:genseek
ID: 37890374
Issue resolved.
0
