Access Rules

Posted on 2012-03-13
Last Modified: 2012-04-24
Hi

The source and destination networks are reachable from each other, but access on port 445 is not working.

The issue is with "bidirectional ACLs". I'm not quite sure I understand it.


src-nwk - 172.20.60.x/24, edge rtr - rtrA

destn-nwk - 10.210.1.0/24, edge rtr - rtrB.

Need is to have bidirectional ACLs between the two networks on port 445.

Can you please assist with how these ACLs can be written, and where and in "which" direction they should be applied?
Question by:genseek
9 Comments
LVL 17

Expert Comment

by:lruiz52
ID: 37718444
Try something like below:

RtrA
 ! wildcard mask 0.0.0.255 selects the whole /24 (not a subnet mask)
 access-list 101 permit tcp 10.210.1.0 0.0.0.255 172.20.60.0 0.0.0.255 eq 445

RtrB
 access-list 101 permit tcp 172.20.60.0 0.0.0.255 10.210.1.0 0.0.0.255 eq 445
LVL 10

Expert Comment

by:ujitnos
ID: 37718530
If you have configured the rules and you are still not able to access the port, do a telnet test.

From the source PC, from a CMD prompt:

telnet <destination ip> 445

If you get a blank screen then the port is open. Now you may need to share a folder/drive to access it.

On the destination PC, from a CMD prompt:

telnet 127.0.0.1 445

If you get a blank screen that means that the system is listening on port 445.

Author Comment

by:genseek
ID: 37718585
Thanks for the prompt response.

But telnet to port 445 from src to destn is exactly what is not working.

Telnet on port 445 from destn to src is working.
LVL 17

Expert Comment

by:lruiz52
ID: 37718622
If possible, post sanitized configs for both.
LVL 10

Expert Comment

by:mat1458
ID: 37719401
RtrA
! wildcard masks (0.0.0.255) select the /24; the second line covers traffic sourced from port 445
access-list 101 permit tcp 10.210.1.0 0.0.0.255 172.20.60.0 0.0.0.255 eq 445
access-list 101 permit tcp 10.210.1.0 0.0.0.255 eq 445 172.20.60.0 0.0.0.255

RtrB
access-list 101 permit tcp 172.20.60.0 0.0.0.255 10.210.1.0 0.0.0.255 eq 445
access-list 101 permit tcp 172.20.60.0 0.0.0.255 eq 445 10.210.1.0 0.0.0.255

If this does not work, please provide your current configs.

Author Comment

by:genseek
ID: 37728016
What are the 2nd ACLs for in routers A and B?

access-list 101 permit tcp 10.210.1.0 0.0.0.255 eq 445 172.20.60.0 0.0.0.255

access-list 101 permit tcp 172.20.60.0 0.0.0.255 eq 445 10.210.1.0 0.0.0.255
LVL 10

Expert Comment

by:mat1458
ID: 37728264
Access lists do exactly what you tell them to do. Extended IP access lists look at source and destination addresses as well as source and destination ports. As you want the possibility to initiate the sessions from both sides, the source/destination ports can vary. My additional statements cover the situations where the source port is 445, on both sides.
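As an added illustration of the point above (not code from the thread), a small first-match evaluator for extended-ACL lines written with wildcard masks, run against the RtrA rule set. The rule text, host addresses and the ephemeral port are constructed for the example.

```python
import ipaddress

# Constructed RtrA rule set in Cisco extended-ACL syntax, using wildcard masks
# (0.0.0.255 for a /24). The second line is the "reply" rule: source port 445.
RTRA_ACL = """
access-list 101 permit tcp 10.210.1.0 0.0.0.255 172.20.60.0 0.0.0.255 eq 445
access-list 101 permit tcp 10.210.1.0 0.0.0.255 eq 445 172.20.60.0 0.0.0.255
"""


def parse_rule(line):
    """Parse 'access-list N permit|deny tcp SRC WC [eq P] DST WC [eq P]'."""
    tok = line.split()
    action, proto, rest = tok[2], tok[3], tok[4:]
    src, src_wc, rest = rest[0], rest[1], rest[2:]
    sport = None
    if rest[:1] == ["eq"]:            # optional source port
        sport, rest = int(rest[1]), rest[2:]
    dst, dst_wc, rest = rest[0], rest[1], rest[2:]
    dport = None
    if rest[:1] == ["eq"]:            # optional destination port
        dport = int(rest[1])
    return action, proto, (src, src_wc, sport), (dst, dst_wc, dport)


def addr_matches(addr, base, wildcard):
    """Wildcard semantics: a 1 bit means 'don't care', only 0 bits are compared."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (b & care)


def endpoint_matches(ip, port, spec):
    base, wc, p = spec
    return addr_matches(ip, base, wc) and (p is None or p == port)


def acl_permits(acl_text, proto, sip, sport, dip, dport):
    """First matching entry wins; an implicit 'deny any' sits at the end."""
    for line in acl_text.strip().splitlines():
        action, rproto, s, d = parse_rule(line)
        if rproto != proto:
            continue
        if endpoint_matches(sip, sport, s) and endpoint_matches(dip, dport, d):
            return action == "permit"
    return False
```

A session opened from the 10.210.1.0 side hits the first entry; the replies to a session opened from the 172.20.60.0 side arrive with source port 445 and only match the second entry, which is why dropping it breaks one direction.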
LVL 5

Accepted Solution

by: Feroz Ahmed (earned 1500 total points)
ID: 37828343
Hi,

I will give you a brief description of telnetting behind a firewall: from outside to inside and inside to outside, inside to DMZ and DMZ to inside, and DMZ to outside and outside to DMZ. Here is the configuration for telnetting:

R1------outside Router
R2-------Inside Router
R3-------DMZ Router.

Now to telnet from Inside to outside network the configuration should be as below on R1 and R2 and ASA.

R1 Configuration (outside Router)

R1#configure terminal
R1(config)#line vty 0 4
R1(config-line)#privilege level 15
R1(config-line)#password xyz
R1(config-line)#login
R1(config-line)#exit
R1(config)#enable password xyz
R1(config)#end

R2 Configuration (Inside Router)

R2#configure terminal
R2(config)#line vty 0 4
R2(config-line)#privilege level 15
R2(config-line)#password xyz
R2(config-line)#login
R2(config-line)#exit
R2(config)#enable password xyz
R2(config)#end

R3 (DMZ Router)

R3#configure terminal
R3(config)#line vty 0 4
R3(config-line)#privilege level 15
R3(config-line)#password xyz
R3(config-line)#login
R3(config-line)#exit
R3(config)#enable password xyz
R3(config)#end

ASA configuration for telnet from inside to outside and vice versa, and DMZ to inside and vice versa.

ASA(config)#access-list 101 permit tcp any any eq telnet
ASA(config)#access-group 101 in interface outside  (for telnetting from inside to outside and outside to inside interface)

ASA(config)#access-list 101 permit tcp any any eq telnet
ASA(config)#access-group 101 in interface dmz  (to telnet from inside to dmz and dmz to inside network)

Once you apply the above configuration you will be able to telnet from the outside to the inside network.

Author Closing Comment

by:genseek
ID: 37890374
Issue resolved.