How2pass.com Forums
ACL QUESTION! QID:NA609

ACL QUESTION! QID:NA609 - cp_19 - 07-15-2010

Hey guys,
I was wondering if someone could help explain the answer to QID:NA609???

I always thought that eq Telnet and eq 22 couldn't go mid ACL statement? Why is the answer SSH is possible but Telnet is not? Please help!

Thanks!  ;D


Re: ACL QUESTION! QID:NA609 - mvsnaniou - 08-02-2010

ssh is a secured shell, where telnet is not a secured one. When you ssh to transfer data between systems, the data will be sent in encrypted form, where the hacker cannot encode or decode it. While you telnet, the data sent between the systems is in alphabetical format (ASCII), where everyone can understand it. Moreover, as per network security, telnet and ftp are prohibited. Always trust SSL-based data transfer.


Re: ACL QUESTION! QID:NA609 - SPGervais - 02-02-2011

The condition statement can go after the source and/or destination in an extended ACL.

Imagine the path an SSH packet will take. It will start from a host in the 172.16.16.0/28 (Yes the "/20" in the image is wrong) with a somewhat random source port and 172.16.48.63 as the destination address and port 22 as the destination port. It will hit ACL 100 on the way into the router and be permitted through by the first line.

On the way back the original source IP and port will now be the destination IP and port and the original destination IP and port will be the source. The packet will then hit ACL 101 and be permitted by the first rule. Then it will finally reach the host.


Same thing again with the Telnet packet except this time at the ACL 100 it will be stopped by the implicit deny statement.
It won't match line one, the packet's port is 23, not 22.
It won't match line two because that line is looking for a SOURCE port of 23 (Telnet), but the source port will be a somewhat random port.

Hope that clears it up.
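The walk-through above, as an added example that is not part of the original thread. The thread never quotes the exam's actual ACL lines, so the ACEs below are an assumption written to match the description (line one tests the destination port 22, line two tests a source port of 23); the host address 172.16.16.5 and the source ports are constructed values.

```python
import ipaddress

# Constructed ACEs (assumption: the thread never quotes the exam's lines, so these
# follow the answer's description). "eq" after the source address tests the SOURCE
# port; "eq" after the destination address tests the DESTINATION port.
ACL_100 = [  # inbound from the hosts' side
    "permit tcp 172.16.16.0 0.0.0.15 host 172.16.48.63 eq 22",
    "permit tcp 172.16.16.0 0.0.0.15 eq 23 host 172.16.48.63",
]
ACL_101 = [  # return direction
    "permit tcp host 172.16.48.63 eq 22 172.16.16.0 0.0.0.15",
]

def _addr(tokens):
    """Consume 'any' | 'host A' | 'A WILDCARD' and an optional 'eq PORT'."""
    tok = tokens.pop(0)
    if tok == "any":
        base, wild = 0, 0xFFFFFFFF
    elif tok == "host":
        base, wild = int(ipaddress.IPv4Address(tokens.pop(0))), 0
    else:
        base = int(ipaddress.IPv4Address(tok))
        wild = int(ipaddress.IPv4Address(tokens.pop(0)))
    port = int(tokens.pop(1)) if tokens[:1] == ["eq"] else None
    if port is not None:
        tokens.pop(0)  # drop the consumed 'eq' keyword
    return base, wild, port

def _hits(spec, ip, port):
    # Cisco wildcard: a 1 bit in the wildcard means "don't care" for that bit.
    base, wild, want = spec
    ip_ok = ((int(ipaddress.IPv4Address(ip)) ^ base) & ~wild & 0xFFFFFFFF) == 0
    return ip_ok and (want is None or want == port)

def evaluate(acl, proto, src_ip, src_port, dst_ip, dst_port):
    """First matching line wins; falling off the end is the implicit deny."""
    for n, line in enumerate(acl, 1):
        tokens = line.split()
        action, ace_proto = tokens.pop(0), tokens.pop(0)
        src, dst = _addr(tokens), _addr(tokens)
        if ace_proto in (proto, "ip") and _hits(src, src_ip, src_port) \
                and _hits(dst, dst_ip, dst_port):
            return action, n
    return "deny", None

def ssh_round_trip(host="172.16.16.5", sport=40000):
    # Request: ACL 100 line 1. Reply: addresses/ports swap, ACL 101 line 1.
    out = evaluate(ACL_100, "tcp", host, sport, "172.16.48.63", 22)
    back = evaluate(ACL_101, "tcp", "172.16.48.63", 22, host, sport)
    return out, back

def telnet_request(host="172.16.16.5", sport=40001):
    # Dest port 23 misses line 1; the random source port misses line 2's "eq 23".
    return evaluate(ACL_100, "tcp", host, sport, "172.16.48.63", 23)
```

Running `ssh_round_trip()` gives a permit from line 1 in both directions, while `telnet_request()` falls through to the implicit deny, which is exactly the split the question is testing.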