Eugene,
When you initiate the telnet connection from R1, are you initiating it from an interface within the 10.0.0.0 subnet to match your access-list 1?

Matt Manire
CCSP, CCNP, CCDP, MCSE 2003 & MCSE 2000
Information Systems Security Manager
[email protected]
t: 817.525.1863 | f: 817.525.1903 | m: 817.271.9165
First Rate | 1903 Ascension Boulevard | Arlington, TX 76006 | www.FirstRate.com <http://www.firstrate.com/>

From: [email protected] [mailto:[email protected]] On Behalf Of Eugene Pefti
Sent: Wednesday, May 30, 2012 5:30 PM
To: [email protected]
Subject: [OSL | CCIE_Security] Help with PAM and ZFW

Guys,

I need a fresh eye on the problem (if it is a problem) I ran into. Testing ZFW with non-standard ports, i.e. Telnet 3020 running on the router.

Host ---(10.0.0.0/24)----- R3 -------- R2

Rotary 20 is configured on the VTY lines of R2.
R1 has the following ZFW and PAM settings:

R3#sh ip port-map telnet
Default mapping:  telnet  tcp  port 23    system defined
Host specific:    telnet  tcp  port 3020  in list 1  user defined

access-list 1 permit 10.0.0.0 0.0.0.255 log    //log is added to see matches

class-map type inspect match-all TELNET-CM
 match protocol telnet
policy-map type inspect A->C-PM
 class type inspect ICMP-CM
  pass log
 class type inspect TELNET-CM
  inspect

Respective interfaces are assigned to zones and zone-pairs are created. I don't show it for brevity as it doesn't relate to the problem.

When I try to telnet to R2 over port 3020 from the Host I fail, i.e. ZFW doesn't match it and drops it by class-default. But when I change access-list 1 to be:

access-list 1 permit any

the situation changes and I can telnet to port 3020. Why is that? Is the standard ACL not supposed to be working on the source address? The IP address of the Host is 10.0.0.100.

Eugene
_______________________________________________
For more information regarding industry leading CCIE Lab training, please visit www.ipexpert.com
Are you a CCNP or CCIE and looking for a job? Check out www.PlatinumPlacement.com
