Re[4]: CCIE #5335

From: Stanislav Sinyagin (SSinyagin@xxxxxx)
Date: Sun Nov 28 1999 - 15:15:53 GMT-3


Brett Summerville <b_summerville@yahoo.com> wrote:

BS> For those of us who are not CCIE I pose the following
BS> question:

BS> I want to permit one host to establish a www
BS> connection with one of my routers and deny all others
BS> to this same router in a multiprotocol lab
BS> environment. Here is my router's config:

BS> access-list 125 permit tcp host 132.1.35.5 eq www host 132.1.0.6 eq www
BS> access-list 125 deny tcp any eq www host 132.1.0.6 eq www
BS> access-list 125 permit ip any any

In this list, you match the TCP packets with source and destination
ports both 80. Such packets rarely appear in the real world.
Usually, packets destined for a WWW host have destination port 80 and
a source port above 1024, so the right access list should be:

access-list 125 permit tcp host 132.1.35.5 eq www host 132.1.0.6 gt 1024
access-list 125 deny tcp host 132.1.35.5 eq www any
access-list 125 permit ip any any

Just curious -- did you ever have any experience filtering
real-world traffic?

Good luck,
Stan
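The point of the reply is that an extended access list matches each entry against the packet's actual source and destination ports, top to bottom, first match wins, and an HTTP request does not carry port 80 on both ends. The following Python model is an added illustration, not IOS code and not part of either message: it walks a packet through two constructed lists. The first is the list Brett posted; the second is this example's own rendering of the orientation the reply explains for a client request (ephemeral source port, destination port 80) as it would be seen inbound on the router, with the deny entry matching any source so other clients are covered. The packets and their port numbers are constructed sample values.

```python
# Minimal model of Cisco extended ACL evaluation (constructed illustration,
# not IOS code). Entries are checked top to bottom, the first match wins,
# and a list that matches nothing ends in an implicit deny.
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str          # "tcp", "udp", "icmp", ...
    src: str
    dst: str
    sport: int = 0
    dport: int = 0


@dataclass(frozen=True)
class Entry:
    action: str                          # "permit" or "deny"
    proto: str                           # "ip" matches every protocol
    src: str                             # "any" or a host address
    dst: str
    sport: Optional[Tuple[str, int]] = None   # ("eq", 80), ("gt", 1024), ...
    dport: Optional[Tuple[str, int]] = None


def port_match(op: Optional[Tuple[str, int]], port: int) -> bool:
    """No operator means 'any port', as in IOS."""
    if op is None:
        return True
    name, value = op
    ops = {"eq": port == value, "gt": port > value,
           "lt": port < value, "neq": port != value}
    return ops[name]


def addr_match(spec: str, addr: str) -> bool:
    return spec == "any" or spec == addr


def entry_matches(e: Entry, p: Packet) -> bool:
    return (e.proto in ("ip", p.proto)
            and addr_match(e.src, p.src) and addr_match(e.dst, p.dst)
            and port_match(e.sport, p.sport) and port_match(e.dport, p.dport))


def evaluate(acl: List[Entry], p: Packet) -> str:
    """Return the action and the line that decided it, or the implicit deny."""
    for i, e in enumerate(acl, start=1):
        if entry_matches(e, p):
            return f"{e.action} (line {i})"
    return "deny (implicit)"


WWW = 80

# The list as posted: both port operators are 'eq www'.
ORIGINAL_ACL = [
    Entry("permit", "tcp", "132.1.35.5", "132.1.0.6", ("eq", WWW), ("eq", WWW)),
    Entry("deny",   "tcp", "any",        "132.1.0.6", ("eq", WWW), ("eq", WWW)),
    Entry("permit", "ip",  "any",        "any"),
]

# Assumed orientation: the router sees the client's request inbound, so the
# source port is ephemeral (> 1024) and the destination port is 80.
ORIENTED_ACL = [
    Entry("permit", "tcp", "132.1.35.5", "132.1.0.6", ("gt", 1024), ("eq", WWW)),
    Entry("deny",   "tcp", "any",        "132.1.0.6", None,         ("eq", WWW)),
    Entry("permit", "ip",  "any",        "any"),
]

# Constructed sample packets: an HTTP request from the permitted host, one from
# another host, and a telnet attempt that the list is not meant to touch.
ALLOWED_CLIENT = Packet("tcp", "132.1.35.5", "132.1.0.6", 40123, WWW)
OTHER_CLIENT   = Packet("tcp", "132.1.35.9", "132.1.0.6", 51234, WWW)
TELNET         = Packet("tcp", "132.1.35.9", "132.1.0.6", 51235, 23)


if __name__ == "__main__":
    for name, acl in (("original", ORIGINAL_ACL), ("oriented", ORIENTED_ACL)):
        for pkt in (ALLOWED_CLIENT, OTHER_CLIENT, TELNET):
            print(f"{name:8} {pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport}"
                  f"  {evaluate(acl, pkt)}")
```

Run against the posted list, both HTTP requests fall past the first two entries (no real request has source port 80) and hit `permit ip any any`, so the deny never fires; against the oriented list, the permitted host matches line 1, the other host is stopped by line 2, and the telnet packet still reaches line 3. The empty-list case shows the implicit deny that sits under every IOS access list.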



This archive was generated by hypermail 2.1.4 : Thu Jun 13 2002 - 08:21:55 GMT-3