Re: access-list help

From: Tony Olzak (aolzak@xxxxxxxxxxxxxxxxxxx)
Date: Wed Oct 25 2000 - 22:05:11 GMT-3


Right. I understand all this. I think the author just screwed up on the
objective.

Also, I'm assuming that when I'm in the lab an access-list objective that
states allow a certain kind of traffic means deny all other traffic (except
of course your routing updates). Otherwise, the access-list you gave would
definitely be the answer.

Tony

----- Original Message -----
From: "Rasheim Myers" <ramyers@cisco.com>
To: "Tony Olzak" <aolzak@buckeye-express.com>; "Jack Heney"
<jheneyccie@hotmail.com>; <ccielab@groupstudy.com>
Sent: Wednesday, October 25, 2000 8:41 PM
Subject: RE: access-list help

> I guess I missed the objective of the scenario. I think you stated that FTP
> sessions should only be allowed if established by a host on the router's
> ethernet segment. If this is the scenario, then the access-list will allow
> your established FTP connections through.
>
> Normally you wouldn't itemize your "established" acl lines by port, e.g.
> FTP. The logic is if you are allowing the traffic out in the first place,
> more than likely you want the return packets from the established
> connection.
>
> I apologize if I screwed you up.
>
> -----Original Message-----
> From: Tony Olzak [mailto:aolzak@buckeye-express.com]
> Sent: Wednesday, October 25, 2000 8:26 PM
> To: Jack Heney; ramyers@cisco.com; ccielab@groupstudy.com
> Subject: Re: access-list help
>
>
> Yea, that was a typo. I meant port 21.
>
> Anyway, yes your access-list will allow any established sessions to come
> back in, but it will allow ANY TCP sessions back instead of just FTP.
>
> In response to Jack, the source port will be 21 but the destination will be
> 1024 if that's the port the host used when it initiated the session. Caslow
> has a section on this in the access-list portion of his book.
>
>
> Tony
>
> ----- Original Message -----
> From: "Jack Heney" <jheneyccie@hotmail.com>
> To: <ramyers@cisco.com>; <aolzak@buckeye-express.com>;
> <ccielab@groupstudy.com>
> Sent: Wednesday, October 25, 2000 6:53 PM
> Subject: RE: access-list help
>
>
> > On a somewhat related note, I know FTP uses port 21 for control and port
> > 20 for data. Let's say a host establishes an FTP connection from port 1024
> > to port 21 and requests a file transfer. Is the resultant transfer sourced
> > from or destined for port 20? And if it is sourced from 20, is the
> > destination the same port as the original request (i.e. 1024)?
> > Thanks,
> > jack
> >
> >
> > >From: "Rasheim Myers" <ramyers@cisco.com>
> > >Reply-To: "Rasheim Myers" <ramyers@cisco.com>
> > >To: "Tony Olzak" <aolzak@buckeye-express.com>, <ccielab@groupstudy.com>
> > >Subject: RE: access-list help
> > >Date: Wed, 25 Oct 2000 18:23:33 -0400
> > >
> > >Hi Tony,
> > >
> > >The following inbound access-list line should help solve that problem:
> > >access-list 100 permit tcp any <host ip range> established
> > >note:
> > >I don't think you need the "eq ftp" for this line
> > >
> > >This will allow the "server" that you have established a connection with
> > >to return packets to your hosts. You used the telnet tcp port (23) in your
> > >email. That is probably just a typo. Remember that FTP uses 2 ports (21
> > >and 20).
> > >
> > >I hope this information helps out.
> > > -----Original Message-----
> > > From: nobody@groupstudy.com [mailto:nobody@groupstudy.com]On Behalf Of
> > >Tony Olzak
> > > Sent: Wednesday, October 25, 2000 6:03 PM
> > > To: ccielab@groupstudy.com
> > > Subject: access-list help
> > >
> > >
> > > This should be simple, and I'm probably making this way too difficult,
> > >but how would you go about this access-list?
> > >
> > > This is an inbound access-list on a serial interface. The one line I'm
> > >having trouble with is this:
> > >
> > > FTP sessions are only allowed if established by a host on the router's
> > >ethernet segment.
> > >
> > > OK, that's great. Any host on the ethernet segment will send packets to
> > >port 23, but returning packets will be to whatever port above 1023 that the
> > >host chose to use. If I just say:
> > >
> > > access-list 100 permit tcp any <host ip range> eq ftp established
> > >
> > > This would only allow packets IN that are destined for port 23 and have
> > >the ACK bit. This does me no good because the source host is not using port
> > >23 when trying to initiate an FTP session. If I say to any port greater than
> > >1023, then I'm allowing traffic that was not specified in the lab. Am I way
> > >off here? If so, how do I do this?
> > >
> > > Maybe the author of this practice lab didn't understand this procedure?
> > >
> > > Tony
> >
> >
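The thread above turns on what the IOS `established` keyword actually matches. The following simulator is an added example, not part of the archived thread or of any Cisco code: it models a handful of extended-ACL entries and runs constructed inbound TCP segments through them. The inside network `10.1.1.0/24`, the addresses `192.0.2.10` and `198.51.100.7`, and the port numbers are all made up for the illustration; the three ACLs are Rasheim's `established`-only line, Tony's `eq ftp established` attempt, and a narrower entry that matches only the FTP control channel's return packets (source port 21 to a client port above 1023).

```python
"""Added example: a small simulator of how Cisco IOS extended ACL entries
with the ``established`` keyword match inbound TCP segments.
Addresses, ports and ACL lines below are constructed for illustration."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Packet:
    """One inbound TCP segment as seen on the serial interface."""
    src: str
    sport: int
    dst: str
    dport: int
    ack: bool  # ACK (or RST) bit set; False for the SYN that opens a session


@dataclass(frozen=True)
class AclEntry:
    """Subset of: permit tcp any [eq S] DST [eq D | gt D] [established]."""
    action: str                        # "permit" or "deny"
    dst_net: str                       # e.g. "10.1.1.0/24", or "any"
    src_port_eq: Optional[int] = None  # "eq S" on the source
    dst_port_eq: Optional[int] = None  # "eq D" on the destination
    dst_port_gt: Optional[int] = None  # "gt D" on the destination
    established: bool = False          # IOS: match only if ACK or RST is set

    def matches(self, pkt: Packet) -> bool:
        if self.dst_net != "any" and ip_address(pkt.dst) not in ip_network(self.dst_net):
            return False
        if self.src_port_eq is not None and pkt.sport != self.src_port_eq:
            return False
        if self.dst_port_eq is not None and pkt.dport != self.dst_port_eq:
            return False
        if self.dst_port_gt is not None and not pkt.dport > self.dst_port_gt:
            return False
        if self.established and not pkt.ack:
            return False
        return True


def evaluate(acl, pkt):
    """First matching entry decides; an unmatched packet hits the implicit deny."""
    for entry in acl:
        if entry.matches(pkt):
            return entry.action
    return "deny"


def evaluate_all(acl, packets):
    """Map each named packet to the action the ACL takes on it."""
    return {name: evaluate(acl, pkt) for name, pkt in packets.items()}


INSIDE = "10.1.1.0/24"  # constructed: the router's ethernet segment

# Constructed inbound segments (outside -> inside). 192.0.2.10 is an FTP
# server an inside host connected to; 198.51.100.7 is an unrelated host.
PACKETS = {
    "ftp_control_reply":   Packet("192.0.2.10", 21, "10.1.1.5", 1024, ack=True),
    "ftp_active_data_syn": Packet("192.0.2.10", 20, "10.1.1.5", 1025, ack=False),
    "telnet_reply":        Packet("192.0.2.10", 23, "10.1.1.5", 1026, ack=True),
    "outside_ftp_syn":     Packet("198.51.100.7", 40000, "10.1.1.5", 21, ack=False),
    "outside_ack_to_ftp":  Packet("198.51.100.7", 40000, "10.1.1.5", 21, ack=True),
}

# access-list 100 permit tcp any 10.1.1.0 0.0.0.255 established
ACL_ESTABLISHED = [AclEntry("permit", INSIDE, established=True)]
# access-list 100 permit tcp any 10.1.1.0 0.0.0.255 eq ftp established
ACL_ESTABLISHED_EQ_FTP = [AclEntry("permit", INSIDE, dst_port_eq=21, established=True)]
# access-list 100 permit tcp any eq ftp 10.1.1.0 0.0.0.255 gt 1023 established
ACL_FTP_CONTROL_RETURN = [
    AclEntry("permit", INSIDE, src_port_eq=21, dst_port_gt=1023, established=True)
]

if __name__ == "__main__":
    for label, acl in (("established only", ACL_ESTABLISHED),
                       ("established eq ftp", ACL_ESTABLISHED_EQ_FTP),
                       ("ftp control return", ACL_FTP_CONTROL_RETURN)):
        print(label)
        for name, action in evaluate_all(acl, PACKETS).items():
            print(f"  {action:6} {name}")
```

Running it reproduces the points made in the thread: the `established`-only line passes the FTP control reply but also the telnet reply and any other ACK-flagged TCP segment, while `eq ftp established` never matches the return traffic because replies arrive at the client's high port, not at 21. Two caveats the simulation also makes visible: `established` inspects only the TCP flag bits, so an ACK-flagged segment from an unrelated host toward port 21 is permitted too (stateful features such as reflexive ACLs were later added to IOS to close that gap), and an active-mode data connection is opened by the server from port 20 with a plain SYN, which none of these entries admit.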



This archive was generated by hypermail 2.1.4 : Thu Jun 13 2002 - 08:25:30 GMT-3