RE: Access-list question

From: Mas Kato (tealp729@xxxxxxxx)
Date: Tue May 08 2001 - 01:28:21 GMT-3

Unfortunately, reflexive ACLs break non-passive FTP and it also sounds
like he may be limited to an inbound ACL only (reflexive would require
both in and out).

Johnny,

The keyword 'established' looks for the ACK or RST flags in the TCP
header, so I don't think it would be appropriate in this case. Aside
from that, the ACL looks fine for restricting the initiation of FTP to
that single host on that one interface.

Regards,

Mas

-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of adiment@uswest.com
Sent: Monday, May 07, 2001 2:46 PM
To: ccielab@groupstudy.com
Subject: RE: Access-list question

This would be a good one to use a reflexive access list.

-----Original Message-----
From: Johnny Dedon [mailto:johnny.dedon@exodus.net]
Sent: Monday, May 07, 2001 4:24 PM
To: Groupstudy
Subject: Access-list question

If I am asked to only permit ftp sessions if established from a local subnet
and I must use an inbound access-list on that local interface, what would it
look like?

something like this?

access-list 102 permit tcp host 10.10.10.1 gt 1023 199.200.1.0 0.0.0.255 eq ftp established

Remember the question is inbound on the local interface, not inbound on the
internet side.

Johnny Dedon
Senior Staff Consultant
Exodus Professional Services
johnny.dedon@exodus.net
www.exodus.net
**Please read:http://www.groupstudy.com/list/posting.html
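The following is an added illustration of the point Mas makes about the 'established' keyword; it is not part of the thread and not Cisco code. It is a toy evaluator for a Cisco-style extended ACL that models only what the thread discusses: an entry marked 'established' matches a TCP segment when the ACK or RST flag is set, so the very first segment of a session (a bare SYN from the local host) never matches it. The host, subnet and ports are taken from Johnny's example ACL (the wildcard mask 0.0.0.255 is written as /24); the sample segments are constructed for the demonstration.

```python
"""Toy model of a Cisco-style extended ACL with the 'established' keyword.

Added illustration for this mailing-list thread; not Cisco code and not a
full IOS ACL implementation.  It shows why 'established' is the wrong tool
on an ACL applied INBOUND on the local interface: the local client's SYN
carries neither ACK nor RST, so an 'established' entry never permits it and
the session is never initiated.  It also shows that 'established' is a flag
test, not connection tracking: any segment with ACK set matches, whether or
not a handshake happened.
"""
from dataclasses import dataclass
from typing import Optional
import ipaddress


@dataclass(frozen=True)
class Segment:
    """One TCP segment as seen on the interface (constructed sample data)."""
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset  # subset of {"SYN", "ACK", "RST", "FIN", "PSH"}


@dataclass(frozen=True)
class Ace:
    """One access-list entry.  Networks are CIDR; 'host X' is X/32."""
    action: str                    # "permit" or "deny"
    src_net: str
    dst_net: str
    sport_gt: Optional[int] = None  # 'gt N' on the source port, None = any
    dport_eq: Optional[int] = None  # 'eq N' on the destination port, None = any
    established: bool = False       # the 'established' keyword

    def matches(self, seg: Segment) -> bool:
        if ipaddress.ip_address(seg.src) not in ipaddress.ip_network(self.src_net):
            return False
        if ipaddress.ip_address(seg.dst) not in ipaddress.ip_network(self.dst_net):
            return False
        if self.sport_gt is not None and not seg.sport > self.sport_gt:
            return False
        if self.dport_eq is not None and seg.dport != self.dport_eq:
            return False
        # 'established' = "ACK or RST bit set".  No state table is consulted.
        if self.established and not (seg.flags & {"ACK", "RST"}):
            return False
        return True


def evaluate(acl, seg: Segment) -> str:
    """First matching entry wins; every IOS ACL ends with an implicit deny."""
    for ace in acl:
        if ace.matches(seg):
            return ace.action
    return "deny"


FTP = 21

# access-list 102 permit tcp host 10.10.10.1 gt 1023 199.200.1.0 0.0.0.255 eq ftp established
ACL_102_ESTABLISHED = [
    Ace("permit", "10.10.10.1/32", "199.200.1.0/24",
        sport_gt=1023, dport_eq=FTP, established=True),
]
# The same entry without the keyword, i.e. what the thread concludes is appropriate here.
ACL_102_PLAIN = [
    Ace("permit", "10.10.10.1/32", "199.200.1.0/24", sport_gt=1023, dport_eq=FTP),
]

# Constructed samples: traffic arriving INBOUND on the local interface.
SYN = Segment("10.10.10.1", 40000, "199.200.1.5", FTP, frozenset({"SYN"}))
ACK = Segment("10.10.10.1", 40000, "199.200.1.5", FTP, frozenset({"ACK"}))
OTHER_HOST_SYN = Segment("10.10.10.2", 40000, "199.200.1.5", FTP, frozenset({"SYN"}))
# ACK-only segment with no preceding SYN: 'established' still matches it.
ACK_WITHOUT_HANDSHAKE = Segment("10.10.10.1", 50000, "199.200.1.9", FTP, frozenset({"ACK"}))


def ftp_session_outcome(acl):
    """Verdicts for the client's opening SYN and for a later ACK segment."""
    return evaluate(acl, SYN), evaluate(acl, ACK)


if __name__ == "__main__":
    print("with 'established':   SYN/ACK ->", ftp_session_outcome(ACL_102_ESTABLISHED))
    print("without 'established': SYN/ACK ->", ftp_session_outcome(ACL_102_PLAIN))
    print("other local host SYN  ->", evaluate(ACL_102_PLAIN, OTHER_HOST_SYN))
    print("ACK with no handshake, 'established' ->",
          evaluate(ACL_102_ESTABLISHED, ACK_WITHOUT_HANDSHAKE))
```

With the keyword present the client's SYN is denied and the FTP control session can never start, while the plain entry permits the initiation only from 10.10.10.1 and still denies other local hosts, which is the behaviour the thread arrives at. The last sample is the caveat worth remembering about 'established' wherever it is used: it permits any ACK-bearing segment in the matching range with no knowledge of whether a handshake ever happened, so it is a flag filter, not stateful inspection.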



This archive was generated by hypermail 2.1.4 : Thu Jun 13 2002 - 10:30:36 GMT-3