RE: Access-list question

From: Shane Miles (smiles@xxxxxxxxxx)
Date: Wed May 09 2001 - 10:52:10 GMT-3


To cover yourself for passive mode wouldn't you need to add a second line?

access-list 102 permit tcp host 10.10.10.1 gt 1023 199.200.1.0 0.0.0.255 eq ftp
access-list 102 permit tcp host 10.10.10.1 eq ftp-data 199.200.1.0 0.0.0.255 gt 1023

-----Original Message-----
From: Mas Kato [mailto:tealp729@home.com]
Sent: Tuesday, May 08, 2001 12:28 AM
To: adiment@uswest.com; ccielab@groupstudy.com
Subject: RE: Access-list question

Unfortunately, reflexive ACLs break non-passive FTP and it also sounds
like he may be limited to an inbound ACL only (reflexive would require
both in and out).

Johnny,

The keyword 'established' looks for the ACK or RST flags in the TCP
header, so I don't think it would be appropriate in this case. Aside
from that, the ACL looks fine for restricting the initiation of FTP to
that single host on that one interface.

Regards,

Mas

-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of adiment@uswest.com
Sent: Monday, May 07, 2001 2:46 PM
To: ccielab@groupstudy.com
Subject: RE: Access-list question

This would be a good one to use a reflexive access list.

-----Original Message-----
From: Johnny Dedon [mailto:johnny.dedon@exodus.net]
Sent: Monday, May 07, 2001 4:24 PM
To: Groupstudy
Subject: Access-list question

If I am asked to only permit ftp sessions if established from a local subnet and I must use an inbound access-list on that local interface, what would it look like?

something like this?
access-list 102 permit tcp host 10.10.10.1 gt 1023 199.200.1.0 0.0.0.255 eq ftp established

Remember the question is inbound on the local interface not inbound on the internet side.

Johnny Dedon
Senior Staff Consultant
Exodus Professional Services
johnny.dedon@exodus.net
www.exodus.net
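A small matcher, added here as an illustration and not IOS code or anything posted by the thread's participants, that models the extended-ACL semantics the thread turns on: Cisco wildcard masks, the eq/gt/lt port operators, the 'established' keyword (a match only when ACK or RST is set, as Mas describes) and the implicit deny at the end of every list. It runs the three ACL variants quoted in the thread against constructed sample flows seen inbound on the local interface; the server address 199.200.1.5, the client ports and the passive-mode server port are made up.

```python
"""Toy evaluator for Cisco IOS extended-ACL matching (illustration only; not
IOS code). Models wildcard masks, eq/gt/lt port operators, 'established'
(ACK or RST set) and the implicit deny. All packets are constructed samples."""

import ipaddress
from dataclasses import dataclass

PORT_NAMES = {"ftp": 21, "ftp-data": 20}  # the port names used in the thread


@dataclass
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset  # TCP flags set on the segment, e.g. frozenset({"SYN"})


def _port(tok):
    return int(tok) if tok.isdigit() else PORT_NAMES[tok]


def _wildcard_match(addr, base, wildcard):
    # Cisco wildcard mask: a 1 bit means "don't care", so compare only 0 bits.
    a, b = int(ipaddress.IPv4Address(addr)), int(ipaddress.IPv4Address(base))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return a & care == b & care


def _parse_addr(t, i):
    if t[i] == "host":
        return (t[i + 1], "0.0.0.0"), i + 2
    if t[i] == "any":
        return ("0.0.0.0", "255.255.255.255"), i + 1
    return (t[i], t[i + 1]), i + 2


def _parse_port(t, i):
    if i < len(t) and t[i] in ("eq", "gt", "lt"):
        return (t[i], _port(t[i + 1])), i + 2
    return None, i


def parse_ace(line):
    """Parse 'access-list N permit|deny tcp SRC [op port] DST [op port] [established]'."""
    t = line.split()
    src, i = _parse_addr(t, 4)
    sport, i = _parse_port(t, i)
    dst, i = _parse_addr(t, i)
    dport, i = _parse_port(t, i)
    return {"action": t[2], "src": src, "sport": sport, "dst": dst,
            "dport": dport, "established": "established" in t[i:]}


def _port_ok(spec, port):
    if spec is None:
        return True
    op, value = spec
    return {"eq": port == value, "gt": port > value, "lt": port < value}[op]


def ace_matches(ace, pkt):
    return (_wildcard_match(pkt.src, *ace["src"]) and _port_ok(ace["sport"], pkt.sport)
            and _wildcard_match(pkt.dst, *ace["dst"]) and _port_ok(ace["dport"], pkt.dport)
            and (not ace["established"] or bool(pkt.flags & {"ACK", "RST"})))


def evaluate(acl, pkt):
    """First matching entry decides; no match falls through to the implicit deny."""
    for line in acl:
        ace = parse_ace(line)
        if ace_matches(ace, pkt):
            return ace["action"]
    return "deny"


# ACL variants from the thread. Direction: inbound on the local interface, i.e.
# packets leaving 10.10.10.1 toward the 199.200.1.0/24 servers.
WITH_ESTABLISHED = ["access-list 102 permit tcp host 10.10.10.1 gt 1023 199.200.1.0 0.0.0.255 eq ftp established"]
CONTROL_ONLY = ["access-list 102 permit tcp host 10.10.10.1 gt 1023 199.200.1.0 0.0.0.255 eq ftp"]
TWO_LINES = CONTROL_ONLY + ["access-list 102 permit tcp host 10.10.10.1 eq ftp-data 199.200.1.0 0.0.0.255 gt 1023"]

# Constructed sample flows (server address and ports are made up).
SAMPLE_FLOWS = {
    # client opens the control channel: the first segment carries only SYN
    "control_syn": Packet("10.10.10.1", 4000, "199.200.1.5", 21, frozenset({"SYN"})),
    # later control-channel segments carry ACK
    "control_ack": Packet("10.10.10.1", 4000, "199.200.1.5", 21, frozenset({"ACK"})),
    # passive mode: client opens the data channel to a high port the server announced
    "passive_data_syn": Packet("10.10.10.1", 4001, "199.200.1.5", 50000, frozenset({"SYN"})),
    # active mode: server connected from port 20 to the client; this is the client's SYN/ACK back
    "active_data_synack": Packet("10.10.10.1", 4002, "199.200.1.5", 20, frozenset({"SYN", "ACK"})),
}


def results(acl):
    """Decision for every sample flow, keyed by flow name."""
    return {name: evaluate(acl, pkt) for name, pkt in SAMPLE_FLOWS.items()}
```

Calling `results()` on the three variants shows the point Mas makes: with 'established' the client's opening SYN carries no ACK, so it falls through to the implicit deny and the control channel never starts, while the same line without the keyword permits it. It also shows what each entry admits for the data channel: in this model neither entry of the two-line variant matches the passive-mode data SYN (client port above 1023 to server port above 1023) or the client's reply on an active-mode connection to port 20, which is worth checking against the lab before relying on a rule.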
**Please read:http://www.groupstudy.com/list/posting.html



This archive was generated by hypermail 2.1.4 : Thu Jun 13 2002 - 10:30:37 GMT-3