From: ShahzaD Ali (shahzad-ali@xxxxxxxx)
Date: Thu May 10 2001 - 11:26:37 GMT-3
Dave,
I tried permitting 2065 and 2067 but no luck. Here is the log:
%SEC-6-IPACCESSLOGP: list 101 denied tcp 140.1.2.2(2065) -> 140.1.4.4(11001), 1 packet
%SEC-6-IPACCESSLOGP: list 101 denied tcp 140.1.134.3(179) -> 140.1.134.4(11002), 1 packet
%SEC-6-IPACCESSLOGP: list 101 denied tcp 140.1.2.2(2065) -> 140.1.4.4(11004), 1 packet
%SEC-6-IPACCESSLOGP: list 101 denied tcp 140.1.2.2(2065) -> 140.1.4.4(11005), 1 packet
%SEC-6-IPACCESSLOGP: list 101 denied tcp 140.1.2.2(2065) -> 140.1.4.4(11006), 1 packet
r4#
%SEC-6-IPACCESSLOGP: list 101 denied tcp 140.1.2.2(2065) -> 140.1.4.4(11007), 1
I think I need to permit all the ports gt 11000.
Any suggestions, folks?
Regards,
ShahzaD
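The denied lines in the log above all show the remote peer's packets arriving *from* source port 2065 toward an ephemeral destination port (11001 and up), a direction that `permit tcp any any eq 2065` never matches. The following Python is an added example, not code from the thread: it parses `%SEC-6-IPACCESSLOGP` lines into flows and evaluates them against a small model of the posted entry beside a suggested source-port entry. The matcher is an assumption of the example: it models addresses as `any` and supports only `eq`/`gt` port specs, so the `gt 11000` idea can be tried in the same way.

```python
import re
from collections import namedtuple

# Constructed sample: three of the denied-packet lines from the log above,
# re-joined onto single lines (the mail archive wrapped them).
SAMPLE_LOG = """\
%SEC-6-IPACCESSLOGP: list 101 denied tcp 140.1.2.2(2065) -> 140.1.4.4(11001), 1 packet
%SEC-6-IPACCESSLOGP: list 101 denied tcp 140.1.134.3(179) -> 140.1.134.4(11002), 1 packet
%SEC-6-IPACCESSLOGP: list 101 denied tcp 140.1.2.2(2065) -> 140.1.4.4(11004), 1 packet
"""

LOG_RE = re.compile(r"(?:permitted|denied) (?P<proto>\w+) "
                    r"(?P<src>[\d.]+)\((?P<sport>\d+)\) -> "
                    r"(?P<dst>[\d.]+)\((?P<dport>\d+)\)")
Flow = namedtuple("Flow", "proto src sport dst dport")

def parse_log(text):
    """Pull one Flow out of every %SEC-6-IPACCESSLOGP line; skip other lines."""
    flows = []
    for m in (LOG_RE.search(line) for line in text.splitlines()):
        if m:
            flows.append(Flow(m["proto"], m["src"], int(m["sport"]),
                              m["dst"], int(m["dport"])))
    return flows

def port_ok(spec, port):
    """spec is None (any), ('eq', n) or ('gt', n), as in IOS extended ACLs."""
    if spec is None:
        return True
    op, n = spec
    return port == n if op == "eq" else port > n

def verdict(acl, flow):
    """First matching entry wins; IOS appends an implicit deny to every ACL.
    Entries are (action, proto, source-port spec, destination-port spec);
    addresses are modelled as 'any' to keep the example small (assumption)."""
    for action, proto, sport, dport in acl:
        if proto in ("ip", flow.proto) and port_ok(sport, flow.sport) \
                and port_ok(dport, flow.dport):
            return action
    return "deny"

# As posted: 'permit tcp any any eq 2065' only matches packets *to* 2065.
ACL_POSTED = [("permit", "tcp", None, ("eq", 2065))]
# Suggested: 'permit tcp any eq 2065 any' also admits the peer's replies,
# which the log shows are *sourced from* 2065 toward an ephemeral port.
ACL_FIXED = ACL_POSTED + [("permit", "tcp", ("eq", 2065), None)]

def still_denied(acl, text=SAMPLE_LOG):
    """Logged flows this ACL would still reject (the BGP 179 reply stays denied)."""
    return [f for f in parse_log(text) if verdict(acl, f) == "deny"]
```

Running `still_denied(ACL_FIXED)` leaves only the flow sourced from port 179, which is the BGP peer's reply and needs its own entry (or `established`) in the same way.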
-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com]On Behalf Of
HENDERSON_DAVE_G@Lilly.com
Sent: Thursday, May 10, 2001 8:26 AM
To: Tariq Sharif
Cc: Ccielab@Groupstudy. Com; nobody@groupstudy.com; ShahzaD Ali
Subject: RE: DLSw+ & ACL
Try also permitting port 2067. I believe 2067 is the read port.
Tariq Sharif <tariq_sharif@btinternet.com>
Sent by: nobody@groupstudy.com
05/10/01 08:03 AM
Please respond to Tariq Sharif
To: "Ccielab@Groupstudy. Com" <ccielab@groupstudy.com>, ShahzaD Ali <shahzad-ali@home.com>
cc:
Subject: RE: DLSw+ & ACL
This is strange. I'm now using physical interface addresses for DLSw+ & permitting port 2065, but DLSw+ doesn't come up unless I remove the ACL. Here are the partial configs:
Many thanks & regards.
Tariq Sharif
hostname r3
!
dlsw local-peer peer-id 132.1.23.2
dlsw remote-peer 0 tcp 132.1.23.1
dlsw remote-peer 0 tcp 132.1.10.4
dlsw bridge-group 3
!
interface Ethernet0/0
ip address 132.1.50.3 255.255.255.0
no ip directed-broadcast
ipx network 50
bridge-group 3
!
interface Serial2/0
ip address 132.1.10.3 255.255.255.224
no ip directed-broadcast
encapsulation frame-relay
ip ospf network point-to-multipoint
no ip mroute-cache
logging event subif-link-status
logging event dlci-status-change
ipx network 134
frame-relay map ipx 134.0004.0004.0004 103 broadcast
frame-relay map ip 132.1.10.1 103 broadcast
frame-relay map ip 132.1.10.3 103 broadcast
frame-relay map ip 132.1.10.4 103 broadcast
frame-relay map ipx 134.0001.0001.0001 103 broadcast
no frame-relay inverse-arp
!
router ospf 1
router-id 3.3.3.3
area 3 virtual-link 2.2.2.2
timers spf 30 60
redistribute static metric 10 subnets
network 132.1.3.0 0.0.0.255 area 0
network 132.1.10.0 0.0.0.255 area 0
network 132.1.23.0 0.0.0.255 area 3
network 132.1.50.0 0.0.0.255 area 3
!
end
hostname r4
!
source-bridge ring-group 40
dlsw local-peer peer-id 132.1.10.4
dlsw remote-peer 0 tcp 132.1.23.2
!
interface Serial0/0
ip address 132.1.10.4 255.255.255.224
ip access-group 120 in
no ip directed-broadcast
encapsulation frame-relay
ip ospf network point-to-multipoint
no ip mroute-cache
logging event subif-link-status
logging event dlci-status-change
ipx network 134
no ipx split-horizon eigrp 1
frame-relay map ip 132.1.10.1 101 broadcast
frame-relay map ip 132.1.10.3 103 broadcast
frame-relay map ip 132.1.10.4 101 broadcast
frame-relay map ipx 134.0001.0001.0001 101 broadcast
frame-relay map ipx 134.0003.0003.0003 103 broadcast
no frame-relay inverse-arp
frame-relay broadcast-queue 80 240000 160
!
interface TokenRing0/0
ip address 132.1.40.4 255.255.255.224
ip access-group 110 in
no ip directed-broadcast
ipx network 40
ring-speed 16
source-bridge 2 1 40
source-bridge spanning
hold-queue 100 in
!
router ospf 1
router-id 4.4.4.4
network 132.1.4.0 0.0.0.255 area 0
network 132.1.10.0 0.0.0.255 area 0
network 132.1.40.0 0.0.0.255 area 4
network 222.0.0.0 0.255.255.255 area 0
!
access-list 110 permit tcp 132.1.52.0 0.0.0.255 132.1.40.0 0.0.0.255 eq smtp
access-list 110 permit tcp 132.1.52.0 0.0.0.255 132.1.40.0 0.0.0.255 eq pop2
access-list 110 permit tcp 132.1.52.0 0.0.0.255 132.1.40.0 0.0.0.255 eq pop3
access-list 110 permit ospf any any
access-list 110 permit tcp any any eq bgp
access-list 110 permit icmp any any echo
access-list 110 permit icmp any any echo-reply
access-list 110 permit udp 132.1.52.0 0.0.0.255 132.1.40.0 0.0.0.255 eq tftp
access-list 110 permit tcp 132.1.52.0 0.0.0.255 132.1.40.0 0.0.0.255 eq telnet
access-list 110 permit tcp 132.1.52.0 0.0.0.255 132.1.40.0 0.0.0.255 eq www
access-list 120 permit ospf any any
access-list 120 permit tcp any any eq bgp
access-list 120 permit icmp any any echo
access-list 120 permit icmp any any echo-reply
access-list 120 permit tcp 132.1.52.0 0.0.0.255 132.1.40.0 0.0.0.255 established
access-list 120 permit tcp 132.1.52.0 0.0.0.255 132.1.40.0 0.0.0.255 eq smtp
access-list 120 permit tcp any any eq 2065
end
-----Original Message-----
From: ShahzaD Ali [mailto:shahzad-ali@home.com]
Sent: 10 May 2001 13:47
To: Tariq Sharif
Subject: RE: DLSw+ & ACL
Use
access-list 101 deny ip any any
at the end of your access-list and the log will show you which port is being blocked. I think you need to permit tcp 2065.
Regards,
ShahzaD
-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com]On Behalf Of
Tariq Sharif
Sent: Thursday, May 10, 2001 6:46 AM
To: Ccielab@Groupstudy. Com
Subject: DLSw+ & ACL
I've IP & DLSw+ running between R4 & R3 (linked with Frame). DLSw+ is using loopback interfaces to communicate. I've added an ACL on the R4 frame interface inbound & now DLSw+ does not work! Qs:
1) Are loopbacks treated differently from a router's normal interfaces (because an ACL on a router does not apply to the router's own communications)?
2) How can I allow DLSw+ through the ACL?
Many thanks & regards.
Tariq Sharif
[GroupStudy.com removed an attachment of type application/ms-tnef which had a name of winmail.dat]
**Please read:http://www.groupstudy.com/list/posting.html
This archive was generated by hypermail 2.1.4 : Thu Jun 13 2002 - 10:30:38 GMT-3