From: OhioHondo (ohiohondo@columbus.rr.com)
Date: Sun Mar 02 2003 - 11:05:04 GMT-3
Fan,
In the two below, one access list demands port 23 be on the source side, the
other on the destination side. Use the following to watch a Telnet session
(prior to applying your access list). It will show you how the TCP ports for
Telnet (or any other TCP-based traffic flow) are used.
access-list 199 permit tcp any any
debug ip packet 199 detail
access-list 100 permit tcp any any eq telnet   ---> looks for port 23 on destination
access-list 100 permit tcp any eq telnet any   ---> looks for port 23 on source
When the Telnet session starts the destination TCP port will be port 23. The
following access-list entry says, allow IP packets that have a destination
of port 23 going out. Also allow returned packets if they are part of that
TCP session. The "established" keyword goes one step further and monitors
the initial "SYN" that is sent out in the initial TCP packet. It looks for
the "SYN ACK" response. If it receives the correct response it considers the
flow "established" and allows all packets in the session.
access-list 100 permit tcp any any eq telnet established
The following should also work for the same reasons, because BGP uses TCP:
access-list 100 permit tcp any any eq bgp established
-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com]On Behalf Of Fan
Shan
Sent: Sunday, March 02, 2003 6:35 AM
To: ccielab@groupstudy.com
Subject: The difference between these access-lists
Can someone explain in detail the difference between these access-lists:
access-list 100 permit tcp any any eq telnet
access-list 100 permit tcp any eq telnet any
access-list 100 permit tcp any any eq telnet established
And if BGP is permitted, do I need to configure both
access-list 100 permit tcp any any eq bgp
and
access-list 100 permit tcp any eq bgp any
or only one of them?
Thx
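As an added illustration (not part of either post above), the following Python model walks the three Telnet entries and the two BGP entries from the thread across a constructed TCP exchange, so you can see which direction each entry actually matches and why an inbound BGP filter needs both the "eq bgp" source and destination forms. The port numbers, flow and Ace/Segment names are constructed for the example; "established" is modelled as matching segments with ACK or RST set.

```python
"""Toy model of how a Cisco extended-ACL entry matches TCP segments."""
from dataclasses import dataclass
from typing import List, Optional

TELNET, BGP = 23, 179

@dataclass(frozen=True)
class Segment:
    src_port: int
    dst_port: int
    syn: bool = False
    ack: bool = False
    rst: bool = False

@dataclass(frozen=True)
class Ace:
    """permit tcp any [eq src_eq] any [eq dst_eq] [established]"""
    src_eq: Optional[int] = None
    dst_eq: Optional[int] = None
    established: bool = False

    def matches(self, seg: Segment) -> bool:
        if self.src_eq is not None and seg.src_port != self.src_eq:
            return False
        if self.dst_eq is not None and seg.dst_port != self.dst_eq:
            return False
        # 'established' matches only segments with ACK or RST set, so the
        # opening SYN of a new connection never matches it.
        if self.established and not (seg.ack or seg.rst):
            return False
        return True

def permitted(acl: List[Ace], seg: Segment) -> bool:
    """Any matching permit entry passes the segment; otherwise the implicit
    deny at the end of every access list drops it."""
    return any(ace.matches(seg) for ace in acl)

# Constructed Telnet session: client ephemeral port 40000 -> server port 23.
FLOW = [
    Segment(40000, TELNET, syn=True),            # client SYN (outbound)
    Segment(TELNET, 40000, syn=True, ack=True),  # server SYN-ACK (return)
    Segment(40000, TELNET, ack=True),            # client ACK (outbound)
    Segment(TELNET, 40000, syn=True),            # unsolicited new SYN from port 23
]
DST_TELNET = [Ace(dst_eq=TELNET)]                    # any any eq telnet
SRC_TELNET = [Ace(src_eq=TELNET)]                    # any eq telnet any
RETURN_EST = [Ace(src_eq=TELNET, established=True)]  # any eq telnet any established

def classify(acl: List[Ace], flow=FLOW) -> List[bool]:
    return [permitted(acl, s) for s in flow]

def bgp_both_directions(acl: List[Ace]) -> bool:
    """Inbound filter: pass a peer-initiated OPEN and a reply to our own OPEN."""
    return (permitted(acl, Segment(50000, BGP, syn=True)) and
            permitted(acl, Segment(BGP, 50000, syn=True, ack=True)))
```

The fourth segment shows the defender's point of the "established" form: matching on source port 23 alone also passes brand-new inbound connections that merely use 23 as their source port, while the established entry passes only return traffic of a session opened from inside.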
This archive was generated by hypermail 2.1.4 : Sat Apr 05 2003 - 08:51:30 GMT-3