From: Biondino, Joseph (joseph.biondino@au.unisys.com)
Date: Tue Jun 17 2003 - 01:07:45 GMT-3
You can use a line similar to "access-list 101 permit tcp host x.x.x.x eq 21 any" to allow through the traffic that is a response to a TCP session request.
Kind regards,
Joseph Biondino
Network Specialist
UNISYS
Network Command Centre
115 - 117 Wicks Rd
North Ryde NSW 2113
Phone: 02 9857 3149
Group: 02 9390 1107
Fax: 02 9857 3122
-----Original Message-----
From: Jason Cash [mailto:cash2001@swbell.net]
Sent: Tuesday, 17 June 2003 1:46 PM
To: Brian Dennis; ccielab@groupstudy.com
Subject: RE: Extended ACL clarification.
Well, what about when you FTP? I have seen several solutions such as:
access-list 101 permit tcp host x.x.x.x eq 21 any
access-list 101 permit tcp host x.x.x.x any eq 21
access-list 101 permit tcp host x.x.x.x eq 80 any
access-list 101 permit tcp host x.x.x.x any eq 80
And several others that escape me now. But I am sure that you have seen ACLs that permit the same TCP src. and dest. port. What is the reason for that?
-----Original Message-----
From: Brian Dennis [mailto:brian@labforge.com]
Sent: Monday, June 16, 2003 10:29 PM
To: 'Jason Cash'; ccielab@groupstudy.com
Telnet will not originate from port 23. Think about it like this. If you
are using TCP port 23 as a source port for Telnet on R1, what will
happen when someone tries to telnet to R1?
I would highly recommend reading one of the following books.
Internetworking with TCP/IP Vol.1: Principles, Protocols, and
Architecture (4th Edition) by Douglas Comer
The Protocols (TCP/IP Illustrated, Volume 1) by W. Richard Stevens
Brian Dennis, CCIE #2210 (R&S/ISP-Dial/Security)
-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
Jason Cash
Sent: Monday, June 16, 2003 8:08 PM
To: ccielab@groupstudy.com
Subject: Extended ACL clarification.
A certain instructs:
Configure R2 such that all Telnet traffic sourced from the Lo0 of R1 and destined for the 172.29.80.0 subnet will go through R5.
R1 - Lo0 192.168.1.1/32
R2 - S0 172.29.100.2
R5 - S0 172.29.100.5
R1(e1)-----(e0)R2(s0)-----(s0)R5
My question is, is the following incorrect, and does it accomplish the same thing as the solution:
interface Ethernet0
description to R1 E0 (crossover)
ip address 172.29.12.2 255.255.255.192
ip policy route-map local23
!
route-map local23 permit 10
match ip address 100
set ip next-hop 172.29.100.5
!
access-list 100 permit tcp host 192.168.1.1 eq telnet 172.29.80.0 0.0.0.31
The solution provided was:
access-list 100 permit tcp host 192.168.1.1 172.29.80.0 0.0.0.31 eq telnet
I guess I want to know the difference between the two. Would my solution provide the same result? I interpret mine to mean:
allow traffic from host 192.168.1.1 (TCP src. port 23) to go to subnet 172.29.80.0/27
I interpret the solution as:
allow traffic from host 192.168.1.1 to go to subnet 172.29.80.0/27 (TCP dest. port 23)
What is the difference? Does Telnet not originate from port 23 on occasion? Is this where the problem would come into play? I get confused on src./dest. ports, so any links to clear the confusion would be appreciated.
This archive was generated by hypermail 2.1.4 : Fri Jul 04 2003 - 11:10:59 GMT-3
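The source-port versus destination-port question that runs through this thread, as an added worked example (this is editorial code, not something any of the posters wrote): a small simulator of Cisco extended-ACL matching for TCP entries. It parses the two `access-list 100` lines from the original post plus the two FTP forms from the follow-up, and evaluates them against constructed packets. The client-side source ports (49152, 50001, 51000), the Telnet target 172.29.80.10 and the FTP address 10.0.0.5 standing in for "x.x.x.x" are assumptions made for the example; the ACL lines themselves are the ones quoted on the page.

```python
"""Added example: simulate Cisco extended-ACL matching for TCP so the reader
can see which address an 'eq <port>' clause binds to. Sample traffic is constructed."""
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import Optional

PORT_NAMES = {"telnet": 23, "ftp": 21, "ftp-data": 20, "www": 80}
ALL_ONES = 0xFFFFFFFF

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int

@dataclass(frozen=True)
class Entry:
    action: str
    src_net: int
    src_wild: int
    sport: Optional[int]   # an 'eq' right after the source address lands here
    dst_net: int
    dst_wild: int
    dport: Optional[int]   # an 'eq' right after the destination address lands here

def _address(tokens):
    """Consume 'any', 'host A' or 'A WILDCARD', then an optional 'eq PORT'."""
    tok = tokens.pop(0)
    if tok == "any":
        net, wild = 0, ALL_ONES
    elif tok == "host":
        net, wild = int(IPv4Address(tokens.pop(0))), 0
    else:
        net, wild = int(IPv4Address(tok)), int(IPv4Address(tokens.pop(0)))
    port = None
    if tokens and tokens[0] == "eq":
        tokens.pop(0)
        name = tokens.pop(0)
        port = PORT_NAMES[name] if name in PORT_NAMES else int(name)
    return net, wild, port

def parse_entry(line):
    """Parse 'access-list N permit|deny tcp <src> [eq P] <dst> [eq P]'."""
    tokens = line.split()
    if tokens[0] != "access-list" or tokens[3] != "tcp":
        raise ValueError("only numbered TCP entries are handled in this example")
    action, rest = tokens[2], tokens[4:]
    src_net, src_wild, sport = _address(rest)
    dst_net, dst_wild, dport = _address(rest)
    return Entry(action, src_net, src_wild, sport, dst_net, dst_wild, dport)

def _addr_match(net, wild, ip):
    # Cisco wildcard bits set to 1 mean "don't care"; compare the remaining bits only.
    care = ~wild & ALL_ONES
    return (int(IPv4Address(ip)) & care) == (net & care)

def entry_matches(e, p):
    return (_addr_match(e.src_net, e.src_wild, p.src)
            and (e.sport is None or e.sport == p.sport)
            and _addr_match(e.dst_net, e.dst_wild, p.dst)
            and (e.dport is None or e.dport == p.dport))

def evaluate(acl_lines, packet):
    """First matching entry wins; an unmatched packet hits the implicit deny."""
    for line in acl_lines:
        entry = parse_entry(line)
        if entry_matches(entry, packet):
            return entry.action
    return "deny"

# The two ACL lines from the original post.
POSTED_ACL = ["access-list 100 permit tcp host 192.168.1.1 eq telnet 172.29.80.0 0.0.0.31"]
SOLUTION_ACL = ["access-list 100 permit tcp host 192.168.1.1 172.29.80.0 0.0.0.31 eq telnet"]

# Constructed traffic: a Telnet client picks an ephemeral source port (49152 assumed)
# and sends to destination port 23; only a Telnet *server* sends from port 23.
R1_TELNET_CLIENT_SYN = Packet("192.168.1.1", 49152, "172.29.80.10", 23)
R1_TELNET_SERVER_REPLY = Packet("192.168.1.1", 23, "172.29.80.10", 50001)

# The FTP forms from the follow-up, with "x.x.x.x" assumed to be 10.0.0.5.
EQ21_ANY = ["access-list 101 permit tcp host 10.0.0.5 eq 21 any"]
ANY_EQ21 = ["access-list 101 permit tcp host 10.0.0.5 any eq 21"]
X_AS_FTP_CLIENT = Packet("10.0.0.5", 51000, "10.0.1.7", 21)
X_AS_FTP_SERVER = Packet("10.0.0.5", 21, "10.0.1.7", 51000)

def demo():
    return {
        "posted/client": evaluate(POSTED_ACL, R1_TELNET_CLIENT_SYN),
        "solution/client": evaluate(SOLUTION_ACL, R1_TELNET_CLIENT_SYN),
        "posted/server-reply": evaluate(POSTED_ACL, R1_TELNET_SERVER_REPLY),
        "eq21any/client": evaluate(EQ21_ANY, X_AS_FTP_CLIENT),
        "eq21any/server": evaluate(EQ21_ANY, X_AS_FTP_SERVER),
        "anyeq21/client": evaluate(ANY_EQ21, X_AS_FTP_CLIENT),
    }
```

Running `demo()` shows the point of the thread: the posted entry (`eq telnet` after the source) never matches R1's outgoing Telnet session, because the client's source port is ephemeral; it matches only when R1 is the Telnet server answering from port 23. Likewise `host X eq 21 any` matches replies from X acting as an FTP server, while `host X any eq 21` matches X's requests to FTP servers. The simulator checks only addresses and ports; real IOS also offers `established` and flag matching. Permitting return traffic purely on a source port of 21 admits any packet that claims that source port, which is why stateful inspection or at least `established` is preferred over a bare source-port permit.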