RE: Application port reply ....

From: mohamed_n@sifycorp.com
Date: Wed Sep 29 2004 - 02:17:23 GMT-3


Sharma,
If your requirement is just to allow only telnet and ftp to and from the 2 machines, then ideally I would try it this way.
Apply an ACL inbound on eth0:
Allow Telnet
Allow FTP.
The return connections are allowed by default.
Then on the S0 interface, you have to allow the same telnet and ftp.
This has to be done on both routers.

So the 10.1.1.0 network can connect via telnet and ftp to the 20.1.1.0 network because you have allowed it on eth0 of R1 and S0 of R2. Similarly, ftp and telnet from 20.1.1.0 are allowed to 10.1.1.0 because you have allowed them on eth0 of R2 and S0 of R1.
The remaining things are blocked!!

The key concept is that the return connections are allowed.
But I have no lab to test this and I am also just preparing for the CCIE. So please reply to me if this works.

Thanks
Mohamed.

ShamSunder.Sharma@UCB-Group.com:

> Mohamed,
>
> Thanks for replying ....
>
> We accepted that while coming back the destination port would be 2000. But I have
> a situation like this... I am putting 2 access-lists, 111 and 112, IN and OUT on the
> serial 0 interface of the R1 router.
>
> 10.1.1.0/24-------e0 R1 s0-----------s0 R2 e0 -----20.1.1.0/24
>
> access-list 112 is applied outbound: I want to permit telnet and ftp to host
> 20.1.1.1 from the 10.1.1.0 subnet and block all other ports.
> access-list 111 is applied inbound: I want to permit telnet and ftp to host
> 10.1.1.1 from the 20.1.1.0 subnet and block all other ports.
>
> In this situation, telnet and ftp should not be completed, since all other
> ports are blocked on either side ...
>
> Regards
>
> -----Original Message-----
> From: mohamed_n@sifycorp.com [mailto:mohamed_n@sifycorp.com]
> Sent: Tuesday, September 28, 2004 6:14 AM
> To: ShamSunder.Sharma@ucb-group.com
> Subject: Re: Application port reply ....
>
>
> Yeah, it should be src-23 and dest 2000.
>
> Thanks
> Mohamed.
>
> Quoting "Sharma Sham Sunder (vMoksha)" <ShamSunder.Sharma@UCB-Group.com>:
>
> > Hi
> >
> > Suppose IP 192.168.10.1 is trying to telnet to IP 10.10.10.10...
> > The port details will be like this:
> >
> >
> > While going from 192.168.10.1 to 10.10.10.10:
> >
> > Source IP      Source Port                      Destination IP   Destination Port
> > 192.168.10.1   any port above 1024 (say 2000)   10.10.10.10      23
> >
> > While coming back from 10.10.10.10 to 192.168.10.1, what would be the
> > source & destination ports ---------- ?????
> >
> > Source IP      Source Port   Destination IP   Destination Port
> > 10.10.10.10    23 ????       192.168.10.1     2000 ????
> >
> >
> > Regards
> >
> >
> >
> > _______________________________________________________________________
> > Subscription information may be found at:
> > http://www.groupstudy.com/list/CCIELab.html
> >
>
>
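An added example, not code from the thread: a small stateless evaluator for the two lists Sharma describes on R1 s0, tracing the telnet SYN out through access-list 112 and the server's reply back in through access-list 111, the way an extended IOS ACL without state would see them. The client address 10.1.1.5, its source port 2000, and the `established` variant of list 111 are assumptions, not part of the thread.

```python
from dataclasses import dataclass
from typing import List, Optional
import ipaddress

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    ack: bool  # True when the TCP ACK or RST bit is set (a reply segment)

@dataclass(frozen=True)
class Ace:
    """One access-control entry of an extended IP ACL (TCP only here)."""
    action: str            # "permit" or "deny"
    src_net: str           # CIDR, e.g. "10.1.1.0/24" or a host "20.1.1.1/32"
    dst_net: str
    dport: Optional[int]   # None means any destination port
    established: bool = False  # match only segments with ACK/RST set

def matches(ace: Ace, p: Packet) -> bool:
    return (ipaddress.ip_address(p.src) in ipaddress.ip_network(ace.src_net)
            and ipaddress.ip_address(p.dst) in ipaddress.ip_network(ace.dst_net)
            and (ace.dport is None or ace.dport == p.dport)
            and (not ace.established or p.ack))

def evaluate(acl: List[Ace], p: Packet) -> str:
    """First matching entry wins; every IOS ACL ends with an implicit deny."""
    for ace in acl:
        if matches(ace, p):
            return ace.action
    return "deny"

# access-list 112, outbound on R1 s0: telnet/ftp from 10.1.1.0/24 to host 20.1.1.1
ACL_112 = [Ace("permit", "10.1.1.0/24", "20.1.1.1/32", 23),
           Ace("permit", "10.1.1.0/24", "20.1.1.1/32", 21)]
# access-list 111, inbound on R1 s0: telnet/ftp from 20.1.1.0/24 to host 10.1.1.1
ACL_111 = [Ace("permit", "20.1.1.0/24", "10.1.1.1/32", 23),
           Ace("permit", "20.1.1.0/24", "10.1.1.1/32", 21)]
# Variant (assumption, not in the thread): also admit reply segments of sessions
# that 10.1.1.0/24 opened, as the IOS `established` keyword does.
ACL_111_ESTABLISHED = ACL_111 + [Ace("permit", "20.1.1.0/24", "10.1.1.0/24", None, established=True)]

def trace_telnet(acl_out: List[Ace] = ACL_112, acl_in: List[Ace] = ACL_111) -> dict:
    """Trace one telnet session from constructed client 10.1.1.5:2000 to 20.1.1.1:23."""
    syn = Packet("10.1.1.5", 2000, "20.1.1.1", 23, ack=False)    # leaves via s0, checked by 112
    reply = Packet("20.1.1.1", 23, "10.1.1.5", 2000, ack=True)   # returns via s0, checked by 111
    return {"syn_out": evaluate(acl_out, syn), "reply_in": evaluate(acl_in, reply)}
```

With the lists exactly as Sharma describes them, `trace_telnet()` returns `{'syn_out': 'permit', 'reply_in': 'deny'}`; only the `established` variant of list 111 lets the reply back in.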



This archive was generated by hypermail 2.1.4 : Fri Oct 01 2004 - 15:00:50 GMT-3