Re: smtp flow - Can match prot smtp be used instead?

From: ccie2be (ccie2be@nyc.rr.com)
Date: Mon Nov 15 2004 - 15:41:51 GMT-3


Thanks, Brian,

Are you saying, then, the config would have to look like this in order to be
as specific as the given solution?

R3

 class-map match-all SMTP
 match prot smtp
 match access-group name SMTP-FROM-SERVER

  ip access-list extended SMTP-FROM-SERVER
  permit tcp host 132.1.3.100 any <-- Note: no eq smtp

Would you agree that this config is EXACTLY equivalent to solution in SG?

Thanks, Tim

----- Original Message -----
From: "Brian McGahan" <bmcgahan@internetworkexpert.com>
To: "ccie2be" <ccie2be@nyc.rr.com>
Cc: "lab" <ccielab@groupstudy.com>
Sent: Monday, November 15, 2004 1:19 PM
Subject: RE: smtp flow - Can match prot smtp be used instead?

You would also have to match the source and destination address
in question. Other than that they accomplish the same thing.

Brian McGahan, CCIE #8593
bmcgahan@internetworkexpert.com

Internetwork Expert, Inc.
http://www.InternetworkExpert.com
Toll Free: 877-224-8987 x 705
Outside US: 775-826-4344 x 705
24/7 Support: http://forum.internetworkexpert.com
Live Chat: http://www.internetworkexpert.com/chat/

> -----Original Message-----
> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of ccie2be
> Sent: Monday, November 15, 2004 10:32 AM
> To: Brian McGahan; John Matus
> Cc: lab
> Subject: Re: smtp flow - Can match prot smtp be used instead?
>
> Brian,
>
> What's the difference, if any, between the config below from the SG where
> an acl is used to match smtp traffic and using the match prot smtp
> statement? Specifically, would using the match prot smtp statement AVOID
> the issue of where the "eq smtp" should be that exists with the access-list?
>
> R3#
> class-map SMTP-FROM-SERVER
> match access-group name SMTP-FROM-SERVER
>
> ip access-list extended SMTP-FROM-SERVER
> permit tcp host 132.1.3.100 eq smtp any
>
> R5#
> class-map SMTP-TO-SERVER
> match access-group name SMTP-TO-SERVER
>
> ip access-list extended SMTP-TO-SERVER
> permit tcp any host 132.1.3.100 eq smtp
>
> Is below the same as above config?
>
> R3
>
> class-map SMTP
> match prot smtp
>
> R5
> class-map SMTP
> match prot smtp
>
>
> Thanks, Tim
>
> ----- Original Message -----
> From: "Brian McGahan" <bmcgahan@internetworkexpert.com>
> To: "John Matus" <jmatus@pacbell.net>
> Cc: "lab" <ccielab@groupstudy.com>
> Sent: Monday, November 15, 2004 9:36 AM
> Subject: RE: smtp flow
>
>
> > John,
> >
> > Yes there was a previous typo in this solution that was fixed.
> > The correct ACLs read as follows:
> >
> > R3#
> > ip access-list extended SMTP_FROM_SERVER
> > permit tcp host 132.1.3.100 eq smtp any
> >
> > R5#
> > ip access-list extended SMTP_TO_SERVER
> > permit tcp any host 132.1.3.100 eq smtp
> >
> > See this post for reference:
> >
> >
> > http://forum.internetworkexpert.com/ubbthreads/showflat.php?Cat=&Board=IEWB_RS_LAB2&Number=4830&Forum=All_Forums&Words=smtp&Searchpage=0&Limit=25&Main=1570&Search=true&where=bodysub&Name=&daterange=1&newerval=1&newertype=y&olderval=&oldertype=&bodyprev=#Post4830
> >
> > And no this isn't a CCNP level question ;)
> >
> > Thanks,
> >
> > Brian McGahan, CCIE #8593
> > bmcgahan@internetworkexpert.com
> >
> > Internetwork Expert, Inc.
> > http://www.InternetworkExpert.com
> > Toll Free: 877-224-8987 x 705
> > Outside US: 775-826-4344 x 705
> > 24/7 Support: http://forum.internetworkexpert.com
> > Live Chat: http://www.internetworkexpert.com/chat/
> >
> >
> > > -----Original Message-----
> > > From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
> > > John Matus
> > > Sent: Monday, November 15, 2004 12:29 AM
> > > To: marc van hoof; ccie2be
> > > Cc: lab
> > > Subject: Re: smtp flow
> > >
> > > yes, that was my initial thinking, however internetwork experts had it
> > > ass-backwards in their solution guide and i just wanted to make sure i
> > > was correct <and they had a typo>
> > >
> > >
> > > Regards,
> > >
> > > John D. Matus
> > > MCSE, CCNP
> > > Office: 818-782-2061
> > > Cell: 818-430-8372
> > > jmatus@pacbell.net
> > > ----- Original Message -----
> > > From: "marc van hoof" <mvh@marcvanhoof.com>
> > > To: "ccie2be" <ccie2be@nyc.rr.com>
> > > Cc: "John Matus" <jmatus@pacbell.net>; "lab" <ccielab@groupstudy.com>
> > > Sent: Sunday, November 14, 2004 8:50 PM
> > > Subject: Re: smtp flow
> > >
> > >
> > > > oh, and to answer the question, i would probably go with:
> > > >
> > > > deny tcp any eq smtp any
> > > >
> > > > given that you have to look at the terms "server" and "client" from
> > > > the perspective of the transaction, rather than the functions of the
> > > > hardware...
> > > >
> > > > in a traditional transaction, a client will be the originator of a
> > > > session, and the server will be the recipient...
> > > >
> > > > so PC 1 creates a tcp connection from some random source port to
> > > > another computer on port 25... in this transaction, i'd interpret
> > > > that as the "server"
> > > >
> > > > to block the return traffic, you need to stop it flowing from the
> > > > "server" on port 25 to the client's variable port, hence it must be
> > > > unspecified in the acl.
> > > >
> > > > the definition of "server" and "client" are something you could
> > > > probably ask the proctor though - just to clarify your understanding
> > > > of the question. "proctor - should we assume that the client is the
> > > > originator of the connection - i'm a bit confused because smtp is
> > > > often used between mail servers"...
> > > >
> > > > -marc (#13832)
> > > >
> > > > On Sun, 14 Nov 2004, ccie2be wrote:
> > > >
> > > >> John,
> > > >>
> > > >> I don't know the answer for sure. But, in the lab, if something like
> > > >> that comes and the wording of the task didn't forbid it, what I would
> > > >> do is use both. You don't lose points for extra config commands which
> > > >> aren't needed as long as the extra commands don't break or violate
> > > >> anything else.
> > > >>
> > > >> If one of those entries is the right entry but you don't know which
> > > >> one and just guess, you've got a 50% chance of being right. If you put
> > > >> in both entries and the wrong entry does no harm, you've increased
> > > >> your odds to 100%.
> > > >>
> > > >> FYI, smtp is usually not used between a server and a client. Usually,
> > > >> it's something like pop, (or imap?).
> > > >>
> > > >> HTH, Tim
> > > >> ----- Original Message -----
> > > >> From: "John Matus" <jmatus@pacbell.net>
> > > >> To: "lab" <ccielab@groupstudy.com>
> > > >> Sent: Sunday, November 14, 2004 10:09 PM
> > > >> Subject: smtp flow
> > > >>
> > > >>
> > > >>> if you are writing an acl that is denying a smtp flow from a
> > > >>> server to a client would it be:
> > > >>>
> > > >>> deny tcp any eq smtp any?..........(or deny tcp any any eq smtp)?
> > > >>>
> > > >>>
> > > >>> Regards,
> > > >>>
> > > >>> John D. Matus
> > > >>> MCSE, CCNP
> > > >>> Office: 818-782-2061
> > > >>> Cell: 818-430-8372
> > > >>> jmatus@pacbell.net
> > > >>>
> > > >>>
> > >
> >
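
The whole thread turns on one point: in an extended ACL, "eq smtp" after the source address matches the server's port 25 on return traffic, while "eq smtp" after the destination matches the client's connection toward the server. The script below is an added illustration written for this archive page, not the Solution Guide's or Cisco's code. It models just enough of an IOS extended ACL entry (tcp, "any" or "host A.B.C.D", optional "eq <port>") to evaluate the R3 and R5 entries from the SG, John's two candidate deny lines, and Tim's no-"eq" variant against constructed packets. The client address 132.1.5.10, the ephemeral ports, and the second mail server 192.0.2.25 are constructed, and `smtp_port_either_side` is a deliberately simplified stand-in for `match protocol smtp` (real NBAR classification is stateful and is not modelled), so the "match-all" comparison holds only under that assumption.

```python
"""Direction semantics of the SMTP ACL entries discussed in this thread.

Added illustration, not the Solution Guide's or Cisco's code. Only the
subset of extended-ACL syntax used in the thread is parsed. The client
address, ephemeral ports and second MTA address are constructed.
"""
from dataclasses import dataclass
from typing import List, Optional

PORT_NAMES = {"smtp": 25}  # IOS port keyword -> number (only the one needed here)


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


@dataclass(frozen=True)
class Ace:
    """One access-list entry; None means 'any' address / no 'eq' qualifier."""
    action: str
    src_ip: Optional[str]
    src_port: Optional[int]
    dst_ip: Optional[str]
    dst_port: Optional[int]

    def matches(self, p: Packet) -> bool:
        return ((self.src_ip is None or self.src_ip == p.src_ip)
                and (self.src_port is None or self.src_port == p.src_port)
                and (self.dst_ip is None or self.dst_ip == p.dst_ip)
                and (self.dst_port is None or self.dst_port == p.dst_port))


def parse_ace(line: str) -> Ace:
    """Parse 'permit|deny tcp <src> [eq P] <dst> [eq P]'."""
    toks = line.split()
    if len(toks) < 4 or toks[0] not in ("permit", "deny") or toks[1] != "tcp":
        raise ValueError(f"unsupported entry: {line!r}")
    pos = 2

    def addr() -> Optional[str]:
        nonlocal pos
        if pos < len(toks) and toks[pos] == "any":
            pos += 1
            return None
        if pos + 1 < len(toks) and toks[pos] == "host":
            pos += 2
            return toks[pos - 1]
        raise ValueError(f"bad or missing address in {line!r}")

    def port() -> Optional[int]:
        nonlocal pos
        if pos + 1 < len(toks) and toks[pos] == "eq":
            pos += 2
            tok = toks[pos - 1]
            return PORT_NAMES.get(tok) or int(tok)
        return None

    src, sport = addr(), port()  # an 'eq' right after the source binds to the source port
    dst, dport = addr(), port()  # an 'eq' after the destination binds to the destination port
    if pos != len(toks):
        raise ValueError(f"trailing tokens in {line!r}")
    return Ace(toks[0], src, sport, dst, dport)


def acl_action(acl: List[str], p: Packet) -> str:
    """First-match evaluation with the implicit deny at the end of every ACL."""
    for line in acl:
        ace = parse_ace(line)
        if ace.matches(p):
            return ace.action
    return "deny"


# Constructed sample flows (server address is the one from the thread).
SERVER = "132.1.3.100"
CLIENT = "132.1.5.10"                            # constructed
SYN = Packet(CLIENT, 40123, SERVER, 25)          # client -> server
REPLY = Packet(SERVER, 25, CLIENT, 40123)        # server -> client (return traffic)
RELAY = Packet(SERVER, 50555, "192.0.2.25", 25)  # server opening a session to another MTA

R3_SG = ["permit tcp host 132.1.3.100 eq smtp any"]  # SG: SMTP_FROM_SERVER
R5_SG = ["permit tcp any host 132.1.3.100 eq smtp"]  # SG: SMTP_TO_SERVER
R3_NO_EQ = ["permit tcp host 132.1.3.100 any"]       # Tim's variant without 'eq'


def smtp_port_either_side(p: Packet) -> bool:
    """Simplified stand-in for 'match protocol smtp' (assumption: port 25 on
    either end). Real NBAR classification is stateful and not modelled."""
    return 25 in (p.src_port, p.dst_port)


def match_all_smtp(p: Packet) -> bool:
    """Tim's 'class-map match-all SMTP': both match statements must hit."""
    return smtp_port_either_side(p) and acl_action(R3_NO_EQ, p) == "permit"


if __name__ == "__main__":
    for name, p in (("SYN", SYN), ("REPLY", REPLY), ("RELAY", RELAY)):
        print(f"{name:5} R3_SG={acl_action(R3_SG, p):6} R5_SG={acl_action(R5_SG, p):6} "
              f"R3_NO_EQ={acl_action(R3_NO_EQ, p):6} match-all={match_all_smtp(p)}")
```

Running it shows the SG's R3 entry matching only the server-to-client packet and the R5 entry matching only the client-to-server packet, which is Marc's "server on port 25 to the client's variable port" reasoning made concrete. The RELAY packet is the case to watch when comparing Tim's variant with the SG: an ACL with no "eq" also permits the server's own outbound sessions, so whether the match-all class is equivalent depends entirely on what `match protocol smtp` classifies, which this stand-in only approximates.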



This archive was generated by hypermail 2.1.4 : Thu Dec 02 2004 - 06:57:46 GMT-3