Re: 'established' vs. reflexive acl

From: Dave Meyer (dave.meyer@db.com)
Date: Wed Mar 02 2005 - 18:09:00 GMT-3


Not totally... With the extended ACL you are allowing all TCP to be
tracked. With the second I assume you're allowing return telnet packets,
which would need to be telnet-sourced, or maybe you could change it to
tcp any eq telnet any est (just thinking out loud, haven't tried it).

Regards,
Dave
______________________________________________
Architecture & Engineering
Work: (201) 593-5545
Cell: (973) 907-4963

"John Matus" <john_matus@hotmail.com>
Sent by: nobody@groupstudy.com
03/02/2005 03:10 PM
Please respond to "John Matus"

        To: Dave Meyer/NewYork/DBNA/DeuBa@DBNA
        cc: ccielab@groupstudy.com
        Subject: Re: 'established' vs. reflexive acl

So what you are saying is that

access-l 101 permit tcp any any eq telnet established

is just about equal to

ip access-list extended inbound
 evaluate myreflect
ip access-list extended outbound
 permit tcp any any reflect myreflect...

>From: "Dave Meyer" <dave.meyer@db.com>
>To: "John Matus" <john_matus@hotmail.com>
>Subject: Re: 'established' vs. reflexive acl
>Date: Wed, 2 Mar 2005 14:50:16 -0500
>
>In the extended acl you're allowing telnet inbound then checking your
>reflexive list.
>
>The established ACL needs to have the SYN cleared in order to come in, so
>it won't allow inbound telnet.
>
>If you got rid of the first line "permit tcp any any eq telnet" then you
>would be checking outbound TCP & allowing
>return packets.
>
>
>Regards,
>Dave
>
>"John Matus" <john_matus@hotmail.com>
>Sent by: nobody@groupstudy.com
>03/02/2005 02:29 PM
>Please respond to "John Matus"
>
>
> To: ccielab@groupstudy.com
> cc:
> Subject: 'established' vs. reflexive acl
>
>
>I'm a bit confused about the difference between the following 2 ACLs.
>
>int e0/0
>ip access-group 101 in
>access-list 101 permit tcp any any eq telnet established
>
>AND
>
>int e0/0
>ip access-group inbound in
>ip access-group outbound out
>
>ip access-list extended inbound
> permit tcp any any eq telnet
> evaluate myreflect
>
>ip access-list extended outbound
> permit tcp any any reflect myreflect
>
>
>Does the established keyword only allow a session that was initiated
>outbound then return inbound?
>



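The following Python model is an added illustration of the point argued in this thread; it is not part of the original messages and not Cisco code. It approximates IOS behaviour as the thread describes it: the `established` keyword is a stateless test for the ACK or RST bit, while a reflexive ACL (`reflect` on the outbound list, `evaluate` on the inbound list) permits a return segment only if it mirrors a segment the router already forwarded outbound. Idle timeouts and FIN/RST teardown of reflexive entries are omitted, the `Packet` type and the hosts 10.0.0.5 and 192.0.2.10 are constructed, and the `static_inbound_telnet` switch is a hypothetical knob standing in for John's first inbound line.

```python
"""Model of the two filtering styles discussed in the thread.

Constructed example; it is not Cisco IOS code and only approximates IOS:
  - 'established' matches a TCP segment with ACK or RST set, statelessly.
  - a reflexive ACL ('reflect' outbound, 'evaluate' inbound) permits a
    return segment only if it mirrors a segment already sent outbound.
    Idle timeouts and FIN/RST teardown of the entries are omitted.
"""
from dataclasses import dataclass
from typing import FrozenSet

TELNET = 23


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: FrozenSet[str]  # subset of {"SYN", "ACK", "RST", "FIN"}


def _established(pkt: Packet) -> bool:
    """The 'established' keyword: ACK or RST bit set, nothing more."""
    return bool(pkt.flags & {"ACK", "RST"})


def acl_101_permits(pkt: Packet) -> bool:
    """access-list 101 permit tcp any any eq telnet established
    Applied inbound; matches only a *destination* port of 23."""
    return pkt.dport == TELNET and _established(pkt)


def acl_101_src_telnet_permits(pkt: Packet) -> bool:
    """Dave's variant: permit tcp any eq telnet any established
    Matches a *source* port of 23, i.e. replies from a telnet server."""
    return pkt.sport == TELNET and _established(pkt)


class ReflexiveFilter:
    """Inbound list 'evaluate myreflect'; outbound list
    'permit tcp any any reflect myreflect'."""

    def __init__(self, static_inbound_telnet: bool) -> None:
        # True reproduces John's first inbound line: permit tcp any any eq telnet
        self.static_inbound_telnet = static_inbound_telnet
        self.mirrored: set = set()

    def outbound(self, pkt: Packet) -> bool:
        # 'reflect' adds a temporary entry with addresses and ports swapped
        self.mirrored.add((pkt.dst, pkt.dport, pkt.src, pkt.sport))
        return True

    def inbound(self, pkt: Packet) -> bool:
        if self.static_inbound_telnet and pkt.dport == TELNET:
            return True  # the static line matches before 'evaluate' is reached
        # 'evaluate': permit only if a mirrored entry exists
        return (pkt.src, pkt.sport, pkt.dst, pkt.dport) in self.mirrored


def run_scenarios() -> dict:
    """Constructed traffic: inside host 10.0.0.5, outside telnet server 192.0.2.10."""
    inside, outside = "10.0.0.5", "192.0.2.10"
    out_syn = Packet(inside, 40000, outside, TELNET, frozenset({"SYN"}))
    reply = Packet(outside, TELNET, inside, 40000, frozenset({"SYN", "ACK"}))
    new_inbound_syn = Packet(outside, 50000, inside, TELNET, frozenset({"SYN"}))
    # an inbound segment with ACK set for which no outbound session exists
    unsolicited_ack = Packet(outside, TELNET, inside, 40000, frozenset({"ACK"}))

    r = {}
    # 1. John's ACL 101: the reply has dport 40000, so 'eq telnet' never matches
    r["acl101_reply"] = acl_101_permits(reply)
    r["acl101_new_inbound_syn"] = acl_101_permits(new_inbound_syn)
    # 2. Dave's source-port variant: replies pass and a bare SYN is dropped ...
    r["src_telnet_reply"] = acl_101_src_telnet_permits(reply)
    r["src_telnet_new_syn"] = acl_101_src_telnet_permits(new_inbound_syn)
    # ... but so does any ACK-flagged segment from port 23: there is no state
    r["src_telnet_unsolicited_ack"] = acl_101_src_telnet_permits(unsolicited_ack)
    # 3. Reflexive list with John's static telnet line: inbound telnet is open
    john = ReflexiveFilter(static_inbound_telnet=True)
    r["reflex_static_new_syn"] = john.inbound(new_inbound_syn)
    # 4. Reflexive list without it (Dave's suggestion): recorded state decides
    dave = ReflexiveFilter(static_inbound_telnet=False)
    r["reflex_ack_no_session"] = dave.inbound(unsolicited_ack)
    dave.outbound(out_syn)
    r["reflex_reply"] = dave.inbound(reply)
    r["reflex_new_syn"] = dave.inbound(new_inbound_syn)
    return r


if __name__ == "__main__":
    for name, verdict in run_scenarios().items():
        print(f"{name:30} {'permit' if verdict else 'deny'}")
```

Running it shows the three things the thread circles around: ACL 101 as John wrote it (`eq telnet` on the destination) never matches the server's reply at all; the source-port variant does, but it also admits any segment from port 23 that merely has ACK set, because `established` keeps no session table; and the reflexive list, once the static `permit tcp any any eq telnet` line is removed, admits the reply only after the matching outbound segment has been seen and still drops a fresh inbound SYN.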
This archive was generated by hypermail 2.1.4 : Sun Apr 03 2005 - 17:56:39 GMT-3