RE: Access List Configuration

From: simon hart (simon.hart@btinternet.com)
Date: Sat Mar 19 2005 - 19:47:57 GMT-3


Hi Kim,

Looks like you did all the hard work on this access-list, really do not want
to take anything away from it; you have even incorporated the DLSw+ thread
:)

I think you should look at the ICMP. The question was to allow pings. The
end of the question was to block all other traffic; therefore, for the ICMP
I would suggest

permit icmp any any echo

Also, out of interest, if you were confronted with such a question on the
Lab, would it be wise to incorporate both passive and active FTP as you have
done on the list?

Simon

-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com]On Behalf Of
Jongsoo.Kim@Intelsat.com
Sent: 19 March 2005 21:30
To: noble@inserviceindia.com; ccielab@groupstudy.com
Subject: RE: Access List Configuration

I assumed you have BGP, OSPF, RIP and DLSw+ running over this S0.
I just typed this from CD_DOC:

ip access-list extended INBOUND
 remark 1. Telnet only from sources with an odd last octet (wildcard tests bit 0)
 permit tcp 0.0.0.1 255.255.255.254 any eq telnet
 remark 2. FTP only for sessions established from the E0 subnet
 permit tcp any eq ftp 172.17.59.80 0.0.0.15 established
 permit tcp any eq ftp-data 172.17.59.80 0.0.0.15 established
 remark 3. TFTP, SMTP and WWW both ways
 permit udp any eq tftp any
 permit udp any any eq tftp
 permit tcp any eq smtp any
 permit tcp any any eq smtp
 permit tcp any eq www any
 permit tcp any any eq www
 remark 4. ICMP
 permit icmp any any
 remark 6. DLSw+ (TCP 2065 / UDP 2067)
 permit tcp any range 11000 11999 any eq 2065
 permit tcp any eq 2065 any range 11000 11999
 permit udp any eq 0 any eq 2067
 permit udp any eq 2067 any eq 0
 remark 6. Routing: OSPF, RIP, BGP; everything else hits the implicit deny
 permit ospf any any
 permit udp any eq rip any
 permit udp any any eq rip
 permit tcp any eq bgp any
 permit tcp any any eq bgp
!
interface Serial0
 ip access-group INBOUND in

Regards

Jongsoo
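To see what the list above actually admits on R5 S0, here is a small evaluator for IOS-style extended ACL entries run over a handful of constructed packets. This is an added example, not code from the thread or from Cisco: it models wildcard masks, `eq`/`range` port qualifiers, the `established` keyword (TCP ACK or RST bit present) and ICMP types, is stateless like a classic IOS ACL, and only the TCP DLSw+ entries are modelled. The addresses and packets are made up for illustration; `build_inbound(icmp_echo_only=True)` applies Simon's `permit icmp any any echo` suggestion in place of `permit icmp any any`.

```python
"""IOS extended ACL evaluator (added example, not from the thread).

Models wildcard masks, port qualifiers, 'established' (TCP ACK/RST set)
and ICMP types. Stateless, like a classic IOS ACL. Sample packets below
are constructed; only the TCP DLSw+ entries of the list are modelled.
"""
import ipaddress
from dataclasses import dataclass

ANY_PORT = (0, 65535)   # inclusive range meaning "no port qualifier"


@dataclass(frozen=True)
class Packet:
    proto: str              # "tcp", "udp", "icmp" or "ospf"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    ack: bool = False       # TCP ACK or RST flag present
    icmp_type: str = ""     # "echo", "echo-reply", ...


@dataclass(frozen=True)
class Entry:
    action: str             # "permit" or "deny"
    proto: str
    src: str = "0.0.0.0"                # "any" == 0.0.0.0 255.255.255.255
    src_wc: str = "255.255.255.255"
    sports: tuple = ANY_PORT            # "eq N" -> (N, N); "range A B" -> (A, B)
    dst: str = "0.0.0.0"
    dst_wc: str = "255.255.255.255"
    dports: tuple = ANY_PORT
    established: bool = False
    icmp_type: str = ""


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """IOS wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    return ((a ^ b) & ~w & 0xFFFFFFFF) == 0


def entry_matches(e: Entry, p: Packet) -> bool:
    if e.proto != p.proto:
        return False
    if not (wildcard_match(p.src, e.src, e.src_wc)
            and wildcard_match(p.dst, e.dst, e.dst_wc)):
        return False
    if p.proto in ("tcp", "udp") and not (
            e.sports[0] <= p.sport <= e.sports[1]
            and e.dports[0] <= p.dport <= e.dports[1]):
        return False
    if e.established and not p.ack:
        return False        # a bare SYN never matches 'established'
    if e.icmp_type and p.icmp_type != e.icmp_type:
        return False
    return True


def evaluate(acl: list, p: Packet) -> str:
    """First matching entry wins; anything unmatched hits the implicit deny."""
    for e in acl:
        if entry_matches(e, p):
            return e.action
    return "deny"


def eq(port: int) -> tuple:
    return (port, port)


E0, E0_WC = "172.17.59.80", "0.0.0.15"          # R5's E0 subnet, per the question
TELNET, FTP, FTP_DATA, TFTP, SMTP, WWW, BGP, RIP, DLSW = 23, 21, 20, 69, 25, 80, 179, 520, 2065


def build_inbound(icmp_echo_only: bool) -> list:
    """The thread's INBOUND list; icmp_echo_only applies the 'echo' refinement."""
    icmp = Entry("permit", "icmp", icmp_type="echo") if icmp_echo_only else Entry("permit", "icmp")
    return [
        Entry("permit", "tcp", "0.0.0.1", "255.255.255.254", dports=eq(TELNET)),
        Entry("permit", "tcp", sports=eq(FTP), dst=E0, dst_wc=E0_WC, established=True),
        Entry("permit", "tcp", sports=eq(FTP_DATA), dst=E0, dst_wc=E0_WC, established=True),
        Entry("permit", "udp", sports=eq(TFTP)), Entry("permit", "udp", dports=eq(TFTP)),
        Entry("permit", "tcp", sports=eq(SMTP)), Entry("permit", "tcp", dports=eq(SMTP)),
        Entry("permit", "tcp", sports=eq(WWW)), Entry("permit", "tcp", dports=eq(WWW)),
        icmp,
        Entry("permit", "tcp", sports=(11000, 11999), dports=eq(DLSW)),   # DLSw+ TCP
        Entry("permit", "tcp", sports=eq(DLSW), dports=(11000, 11999)),
        Entry("permit", "ospf"),
        Entry("permit", "udp", sports=eq(RIP)), Entry("permit", "udp", dports=eq(RIP)),
        Entry("permit", "tcp", sports=eq(BGP)), Entry("permit", "tcp", dports=eq(BGP)),
    ]


# Constructed packets arriving inbound on R5 S0 (hosts/ports are illustrative).
SAMPLES = {
    "telnet_from_odd_host":  Packet("tcp", "172.17.59.65", "172.17.59.81", 40001, TELNET),
    "telnet_from_even_host": Packet("tcp", "172.17.59.66", "172.17.59.81", 40002, TELNET),
    "ftp_ctrl_reply_to_e0":  Packet("tcp", "172.17.59.65", "172.17.59.81", FTP, 40003, ack=True),
    "ftp_ctrl_syn_from_s0":  Packet("tcp", "172.17.59.65", "172.17.59.81", 40004, FTP),
    "active_ftp_data_syn":   Packet("tcp", "172.17.59.65", "172.17.59.81", FTP_DATA, 40005),
    "ping_request":          Packet("icmp", "10.0.0.1", "172.17.59.81", icmp_type="echo"),
    "ping_reply_to_e0":      Packet("icmp", "10.0.0.1", "172.17.59.81", icmp_type="echo-reply"),
    "ospf_hello":            Packet("ospf", "172.17.59.65", "224.0.0.5"),
    "bgp_syn_to_r5":         Packet("tcp", "172.17.59.65", "172.17.59.81", 50000, BGP),
    "ssh_attempt":           Packet("tcp", "172.17.59.65", "172.17.59.81", 50001, 22),
}


def classify(icmp_echo_only: bool = True) -> dict:
    """Verdict per sample packet for the list built with the given ICMP choice."""
    acl = build_inbound(icmp_echo_only)
    return {name: evaluate(acl, pkt) for name, pkt in SAMPLES.items()}
```

Two things the run makes visible that the list alone does not. First, `established` is not a stateful check: it only tests the ACK/RST bits, so an active-mode FTP data connection, which arrives as a SYN from port 20, is dropped by the `ftp-data ... established` line, while any crafted packet with ACK set from port 21 or 20 towards the E0 subnet gets through; that is the active/passive question raised above. Second, `permit icmp any any echo` admits echo requests from anywhere but drops the echo replies to pings that hosts behind E0 send out through S0, whereas `permit icmp any any` admits both, so the choice depends on which direction "allow pings" is meant to cover.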

-----Original Message-----
From: Noble [mailto:noble@inserviceindia.com]
Sent: Saturday, March 19, 2005 4:03 PM
To: GroupStudy - Posting
Subject: Access List Configuration

Hi,

Can anyone help me in configuring the following access-list?

172.17.59.64/28
        |
        S0
        |
        R5
        |
        E0
        |
    VLAN50
        |
172.17.59.80/28

Configure an inbound access list called INBOUND on R5 S0 that satisfies the
following.

1. Telnet sessions are permitted only if originated from IP addresses whose
last octet is an odd number.
2. FTP sessions are permitted only if established from R5's E0 subnet.
3. TFTP, SMTP and WWW are permitted both ways.
4. Allow pings from anywhere.
5. Confirm connectivity after applying the access list. Verify that a telnet
to R5's E0 from R2's S0/0 fails but a telnet from R2's Fa0/0 works.
6. Ensure that routing and DLSw+ work while explicitly denying all other
traffic.

Any suggestion will be highly appreciated.

Thanks,

Noble



This archive was generated by hypermail 2.1.4 : Sun Apr 03 2005 - 17:56:48 GMT-3