From: Dennis J. Hartmann (dennisjhartmann@hotmail.com)
Date: Mon Mar 21 2005 - 15:20:56 GMT-3
What is UDP port 2067 doing in your DLSw ACL? I know about TCP port
2065, but I can't find anything on UDP 2067.
-Dennis
-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
Jongsoo.Kim@Intelsat.com
Sent: Saturday, March 19, 2005 10:25 PM
To: simon.hart@btinternet.com; noble@inserviceindia.com;
ccielab@groupstudy.com
Subject: RE: Access List Configuration
Yeah, that's right.
After I sent the email, I realised ICMP should be more specific.
I can lose the precious point for that!
I think echo and echo-reply have to be taken care of.
permit icmp any any echo
permit icmp any any echo-reply
For FTP, it would always be safer to consider active FTP (ftp and ftp-data).
For this reason, CCO says that you can't use reflexive ACLs for FTP.
Jongsoo
-----Original Message-----
From: simon hart [mailto:simon.hart@btinternet.com]
Sent: Saturday, March 19, 2005 5:48 PM
To: Kim, Jongsoo; noble@inserviceindia.com; ccielab@groupstudy.com
Subject: RE: Access List Configuration
Hi Kim,
Looks like you did all the hard work on this access-list; I really do not want
to take anything away from it - you have even incorporated the DLSw+ thread
:)
I think you should look at the ICMP. The question was to allow pings. The
end of the question was to block all other traffic, therefore for the icmp
I would suggest
permit icmp any any echo
Also, out of interest, if you were confronted with such a question on the
lab, would it be wise to incorporate both passive and active FTP as you have
done on the list?
Simon
-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com]On Behalf Of
Jongsoo.Kim@Intelsat.com
Sent: 19 March 2005 21:30
To: noble@inserviceindia.com; ccielab@groupstudy.com
Subject: RE: Access List Configuration
I assumed you have BGP, OSPF, RIP and DLSw+ running over this S0.
I just typed this from CD_DOC:
ip access-list extended inbound
 remark telnet only from sources with an odd last octet
 permit tcp 0.0.0.1 255.255.255.254 any eq telnet
 remark FTP (active and passive) only if established from the E0 subnet
 permit tcp any eq ftp 172.17.59.80 0.0.0.15 established
 permit tcp any eq ftp-data 172.17.59.80 0.0.0.15 established
 remark TFTP, SMTP and WWW both ways
 permit udp any eq tftp any
 permit udp any any eq tftp
 permit tcp any eq smtp any
 permit tcp any any eq smtp
 permit tcp any eq www any
 permit tcp any any eq www
 remark ICMP
 permit icmp any any
 remark DLSw+
 permit tcp any range 11000 11999 any eq 2065
 permit tcp any eq 2065 any range 11000 11999
 permit udp any eq 0 any eq 2067
 permit udp any eq 2067 any eq 0
 remark OSPF
 permit ospf any any
 remark RIP
 permit udp any eq rip any
 permit udp any any eq rip
 remark BGP
 permit tcp any eq bgp any
 permit tcp any any eq bgp
!
interface Serial0
 ip access-group inbound in
Regards
Jongsoo
-----Original Message-----
From: Noble [mailto:noble@inserviceindia.com]
Sent: Saturday, March 19, 2005 4:03 PM
To: GroupStudy - Posting
Subject: Access List Configuration
Hi,
Can anyone help me in configuring the following access-list?
172.17.59.64/28
|
S0
|
R5
|
E0
|
VLAN50
|
172.17.59.80/28
Configure an inbound access list called INBOUND on R5 S0 that satisfies the
following.
1. Telnet sessions are permitted only if originated from IP addresses whose
last octet is an odd number.
2. FTP sessions are permitted only if established from R5's E0 subnet.
3. TFTP, SMTP and WWW are permitted both ways.
4. Allow pings from anywhere.
5. Confirm connectivity after applying the access list. Verify that a telnet
to R5's E0 from R2's S0/0 fails but a telnet from R2's Fa0/0 works.
6. Ensure that routing and DLSw+ work while explicitly denying all other
traffic.
Any suggestion will be highly appreciated.
Thanks,
Noble
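An added example, not part of the thread, that models the telnet and FTP rules from the posted ACL in Python so the odd-last-octet wildcard (0.0.0.1 255.255.255.254) and the "established" check can be verified offline. The flow tuples, the rule layout and the `ack` flag standing in for the ACK/RST bits are constructed assumptions for illustration.

```python
"""Minimal Cisco-style ACL evaluator for the telnet and FTP rules above."""
import ipaddress


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Cisco wildcard semantics: a 0 bit in the mask must match, a 1 bit is ignored."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (b & care)


# Constructed rule table: (proto, src, src_wc, sport, dst, dst_wc, dport, established)
# 'any' is written as 0.0.0.0 255.255.255.255; None means "no port check".
ACL = [
    ("tcp", "0.0.0.1", "255.255.255.254", None, "0.0.0.0", "255.255.255.255", 23, False),
    ("tcp", "0.0.0.0", "255.255.255.255", 21, "172.17.59.80", "0.0.0.15", None, True),
    ("tcp", "0.0.0.0", "255.255.255.255", 20, "172.17.59.80", "0.0.0.15", None, True),
]


def acl_permits(proto: str, src: str, sport: int, dst: str, dport: int, ack: bool = False) -> bool:
    """First matching rule wins; an unmatched packet hits the implicit deny."""
    for p, sa, sw, sp, da, dw, dp, established in ACL:
        if p != proto or not wildcard_match(src, sa, sw) or not wildcard_match(dst, da, dw):
            continue
        if sp is not None and sp != sport:
            continue
        if dp is not None and dp != dport:
            continue
        # 'established' only matches segments carrying ACK or RST (modelled by 'ack'),
        # so an inbound SYN from port 21 toward the E0 subnet is still dropped.
        if established and not ack:
            continue
        return True
    return False


if __name__ == "__main__":
    print(acl_permits("tcp", "172.17.59.65", 40000, "172.17.59.81", 23))   # odd octet -> True
    print(acl_permits("tcp", "172.17.59.66", 40000, "172.17.59.81", 23))   # even octet -> False
    print(acl_permits("tcp", "10.0.0.1", 21, "172.17.59.81", 50000, ack=True))  # FTP reply -> True
    print(acl_permits("tcp", "10.0.0.1", 21, "172.17.59.81", 50000))            # bare SYN -> False
```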
This archive was generated by hypermail 2.1.4 : Sun Apr 03 2005 - 17:56:49 GMT-3