From: Jongsoo.Kim@Intelsat.com
Date: Mon Mar 21 2005 - 15:43:33 GMT-3
DLSw TCP remote connections use TCP and UDP by default unless UDP is disabled.
From the IANA website http://www.iana.org/assignments/port-numbers I found:
dlsrpn 2065/tcp Data Link Switch Read Port Number
dlsrpn 2065/udp Data Link Switch Read Port Number
dlswpn 2067/tcp Data Link Switch Write Port Number
dlswpn 2067/udp Data Link Switch Write Port Number
Cisco implemented 2064 tcp and 2065 udp for DLSw, which is revised from the
original RFC.
Based on some other thread, I would modify the DLSw entries like the following by
removing the random port assignment.
I think the range of random TCP and UDP port assignment used to create a socket
is not necessary.
At the end of the day, no application except DLSw can use TCP/UDP ports 2065 and
2067.
1) Per Cisco, since UDP is not used for 2065 and TCP is not used for 2067:
! DLSw+
permit tcp any any eq 2065
permit tcp any eq 2065 any
permit udp any any eq 2067
permit udp any eq 2067 any
Or 2) based on the original RFC ####:
! DLSw+
permit tcp any any eq 2065
permit tcp any eq 2065 any
permit udp any any eq 2065
permit udp any eq 2065 any
permit tcp any any eq 2067
permit tcp any eq 2067 any
permit udp any any eq 2067
permit udp any eq 2067 any
Either one should be fine.
Regards
Jongsoo
-----Original Message-----
From: Dennis J. Hartmann [mailto:dennisjhartmann@hotmail.com]
Sent: Monday, 21 March, 2005 1:21 PM
To: Kim, Jongsoo; simon.hart@btinternet.com; noble@inserviceindia.com;
ccielab@groupstudy.com
Subject: RE: Access List Configuration
What is UDP port 2067 doing in your DLSw ACL? I know about TCP port
2065, but I can't find anything on UDP 2067.
-Dennis
-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
Jongsoo.Kim@Intelsat.com
Sent: Saturday, March 19, 2005 10:25 PM
To: simon.hart@btinternet.com; noble@inserviceindia.com;
ccielab@groupstudy.com
Subject: RE: Access List Configuration
Yeah, that's right.
After I sent the email, I realised ICMP should be more specific.
I can lose the precious point for that!
I think echo and echo-reply have to be taken care of.
permit icmp any any echo
permit icmp any any echo-reply
For FTP, it would always be safer to consider active FTP (ftp and ftp-data).
For this reason, CCO says that you can't use a reflexive ACL for FTP.
Jongsoo
-----Original Message-----
From: simon hart [mailto:simon.hart@btinternet.com]
Sent: Saturday, March 19, 2005 5:48 PM
To: Kim, Jongsoo; noble@inserviceindia.com; ccielab@groupstudy.com
Subject: RE: Access List Configuration
Hi Kim,
Looks like you did all the hard work on this access-list; I really do not want
to take anything away from it. You have even incorporated the DLSw+ thread
:)
I think you should look at the ICMP. The question was to allow pings. The
end of the question was to block all other traffic, therefore for the ICMP
I would suggest:
permit icmp any any echo
Also, out of interest, if you were confronted with such a question on the
lab, would it be wise to incorporate both passive and active FTP as you have
done on the list?
Simon
-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
Jongsoo.Kim@Intelsat.com
Sent: 19 March 2005 21:30
To: noble@inserviceindia.com; ccielab@groupstudy.com
Subject: RE: Access List Configuration
I assumed you have BGP, OSPF, RIP and DLSw+ running over this S0.
I just typed this from the CD_DOC:
ip access-list extended inbound
permit tcp 0.0.0.1 255.255.255.254 any eq telnet
permit tcp any eq ftp 172.17.59.80 0.0.0.15 established
permit tcp any eq ftp-data 172.17.59.80 0.0.0.15 established
permit udp any eq tftp any
permit udp any any eq tftp
permit tcp any eq smtp any
permit tcp any any eq smtp
permit tcp any eq www any
permit tcp any any eq www
! ICMP
permit icmp any any
! DLSw+
permit tcp any range 11000 11999 any eq 2065
permit tcp any eq 2065 any range 11000 11999
permit udp any eq 0 any eq 2067
permit udp any eq 2067 any eq 0
! OSPF
permit ospf any any
! RIP
permit udp any eq rip any
permit udp any any eq rip
! BGP
permit tcp any eq bgp any
permit tcp any any eq bgp
!
interface Serial0
ip access-group inbound in
Regards
Jongsoo
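To check what a list like the one above actually admits, here is an added Python example (not from the thread) that parses a constructed subset of this INBOUND list into a first-match evaluator with the implicit deny, using the fixed-port DLSw entries proposed later in the thread in place of the 11000-11999 source-port range. `parse_ace`, `evaluate` and the packet fields are my names, and only `any`/`host`/wildcard addresses, `eq` ports, `established` and a single ICMP type keyword are handled.

```python
import ipaddress

PORTS = {"telnet": 23, "ftp": 21, "ftp-data": 20}   # named ports used below
# Constructed subset of the thread's INBOUND list; the DLSw entries use the
# fixed ports proposed later in the thread (no 11000-11999 source-port range).
INBOUND = [
    "permit tcp 0.0.0.1 255.255.255.254 any eq telnet",
    "permit tcp any eq ftp 172.17.59.80 0.0.0.15 established",
    "permit icmp any any echo",
    "permit tcp any any eq 2065",
    "permit udp any any eq 2067",
]

def _addr(tok):
    # any | host A.B.C.D | A.B.C.D WILDCARD  ->  (base, wildcard) as ints
    t = tok.pop(0)
    if t == "any":
        return 0, 0xFFFFFFFF
    base = int(ipaddress.IPv4Address(tok.pop(0) if t == "host" else t))
    return base, 0 if t == "host" else int(ipaddress.IPv4Address(tok.pop(0)))
def _port(tok):
    # optional "eq PORT" operator; None matches any port
    if not tok or tok[0] != "eq":
        return None
    p = PORTS.get(tok[1]) or int(tok[1])
    del tok[:2]
    return p
def parse_ace(line):
    # action proto SRC [eq P] DST [eq P] [established | icmp-type]
    tok = line.split()
    ace, rest = {"action": tok[0], "proto": tok[1]}, tok[2:]
    ace["src"], ace["sport"] = _addr(rest), _port(rest)
    ace["dst"], ace["dport"] = _addr(rest), _port(rest)
    ace["extra"] = set(rest)
    return ace
def _match_addr(ip, spec):
    base, wild = spec            # a set wildcard bit means "don't care"
    return ((int(ipaddress.IPv4Address(ip)) ^ base) & ~wild & 0xFFFFFFFF) == 0

def evaluate(acl, proto, src, dst, sport=None, dport=None, ack=False, icmp_type=None):
    # First match wins; fall through to the implicit deny at the end of every IOS ACL
    for ace in map(parse_ace, acl):
        if (ace["proto"] not in (proto, "ip")
                or not _match_addr(src, ace["src"]) or not _match_addr(dst, ace["dst"])
                or ace["sport"] not in (None, sport) or ace["dport"] not in (None, dport)
                or ("established" in ace["extra"] and not ack)   # reply packets only
                or (ace["extra"] - {"established"} and icmp_type not in ace["extra"])):
            continue
        return ace["action"]
    return "deny"
```

The odd-last-octet rule works because wildcard 255.255.255.254 leaves only the lowest bit significant, so the telnet entry matches 172.17.59.81 but not 172.17.59.82.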
-----Original Message-----
From: Noble [mailto:noble@inserviceindia.com]
Sent: Saturday, March 19, 2005 4:03 PM
To: GroupStudy - Posting
Subject: Access List Configuration
Hi,
Can anyone help me in configuring the following access-list?
172.17.59.64/28
|
S0
|
R5
|
E0
|
VLAN50
|
172.17.59.80/28
Configure an inbound access list called INBOUND on R5 S0 that satisfies the
following.
1. Telnet sessions are permitted only if originated from IP addresses whose
last octet is an odd number.
2. FTP sessions are permitted only if established from R5's E0 subnet.
3. TFTP, SMTP and WWW are permitted both ways.
4. Allow pings from anywhere.
5. Confirm connectivity after applying the access list. Verify that a telnet
to R5's E0 from R2's S0/0 fails but a telnet from R2's Fa0/0 works.
6. Ensure that routing and DLSw+ work while explicitly denying all other
traffic.
Any suggestion will be highly appreciated.
Thanks,
Noble
This archive was generated by hypermail 2.1.4 : Sun Apr 03 2005 - 17:56:49 GMT-3