Re: Access List Question

From: Jelle Borsje (borsjej@yahoo.dk)
Date: Fri Apr 08 2005 - 10:39:26 GMT-3


Hej Mani,

With ICMP it works a bit differently than with UDP/TCP.
With ICMP matching you are indicating the TYPE of
packet. In the case of a ping, ICMP type echo-reply
will be a response to an ICMP echo packet.
With UDP/TCP you are indicating a port number ("eq
www" is nothing more than "eq 80"). Traffic one way is
targeting port 80, and the return traffic comes from
port 80. Also notice the missing "eq" keyword, because
we are not matching port numbers.

Also have a look at the following Cisco output:

access 103 permit icmp any ?
  A.B.C.D Destination address
  any Any destination host
  host A single destination host

and:

access 103 permit icmp any any ?
  <0-255> ICMP message type
  administratively-prohibited Administratively prohibited
...
  echo Echo (ping)
  echo-reply Echo reply
...

You cannot enter the ICMP packet type after the first
any. Hope this helps.

Greetz
Jelle

--- mani poopal <mani_ccie@yahoo.com> wrote:
> Hi,
>
> Why not add these two lines as well
> access-list 103 permit icmp any echo any
> access-list 103 permit icmp any echo-reply any
>
> Mani
>
> Jelle Borsje <borsjej@yahoo.dk> wrote:
> Hej,
>
> The 'both ways' seems to indicate that you need to
> allow return traffic as well:
>
> access-list 103 permit icmp any any echo
> access-list 103 permit icmp any any echo-reply
> access-list 103 permit udp any any eq tftp
> access-list 103 permit tcp any any eq smtp
> access-list 103 permit tcp any any eq www
>
> I would add:
>
> access-list 103 permit udp any eq tftp any
> access-list 103 permit tcp any eq smtp any
> access-list 103 permit tcp any eq www any
>
> That would allow traffic from a server back to a
> client. Does that make sense?
>
> Greetz
> Jelle
>
> --- "T. N. Noble" wrote:
> > Hi,
> >
> > How do you interpret the following question?
> >
> > Configure an inbound access list 103 on R3's
> > loopback 0 that satisfies the
> > below mentioned criteria.
> >
> > 1. TFTP, SMTP, and WWW traffic are permitted both
> > ways.
> > 2. ICMP ping traffic is permitted from everywhere.
> > 3. All other traffic is implicitly denied.
> >
> >
> > My answer is.... It seems that something is wrong
> > with it. What is the
> > question trying to explore by saying "both ways"
> > and "everywhere"?
> >
> >
> > access-list 103 permit icmp any any echo
> > access-list 103 permit icmp any any echo-reply
> > access-list 103 permit udp any any eq tftp
> > access-list 103 permit tcp any any eq smtp
> > access-list 103 permit tcp any any eq www
> >
> >
> > Any suggestion will be appreciated.
> >
> > Thanks,
> >
> > Noble
> >
> >
>
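The two points made in this thread, that the ICMP message type may only follow the destination address while TCP/UDP entries match a port with "eq" on either side, and that Noble's five lines alone do not admit the servers' return traffic, can be checked with a small evaluator. The code below is an added example and is not part of the mailing-list posts or of Cisco IOS; it models only the subset of extended ACL syntax used in the thread (permit/deny, icmp/tcp/udp, "any" or "host A.B.C.D", an optional "eq <port>" after source and/or destination for tcp/udp, an optional ICMP type after the destination for icmp, and the implicit deny at the end). The port-name and ICMP-type tables, the sample packets and the addresses 10.0.0.1 / 10.0.0.2 are constructed for the example.

```python
# Added example, not code from the thread: a toy evaluator for the extended
# ACL syntax these messages use. Assumed subset: permit/deny; icmp/tcp/udp;
# 'any' or 'host A.B.C.D' addresses; optional 'eq <port>' after source and/or
# destination for tcp/udp; optional ICMP type after the destination for icmp.
# PORT_NAMES and ICMP_TYPES are constructed subsets of the IOS keyword tables.
from dataclasses import dataclass
from typing import List, Optional

PORT_NAMES = {"www": 80, "smtp": 25, "tftp": 69}
ICMP_TYPES = {"echo": 8, "echo-reply": 0}


@dataclass
class Packet:
    proto: str
    src: str
    dst: str
    sport: Optional[int] = None      # tcp/udp only
    dport: Optional[int] = None      # tcp/udp only
    icmp_type: Optional[int] = None  # icmp only


@dataclass
class Entry:
    action: str
    proto: str
    src: Optional[str]        # None == any
    sport: Optional[int]      # None == no 'eq' qualifier
    dst: Optional[str]
    dport: Optional[int]
    icmp_type: Optional[int]  # None == any ICMP type


def parse_entry(line: str) -> Entry:
    """Parse 'access-list N permit|deny proto ...'. Raises ValueError where
    IOS would reject the line, e.g. an ICMP type in the destination slot."""
    toks = line.split()
    if len(toks) < 6 or toks[0] != "access-list":
        raise ValueError(f"not an extended access-list entry: {line!r}")
    action, proto = toks[2], toks[3]
    if action not in ("permit", "deny") or proto not in ("icmp", "tcp", "udp"):
        raise ValueError(f"unsupported action/protocol in: {line!r}")
    i = 4

    def address() -> Optional[str]:
        nonlocal i
        if i < len(toks) and toks[i] == "any":
            i += 1
            return None
        if i + 1 < len(toks) and toks[i] == "host":
            i += 2
            return toks[i - 1]
        raise ValueError(f"expected 'any' or 'host A.B.C.D' at token {i}: {line!r}")

    def port() -> Optional[int]:
        nonlocal i
        # 'eq' qualifiers exist only for tcp/udp; ICMP has no ports.
        if proto != "icmp" and i + 1 < len(toks) and toks[i] == "eq":
            name, i = toks[i + 1], i + 2
            return PORT_NAMES[name] if name in PORT_NAMES else int(name)
        return None

    src, sport, dst, dport, icmp_type = address(), port(), address(), port(), None
    if proto == "icmp" and i < len(toks):  # type keyword only after both addresses
        name, i = toks[i], i + 1
        icmp_type = ICMP_TYPES[name] if name in ICMP_TYPES else int(name)
    if i != len(toks):
        raise ValueError(f"unexpected token {toks[i]!r} in: {line!r}")
    return Entry(action, proto, src, sport, dst, dport, icmp_type)


def matches(e: Entry, p: Packet) -> bool:
    if e.proto != p.proto or e.src not in (None, p.src) or e.dst not in (None, p.dst):
        return False
    if e.proto == "icmp":
        return e.icmp_type in (None, p.icmp_type)
    return e.sport in (None, p.sport) and e.dport in (None, p.dport)


def evaluate(acl: List[Entry], p: Packet) -> str:
    """First match wins; every IOS ACL ends with an implicit deny."""
    return next((e.action for e in acl if matches(e, p)), "deny")


def parse_acl(text: str) -> List[Entry]:
    return [parse_entry(l) for l in text.strip().splitlines()]


# Noble's five original lines, then the three return-traffic lines Jelle added.
ORIGINAL = parse_acl("""
access-list 103 permit icmp any any echo
access-list 103 permit icmp any any echo-reply
access-list 103 permit udp any any eq tftp
access-list 103 permit tcp any any eq smtp
access-list 103 permit tcp any any eq www
""")
WITH_RETURN = ORIGINAL + parse_acl("""
access-list 103 permit udp any eq tftp any
access-list 103 permit tcp any eq smtp any
access-list 103 permit tcp any eq www any
""")

# Constructed sample packets: a web request, the server's reply, a ping reply.
REQUEST = Packet("tcp", "10.0.0.1", "10.0.0.2", sport=40000, dport=80)
REPLY = Packet("tcp", "10.0.0.2", "10.0.0.1", sport=80, dport=40000)
PING_REPLY = Packet("icmp", "10.0.0.2", "10.0.0.1", icmp_type=0)
```

Running `evaluate(ORIGINAL, REPLY)` returns "deny" (the reply has destination port 40000, so "eq www" on the destination never matches), while `evaluate(WITH_RETURN, REPLY)` returns "permit" through the "permit tcp any eq www any" line. Feeding `parse_entry` the line from Mani's message, "access-list 103 permit icmp any echo any", raises ValueError because after the first "any" the parser, like the IOS prompt shown above, accepts only a destination address.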



This archive was generated by hypermail 2.1.4 : Tue May 03 2005 - 07:54:55 GMT-3