From: Koen Zeilstra (koen@koenzeilstra.com)
Date: Mon May 22 2006 - 08:53:02 ART
Hi group,
When you are asked on the exam to permit/shape/police HTTP/FTP traffic
from a VLAN to a server, would you need to apply the same for the returning
traffic?
So would this be enough:
ip access-list ext HTTP
 permit tcp 10.0.0.0 0.0.0.255 host 200.200.1.1 eq www
!
ip access-list ext FTP
 permit tcp 10.0.0.0 0.0.0.255 host 200.200.1.1 eq ftp
 permit tcp 10.0.0.0 0.0.0.255 host 200.200.1.1 eq ftp-data
or this (the web server uses port 80 to respond; Apache does so in its
default configuration):
ip access-list ext HTTP
 permit tcp 10.0.0.0 0.0.0.255 host 200.200.1.1 eq www
 permit tcp host 200.200.1.1 eq www 10.0.0.0 0.0.0.255
!
ip access-list ext FTP
 permit tcp 10.0.0.0 0.0.0.255 host 200.200.1.1 eq ftp
 ! return control traffic:
 permit tcp host 200.200.1.1 eq ftp 10.0.0.0 0.0.0.255
 permit tcp 10.0.0.0 0.0.0.255 host 200.200.1.1 eq ftp-data
 ! passive ftp data response
 permit tcp host 200.200.1.1 eq ftp-data 10.0.0.0 0.0.0.255
 ! active ftp data response
 permit tcp host 200.200.1.1 10.0.0.0 0.0.0.255 eq ftp-data
!
Should the wording use terms such as "between" to make it clear?
Thanks,
Koen
-----------------------
If two wrongs don't make a right, try three.
-- Laurence J. Peter
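To see what the second FTP list in the question actually matches in the server-to-client direction, here is an added Python evaluator for the "permit tcp" syntax used above; it is not part of Koen's post and not IOS code, and the client address 10.0.0.5, the ephemeral port numbers and the flow labels are assumed.

```python
import ipaddress
PORTS = {"www": 80, "ftp": 21, "ftp-data": 20}  # port names used in the post's ACLs

def _endpoint(tokens):
    """Consume 'host A' or 'A WILDCARD', then an optional 'eq <name|number>'."""
    if tokens[0] == "host":
        net, rest = ipaddress.ip_network(tokens[1]), tokens[2:]
    else:  # ipaddress accepts an IOS wildcard (host mask) after the slash
        net, rest = ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}"), tokens[2:]
    if rest[:1] == ["eq"]:
        return net, PORTS.get(rest[1]) or int(rest[1]), rest[2:]
    return net, None, rest

def parse_acl(text):
    """Rules from 'permit|deny tcp SRC [eq P] DST [eq P]' lines; other lines are skipped."""
    rules = []
    for line in text.splitlines():
        tokens = line.split()
        if tokens and tokens[0] in ("permit", "deny"):
            src, sport, rest = _endpoint(tokens[2:])  # tokens[1] is the protocol
            dst, dport, _ = _endpoint(rest)
            rules.append((tokens[0], src, sport, dst, dport))
    return rules

def permitted(rules, src_ip, sport, dst_ip, dport):
    """First-match evaluation with the implicit 'deny any' at the end."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for action, src, sp, dst, dp in rules:
        if s in src and d in dst and sp in (None, sport) and dp in (None, dport):
            return action == "permit"
    return False

# Constructed server->client flows; client 10.0.0.5 and the ephemeral ports are assumed
RETURN_FLOWS = {
    "ftp control reply": ("200.200.1.1", 21, "10.0.0.5", 40001),
    "active ftp data (server port 20)": ("200.200.1.1", 20, "10.0.0.5", 40002),
    "passive ftp data (both ports ephemeral)": ("200.200.1.1", 50000, "10.0.0.5", 40003),
}

def check_returns(acl_text):
    """Which return flows the list permits if applied to server->client traffic."""
    rules = parse_acl(acl_text)
    return {name: permitted(rules, *flow) for name, flow in RETURN_FLOWS.items()}

FTP_BOTH_WAYS = """permit tcp 10.0.0.0 0.0.0.255 host 200.200.1.1 eq ftp
permit tcp host 200.200.1.1 eq ftp 10.0.0.0 0.0.0.255
permit tcp 10.0.0.0 0.0.0.255 host 200.200.1.1 eq ftp-data
permit tcp host 200.200.1.1 eq ftp-data 10.0.0.0 0.0.0.255
permit tcp host 200.200.1.1 10.0.0.0 0.0.0.255 eq ftp-data"""
```

The control reply and the active-mode data connection (server source port 20) match, but the passive-mode data connection, whose ports are both ephemeral, matches no line, so a return rule keyed on a well-known port cannot cover it.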
This archive was generated by hypermail 2.1.4 : Thu Jun 01 2006 - 06:33:22 ART