From: Luca Hall (lhall@setnine.com)
Date: Sat Mar 22 2008 - 18:05:09 ART
I would say ftp traffic going from x to y would imply that x is the client
and y is the server, since if y was the client you would generally say
something like from y to x or return ftp control/data/traffic.
So if it goes x --> fw -- y; permit tcp host x host y eq 21.
Not taking into account control, passive, active etc.
> Hi GS:
>
> Two quick questions for you all.
>
> Having trouble with determining which "side" of an ACL you match ports on.
>
> For example:
>
> -We are told to match FTP traffic going from X to Y. Is the ACL like
> option (1) or (2)?
> (1) access-list 101 permit tcp host [x] eq ftp host [y]
> (2) access-list 101 permit tcp host [x] host [y] eq ftp
>
> What is a good way to determine this?
>
> Also, with NAT, I have a question. I set up a translation as below:
>
> R1--->R2--->R3
>
> R2:
> int fa0/1 (to R1)
> ip nat inside
> ip add 1.1.1.2
>
> int fa0/2 (to R2)
> ip nat outside
> ip add 2.2.2.1
>
> ip nat inside source list 101 interface fa0/2 overload
>
>
> access-list 101 permit icmp any any
>
> Wouldn't this cause any ICMP traffic (i.e. ping) that R1 sends to R3 to have
> its source address translated from 1.1.1.1 to 2.2.2.1?
>
> I set this up and the output from "debug ip icmp" showed the ICMP packets
> still coming from source of 1.1.1.1 - not 2.2.2.1 - what am I doing wrong?
> Thanks in advance.
>
> Matt Bentley
This archive was generated by hypermail 2.1.4 : Tue Apr 01 2008 - 07:53:54 ART
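The port-side question in this thread can be checked with a small model of extended ACL matching. This is an added example, not code from either poster. It relies on the IOS rule that a port operator after the source address tests the source port and one after the destination address tests the destination port. The addresses, the ephemeral port and all names are constructed, and only the FTP control connection is modelled.

```python
from dataclasses import dataclass
from typing import Optional

FTP_CONTROL = 21  # the "ftp" keyword in "eq ftp" is TCP port 21


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


@dataclass(frozen=True)
class AclEntry:
    """Models: permit tcp host <src> [eq <sport>] host <dst> [eq <dport>]"""
    src: str
    dst: str
    sport: Optional[int] = None  # None means no source-port test
    dport: Optional[int] = None  # None means no destination-port test

    def matches(self, p: Packet) -> bool:
        return (p.src == self.src and p.dst == self.dst
                and self.sport in (None, p.sport)
                and self.dport in (None, p.dport))


# Constructed addresses standing in for [x] and [y].
X, Y = "192.0.2.10", "192.0.2.20"
EPHEMERAL = 49152  # constructed client-side port

# Option (1): access-list 101 permit tcp host [x] eq ftp host [y]
OPTION_1 = AclEntry(src=X, dst=Y, sport=FTP_CONTROL)
# Option (2): access-list 101 permit tcp host [x] host [y] eq ftp
OPTION_2 = AclEntry(src=X, dst=Y, dport=FTP_CONTROL)

# X is the FTP client and opens the control connection to Y.
CLIENT_REQUEST = Packet(X, EPHEMERAL, Y, FTP_CONTROL)
# Y answers; the source is now Y, so neither X-sourced entry applies.
SERVER_REPLY = Packet(Y, FTP_CONTROL, X, EPHEMERAL)
# The reverse role: X is the server and is answering a client on Y.
X_AS_SERVER_REPLY = Packet(X, FTP_CONTROL, Y, EPHEMERAL)


def verdicts(entry: AclEntry) -> dict:
    """Return which of the three sample packets the entry permits."""
    return {"client_request": entry.matches(CLIENT_REQUEST),
            "server_reply": entry.matches(SERVER_REPLY),
            "x_as_server_reply": entry.matches(X_AS_SERVER_REPLY)}
```

Option (2) permits the packet an FTP client on X sends to a server on Y, while option (1) only permits packets X sends from port 21, which is what X would emit if it were the server.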