Re: ACL Query

From: Darby Weaver (ccie.weaver@gmail.com)
Date: Wed Nov 19 2008 - 20:21:44 ARST

• Next message: Darby Weaver: "Re: mib table in doccd?"
• Previous message: Charles: "mib table in doccd?"
• Maybe in reply to: Nitro Drops: "ACL Query"
• Next in thread: What ever: "Re: ACL Query"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Check out Jeff Doyle Volume I 2nd Edition in one of his Appendices. He
covers this little misunderstood topic very well. I think he used Telnet or
SSH in his example through.

The jist of the discussion is to understand what a "source port" is and what
a "destination port" is. Once you have this (debug ip packet if you need
further clarification) then you can correctly write your access list every
time.

For example: BGP needs tcp port 179 both for source and destination. While
http only has a destination port of 80 on the other hand. Look at netstat
to verify on a Windows on *Nix box to verify.

Like this example:

  TCP 10.81.10.151:2767 209.85.165.99:80 ESTABLISHED
  TCP 10.81.10.151:2774 209.85.165.99:80 ESTABLISHED

See the source in this example is 10.81.10.151 and the destiantion is
209.85.165.99.

Which side needs port 80? Which side does not?

Got it?

You can use this methodology for mostly any port.

Sh connections on a PIX/ASA will yield similar results.

On Tue, Nov 18, 2008 at 7:19 PM, But Nicky <lyredhair@gmail.com> wrote:

> Hi Nitro,
>
> (1): traffic http respond from server.
> (2): traffic http request from client.
>
> Regards,
> But Nguyen
>
> On Mon, Nov 17, 2008 at 6:28 PM, Nitro Drops <nitrodrops@hotmail.com>
> wrote:
>
> > if both source and destinations are using http, any differences between
> >
> > (1) permit tcp host x.x.x.x eq www host x.x.x.x
> >
> > and
> >
> > (2) permit tcp host x.x.x.x host x.x.x.x eq www
> >
> >
> > My understanding of using method (1) to match the protocol to the source,
> > is
> > when the application is using random ports. Pls kindly correct if i am
> > wrong.
> >
> >
> >
> > _________________________________________________________________
> > Take a summer road trip with Windows Live Hotmail. Multiple prizes and
> the
> > ultimate dream beach house!
> > http://www.ninemsn.com.au/hotmailroadtrip
> >
> >
> > Blogs and organic groups at http://www.ccie.net
> >
> > _______________________________________________________________________
> > Subscription information may be found at:
> > http://www.groupstudy.com/list/CCIELab.html
>
>
> Blogs and organic groups at http://www.ccie.net
>
> _______________________________________________________________________
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html

Blogs and organic groups at http://www.ccie.net

• Next message: Darby Weaver: "Re: mib table in doccd?"
• Previous message: Charles: "mib table in doccd?"
• Maybe in reply to: Nitro Drops: "ACL Query"
• Next in thread: What ever: "Re: ACL Query"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

This archive was generated by hypermail 2.1.4 : Mon Dec 01 2008 - 08:18:31 ARST