Re: ACL

From: Darby Weaver (ccie.weaver@gmail.com)
Date: Sun Nov 23 2008 - 17:00:51 ARST

• Next message: Narbik Kocharians: "Re: Shape peak - DOC CD example is WRONG ??"
• Previous message: Pavel Bykov: "Re: Shape peak - DOC CD example is WRONG ??"
• Maybe in reply to: Nitro Drops: "ACL"
• Next in thread: Jason Madsen: "Re: ACL"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

If you need a practical and useful example, do this:

Setup a Router with FW IOS for to be an IPSec VPN. Put another router in
front of it. Use ESP as a protocol - now write an acl to deny IP Protocol
50. Try your VPN Client. Wax on and Wax off. BTW - you can allow ISAKMP
and ESP over UDP in your acl to complete the set for the tunnel.

Load of differences. Lots of people don't know about using IP Protocols
numbers versus using ports and I had to support a lot of them with regard to
Firewalls and VPNs... So I think it's helpful info. It gave me the idea
for the example.

Good Luck!

On Sun, Nov 23, 2008 at 10:09 AM, Scott Morris <
smorris@internetworkexpert.com> wrote:

> Absolutely! The first (although poorly written) is a protocol number 59.
> The second represents a port number.
>
> Take 17 or 6 as an example. As a protocol number, these represent (at
> least
> if my memory is working this morning) TCP and UDP. As port numbers (ex #2)
> they don't really represent much of anything unless some specific app is
> using those ports.
>
> HTH,
>
>
> Scott Morris, CCIE4 #4713, JNCIE-M #153, JNCIS-ER, CISSP, et al.
> CCSI/JNCI-M/JNCI-ER
> Senior CCIE Instructor
>
> smorris@internetworkexpert.com
>
>
>
> Knowledge is power.
> Power corrupts.
> Study hard and be Eeeeviiiil......
>
>
> -----Original Message-----
> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
> Nitro Drops
> Sent: Sunday, November 23, 2008 8:54 AM
> To: ccielab@groupstudy.com
> Subject: ACL
>
> Any differences between
>
> 1.) deny 59 any any
>
> &
>
> 2.) deny tcp any any eq 59
> deny udp any any eq 59
>
> Was doing ASET labs. used method1, but got penalised. Solution using
> method2
>
> _________________________________________________________________
> Time for change? Find your ideal job with SEEK.
>
> http://a.ninemsn.com.au/b.aspx?URL=http%3A%2F%2Fninemsn%2Eseek%2Ecom%2Eau%2F
> %
>
> 3Ftracking%3Dsk%3Atl%3Ask%3Anine%3A0%3Ahottag%3Achange&_t=757263783&_r=SEEK_
> t
> agline&_m=EXT
>
>
> Blogs and organic groups at http://www.ccie.net
>
> _______________________________________________________________________
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html
>
>
> Blogs and organic groups at http://www.ccie.net
>
> _______________________________________________________________________
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html

Blogs and organic groups at http://www.ccie.net

• Next message: Narbik Kocharians: "Re: Shape peak - DOC CD example is WRONG ??"
• Previous message: Pavel Bykov: "Re: Shape peak - DOC CD example is WRONG ??"
• Maybe in reply to: Nitro Drops: "ACL"
• Next in thread: Jason Madsen: "Re: ACL"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

This archive was generated by hypermail 2.1.4 : Mon Dec 01 2008 - 08:18:31 ARST