RE: 'established' vs. reflexive acl

From: Scott Morris (swm@emanon.com)
Date: Wed Mar 02 2005 - 17:49:56 GMT-3


I'm missing the thought process here...

If you have a telnet session coming in with the ack bit set, then that means
the three-way handshake would have already taken place. That means it must
have been initiated outbound.

So if that's the case, then permitting the "any any telnet" seems to violate
what you are trying to do. *shrug*

The "any any eq telnet established" would be hard to do on an inbound
direction. Since the destination port will be telnet, that means it'll be
an incoming session. Incoming sessions start with the syn bit, not the ack
bit. So if that's all you have, you'll never start an inbound telnet
session.

HTH,

Scott

-----Original Message-----
From: John Matus [mailto:john_matus@hotmail.com]
Sent: Wednesday, March 02, 2005 3:05 PM
To: swm@emanon.com; ccielab@groupstudy.com
Subject: RE: 'established' vs. reflexive acl

OK,
so what is the practical difference between only allowing an inbound telnet
session with the ACK bit set and letting a dynamic TCP session return
inbound? I'm not sure I understand the difference.
I know that the ACK bit is set when it has undergone part of the three-way
handshake, so that at least in theory guarantees that it was initiated
outbound... but if you have a reflexive access-list like the one below that
creates a dynamic entry for an outbound TCP session but also has the inbound
access-list permit telnet traffic before the extended ACL is evaluated, does
that override the dynamic entry and not guarantee that the telnet session
was initiated from the inside?

I suppose rather than:
ip access-list extended inbound
   permit tcp any any eq telnet
   evaluate myreflect

I could have:
ip access-list extended inbound
   permit icmp any any port-unreachable
   permit icmp any any time-exceeded
   evaluate myreflect

So, what would be the difference between this last extended ACL and:
'access-list 101 permit tcp any any eq telnet established'?

>From: "Scott Morris" <swm@emanon.com>
>Reply-To: <swm@emanon.com>
>To: "'John Matus'" <john_matus@hotmail.com>,<ccielab@groupstudy.com>
>Subject: RE: 'established' vs. reflexive acl
>Date: Wed, 2 Mar 2005 14:40:02 -0500
>
>Established only covers tcp sessions with the 'ack' bit.
>
>Given the examples below, the reflexive acl only works for TCP as well,
>so there really is no difference. However, reflexive ACLs can work for
>UDP and ICMP as well, so don't limit yourself!
>
>Scott
>
>-----Original Message-----
>From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
>John Matus
>Sent: Wednesday, March 02, 2005 2:29 PM
>To: ccielab@groupstudy.com
>Subject: 'established' vs. reflexive acl
>
>I'm a bit confused about the difference between the following two ACLs.
>
>interface Ethernet0/0
> ip access-group 101 in
>access-list 101 permit tcp any any eq telnet established
>
>AND
>
>interface Ethernet0/0
> ip access-group inbound in
> ip access-group outbound out
>
>ip access-list extended inbound
> permit tcp any any eq telnet
> evaluate myreflect
>
>ip access-list extended outbound
> permit tcp any any reflect myreflect
>
>
>does the established keyword only allow a session that was initiated
>outbound then return inbound?
>
>
>_______________________________________________________________________
>Subscription information may be found at:
>http://www.groupstudy.com/list/CCIELab.html
>
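The difference the thread circles around, checked on sample traffic in a small Python model. This is an added example and not code from the list, from either poster, or from Cisco: the addresses, ports and packets are constructed for illustration, and the model leaves out the reflexive-entry idle timeout and the teardown on TCP FIN/RST that IOS performs. The three match functions reproduce, respectively, the `established` ACL, a reflexive ACL on its own, and John's `inbound` ACL with the unconditional telnet line ahead of `evaluate`.

```python
"""Python model of the two Cisco IOS ACL styles compared in this thread.

Nothing here talks to a router: the functions reproduce the match logic of
'established' and of a reflexive ACL so their behaviour can be compared on
constructed sample traffic. All addresses, ports and packets are made up.
"""
from dataclasses import dataclass

TELNET = 23


@dataclass(frozen=True)
class Packet:
    proto: str                      # "tcp", "udp" or "icmp"
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset = frozenset()  # TCP control bits set, e.g. {"SYN", "ACK"}


def established_acl(pkt):
    """'access-list 101 permit tcp any any eq telnet established', applied inbound.

    IOS 'established' keeps no state: it matches any TCP segment that carries
    the ACK or RST bit, whether or not the router ever saw an outbound SYN.
    """
    return (pkt.proto == "tcp"
            and pkt.dport == TELNET
            and bool(pkt.flags & {"ACK", "RST"}))


class ReflexiveAcl:
    """'permit <proto> any any reflect myreflect' out, 'evaluate myreflect' in.

    Every permitted outbound packet creates a temporary entry with source and
    destination swapped; an inbound packet passes 'evaluate' only if it hits
    such an entry. The idle timeout and the teardown on TCP FIN/RST that IOS
    performs are left out of this model.
    """

    def __init__(self, protos=("tcp", "udp", "icmp")):
        self.protos = set(protos)
        self.entries = set()

    def outbound(self, pkt):
        if pkt.proto in self.protos:
            self.entries.add((pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport))

    def inbound(self, pkt):
        return (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport) in self.entries


def john_inbound_acl(pkt, refl):
    """John's 'inbound' ACL: 'permit tcp any any eq telnet', then 'evaluate myreflect'.

    Lines are tried in order, so the unconditional telnet line wins for every
    inbound segment to port 23; the reflexive entries are only consulted for
    everything else.
    """
    if pkt.proto == "tcp" and pkt.dport == TELNET:
        return True
    return refl.inbound(pkt)


def run_scenarios():
    """Return, per sample packet, what each ACL does with it (True = permit)."""
    inside, server, attacker = "10.0.0.5", "192.0.2.10", "203.0.113.7"
    refl = ReflexiveAcl()

    # 1. Inside host telnets out; the server's SYN/ACK comes back to the
    #    ephemeral port, not to port 23.
    refl.outbound(Packet("tcp", inside, 40000, server, TELNET, frozenset({"SYN"})))
    return_synack = Packet("tcp", server, TELNET, inside, 40000, frozenset({"SYN", "ACK"}))

    # 2. Outsider sends a bare ACK at the inside host's telnet port (an ACK scan).
    ack_probe = Packet("tcp", attacker, 51515, inside, TELNET, frozenset({"ACK"}))

    # 3. Outsider tries to open telnet inbound with a plain SYN.
    syn_inbound = Packet("tcp", attacker, 51516, inside, TELNET, frozenset({"SYN"}))

    # 4. Inside host sends a DNS query; the UDP reply has no flags to check.
    refl.outbound(Packet("udp", inside, 5353, server, 53))
    dns_reply = Packet("udp", server, 53, inside, 5353)

    samples = {"return_synack": return_synack, "ack_probe": ack_probe,
               "syn_inbound": syn_inbound, "dns_reply": dns_reply}
    return {name: {"established": established_acl(p),
                   "reflexive": refl.inbound(p),
                   "john_inbound": john_inbound_acl(p, refl)}
            for name, p in samples.items()}


if __name__ == "__main__":
    for name, verdicts in run_scenarios().items():
        print(f"{name:14s}", verdicts)
```

Running it shows the points made in the thread: `eq telnet established` applied inbound never passes the return half of an outbound telnet session (the return traffic is addressed to the ephemeral port, not 23) and never passes an inbound SYN, but it does pass a crafted ACK aimed at an inside telnet server, because `established` is a stateless bit check. The reflexive ACL admits only the mirror image of traffic it has already seen leave, for UDP as well as TCP. John's `permit tcp any any eq telnet` ahead of `evaluate myreflect` lets every inbound telnet segment through before the dynamic entry is ever consulted, so for telnet the reflexive entry guarantees nothing.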



This archive was generated by hypermail 2.1.4 : Sun Apr 03 2005 - 17:56:39 GMT-3