RE: Access List Question

From: T. N. Noble (noble@inserviceindia.com)
Date: Fri Apr 08 2005 - 11:13:21 GMT-3


Thanks a lot. I understood it correctly.

Regards,

Noble
 

-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
Jelle Borsje
Sent: 08 April 2005 16:39
To: GroupStudy - Posting
Subject: Re: Access List Question

Hi Mani,

With ICMP it works a bit differently than with UDP/TCP.
With ICMP matching you are indicating the TYPE of packet. In the case of a
ping, ICMP type echo-reply will be a response to an ICMP echo packet.
With UDP/TCP you are indicating a port number ("eq www" is nothing more than
"eq 80"). Traffic one way is targeting port 80, and the return traffic
comes from port 80. Also notice the missing "eq" keyword, because we are not
matching port numbers.

Also have a look at the following Cisco output:

access 103 permit icmp any ?
  A.B.C.D Destination address
  any Any destination host
  host A single destination host

and:

access 103 permit icmp any any ?
  <0-255> ICMP message type
  administratively-prohibited Administratively prohibited ...
  echo Echo (ping)
  echo-reply Echo reply
...

You cannot enter the ICMP packet type after the first any. Hope this helps.

Greetz
Jelle

--- mani poopal <mani_ccie@yahoo.com> wrote:
> Hi,
>
> Why not add these two lines as well
> access-list 103 permit icmp any echo any
> access-list 103 permit icmp any echo-reply any
>
> Mani
>
> Jelle Borsje <borsjej@yahoo.dk> wrote:
> Hi,
>
> The 'both ways' seems to indicate that you need to allow return
> traffic as well:
>
> access-list 103 permit icmp any any echo
> access-list 103 permit icmp any any echo-reply
> access-list 103 permit udp any any eq tftp
> access-list 103 permit tcp any any eq smtp
> access-list 103 permit tcp any any eq www
>
> I would add:
>
> access-list 103 permit udp any eq tftp any
> access-list 103 permit tcp any eq smtp any
> access-list 103 permit tcp any eq www any
>
> That would allow traffic from a server back to a client. Does that
> make sense?
>
> Greetz
> Jelle
>
> --- "T. N. Noble" wrote:
> > Hi,
> >
> > How do you interpret the following question?
> >
> > Configure an inbound access list 103 on R3's loopback 0 that
> > satisfies the below mentioned criteria.
> >
> > 1. TFTP, SMTP, and WWW traffic are permitted both ways.
> > 2. ICMP ping traffic is permitted from everywhere.
> > 3. All other traffic is implicitly denied.
> >
> >
> > My answer is.... It seems that something is wrong with it. What is
> > the question trying to explore by saying "both ways"
> > and "everywhere"?
> >
> >
> > access-list 103 permit icmp any any echo
> > access-list 103 permit icmp any any echo-reply
> > access-list 103 permit udp any any eq tftp
> > access-list 103 permit tcp any any eq smtp
> > access-list 103 permit tcp any any eq www
> >
> >
> > Any suggestion will be appreciated.
> >
> > Thanks,
> >
> > Noble
> >
> >
>
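The two points made in this thread, that return traffic needs the server port matched as the *source* port, and that an ICMP message type can only follow the destination address, can be checked with a small model of how an extended ACL is parsed and evaluated. The following Python is an added illustration, not IOS code and not written by anyone in the thread; it models only the syntax the thread uses (`any` or `host A.B.C.D` addresses, `eq` with the names www/smtp/tftp, the ICMP keywords echo and echo-reply) and the implicit deny at the end of every ACL. The sample addresses and the ephemeral port 40000 are constructed values.

```python
from dataclasses import dataclass
from typing import Optional

# Keyword-to-number maps for the few names the thread uses (IOS knows many more).
NAMED_PORTS = {"www": 80, "smtp": 25, "tftp": 69}
ICMP_TYPES = {"echo": 8, "echo-reply": 0}


@dataclass
class Packet:
    proto: str                  # "icmp", "tcp" or "udp"
    src: str
    dst: str
    src_port: Optional[int] = None
    dst_port: Optional[int] = None
    icmp_type: Optional[int] = None


@dataclass
class Rule:
    action: str
    proto: str
    src: Optional[str]          # None means "any"
    src_port: Optional[int]     # None means no "eq" qualifier on the source
    dst: Optional[str]
    dst_port: Optional[int]
    icmp_type: Optional[int]    # None means any ICMP message type


def _addr(t, i):
    """Consume 'any' or 'host A.B.C.D'; anything else is not an address."""
    if t[i] == "any":
        return None, i + 1
    if t[i] == "host":
        return t[i + 1], i + 2
    raise ValueError(f"expected an address spec, got {t[i]!r}")


def _opt_port(t, i):
    """Consume an optional 'eq <name|number>' (TCP/UDP only)."""
    if i < len(t) and t[i] == "eq":
        name = t[i + 1]
        return (NAMED_PORTS[name] if name in NAMED_PORTS else int(name)), i + 2
    return None, i


def parse_rule(line):
    """Parse one 'access-list N permit|deny <proto> <src> ... <dst> ...' entry."""
    t = line.split()
    if len(t) < 6 or t[0] != "access-list" or t[2] not in ("permit", "deny"):
        raise ValueError(f"not an extended ACL entry: {line!r}")
    action, proto = t[2], t[3]
    src, i = _addr(t, 4)
    src_port = dst_port = icmp_type = None
    if proto in ("tcp", "udp"):
        src_port, i = _opt_port(t, i)      # a port may follow the source...
        dst, i = _addr(t, i)
        dst_port, i = _opt_port(t, i)      # ...and/or the destination
    elif proto == "icmp":
        dst, i = _addr(t, i)               # the type is only legal after this
        if i < len(t):
            icmp_type = ICMP_TYPES[t[i]] if t[i] in ICMP_TYPES else int(t[i])
            i += 1
    else:
        raise ValueError(f"protocol {proto!r} not modelled")
    if i != len(t):
        raise ValueError(f"unexpected trailing tokens: {t[i:]}")
    return Rule(action, proto, src, src_port, dst, dst_port, icmp_type)


def is_valid_entry(line):
    """True if the line parses under the modelled syntax (mirrors IOS's '?' help)."""
    try:
        parse_rule(line)
        return True
    except ValueError:
        return False


def parse_acl(text):
    return [parse_rule(l) for l in text.strip().splitlines() if l.strip()]


def _matches(r, p):
    return (r.proto == p.proto
            and r.src in (None, p.src) and r.dst in (None, p.dst)
            and r.src_port in (None, p.src_port)
            and r.dst_port in (None, p.dst_port)
            and r.icmp_type in (None, p.icmp_type))


def evaluate(acl, pkt):
    """First matching entry wins; every IOS ACL ends in an implicit deny."""
    for r in acl:
        if _matches(r, pkt):
            return r.action
    return "deny"


# Noble's original five entries, one per line, as posted in the thread.
NOBLE_ACL = """
access-list 103 permit icmp any any echo
access-list 103 permit icmp any any echo-reply
access-list 103 permit udp any any eq tftp
access-list 103 permit tcp any any eq smtp
access-list 103 permit tcp any any eq www
"""

# Jelle's additions: the server's port appears as the *source* for return traffic.
RETURN_ACL = NOBLE_ACL + """
access-list 103 permit udp any eq tftp any
access-list 103 permit tcp any eq smtp any
access-list 103 permit tcp any eq www any
"""

# Constructed sample packets (addresses and the ephemeral port are made up).
HTTP_REQUEST = Packet("tcp", "10.1.1.5", "10.3.3.3", src_port=40000, dst_port=80)
HTTP_REPLY = Packet("tcp", "10.3.3.3", "10.1.1.5", src_port=80, dst_port=40000)
ECHO_REQUEST = Packet("icmp", "10.1.1.5", "10.3.3.3", icmp_type=8)
ECHO_REPLY = Packet("icmp", "10.3.3.3", "10.1.1.5", icmp_type=0)


def check(acl_text):
    """Verdict for each sample packet against the given ACL text."""
    acl = parse_acl(acl_text)
    return {name: evaluate(acl, p) for name, p in
            [("http-request", HTTP_REQUEST), ("http-reply", HTTP_REPLY),
             ("echo", ECHO_REQUEST), ("echo-reply", ECHO_REPLY)]}


if __name__ == "__main__":
    print("Noble's ACL:", check(NOBLE_ACL))          # http-reply is denied
    print("with return entries:", check(RETURN_ACL))  # everything permitted
    # Mani's form puts the type before the destination; IOS will not accept it.
    print(is_valid_entry("access-list 103 permit icmp any echo any"))  # False
```

Running it shows the HTTP reply (source port 80) being dropped by the implicit deny under Noble's ACL and permitted once Jelle's `eq www` source-port entries are added, while the ICMP echo and echo-reply entries already cover both directions because the type, not a port, is what is matched. The parser also rejects `permit icmp any echo any` at the same token where the router's `?` help only offers destination addresses.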



This archive was generated by hypermail 2.1.4 : Tue May 03 2005 - 07:54:55 GMT-3