Since the access-list is worked from top down, wouldn't the top line allow
all IP traffic?
I don't think that IP packets are ever going to see the lower lines in your
config.

Also, don't forget the implicit deny at the end; you are setting up to drop
all traffic not on the 192.168.0.X network.

Jason Coleman - CCNP, CCDP
Customer Engineer
Network Management Center - Austin
(ph) 512-340-3134
(email) [EMAIL PROTECTED]  


-----Original Message-----
From:   David Eitel [mailto:[EMAIL PROTECTED]]
Sent:   Tuesday, April 24, 2001 10:19 AM
To:     [EMAIL PROTECTED]
Subject:        Extended access list question [7:1718]

Hello Everybody,
I have a segment that I want only established traffic to enter. This has
become quite confusing. I want ping, telnet, traceroute and DNS replies as
well as FTP. Here's what I currently have. Any feedback would be appreciated.

access-list 101 permit ip any 192.168.0.0 0.0.0.255               ----> Allowing IP
access-list 101 permit tcp any 192.168.0.0 0.0.0.255 established  ----> Allowing established TCP traffic
access-list 101 permit udp any 192.168.0.0 0.0.0.255 gt 1023      ----> Allowing DNS replies
access-list 101 permit icmp any any echo-reply                    ----> Allow ping reply

David Eitel
FAQ, list archives, and subscription info:
http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to
[EMAIL PROTECTED]




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=1725&t=1718
--------------------------------------------------
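Added example, not from either poster: a small first-match evaluator for the subset of Cisco extended ACL syntax used in the thread. It parses David's four lines as posted, walks them top-down the way IOS does (first match wins, implicit deny at the end), and reports which line a sample packet hits. The model is deliberately narrow and makes assumptions: "established" is treated as "ACK or RST bit set", the only port qualifier handled is "gt N" on the destination port, and wildcard masks must be contiguous. The sample packets and the variant list with the blanket "permit ip" line removed are constructed for the demonstration. The `shadowed_lines` check flags ACEs that can never match because an earlier unqualified "ip" ACE covers a superset of their addresses; on the posted list it flags the tcp and udp lines, while the icmp "any any" line still catches echo-replies to other destinations.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass
class Ace:
    action: str                      # "permit" or "deny"
    proto: str                       # "ip", "tcp", "udp" or "icmp"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    established: bool = False        # tcp only: ACK or RST must be set (assumption)
    dport_gt: Optional[int] = None   # "gt N" on the destination port
    icmp_type: Optional[str] = None  # e.g. "echo-reply"


@dataclass
class Packet:
    proto: str
    src: str
    dst: str
    dport: int = 0
    ack_or_rst: bool = False         # what the "established" keyword tests
    icmp_type: Optional[str] = None


def _parse_addr(tok, i):
    """Return (network, next index) for 'any', 'host A' or 'A WILDCARD'."""
    if tok[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok[i] == "host":
        return ipaddress.ip_network(tok[i + 1]), i + 2
    # ipaddress accepts a Cisco-style wildcard (host mask) after the slash
    return ipaddress.ip_network(f"{tok[i]}/{tok[i + 1]}"), i + 2


def parse_ace(line):
    """Parse one 'access-list <n> <action> <proto> <src> <dst> [qualifiers]' line."""
    tok = line.split()
    if tok[0] != "access-list":
        raise ValueError(f"not an ACE: {line!r}")
    action, proto = tok[2], tok[3]
    src, i = _parse_addr(tok, 4)
    dst, i = _parse_addr(tok, i)
    ace = Ace(action, proto, src, dst)
    while i < len(tok):
        if tok[i] == "established":
            ace.established, i = True, i + 1
        elif tok[i] == "gt":
            ace.dport_gt, i = int(tok[i + 1]), i + 2
        elif proto == "icmp":
            ace.icmp_type, i = tok[i], i + 1
        else:
            raise ValueError(f"unsupported qualifier {tok[i]!r}")
    return ace


def parse_acl(text):
    return [parse_ace(l) for l in text.strip().splitlines() if l.strip()]


def matches(ace, pkt):
    if ace.proto != "ip" and ace.proto != pkt.proto:
        return False
    if (ipaddress.ip_address(pkt.src) not in ace.src
            or ipaddress.ip_address(pkt.dst) not in ace.dst):
        return False
    if ace.established and not pkt.ack_or_rst:
        return False
    if ace.dport_gt is not None and not pkt.dport > ace.dport_gt:
        return False
    if ace.icmp_type is not None and pkt.icmp_type != ace.icmp_type:
        return False
    return True


def evaluate(acl, pkt):
    """Top-down, first match wins; no match means the implicit deny.
    Returns (action, index of the matching line, or None for implicit deny)."""
    for i, ace in enumerate(acl):
        if matches(ace, pkt):
            return ace.action, i
    return "deny", None


def shadowed_lines(acl):
    """Indices of ACEs an earlier unqualified 'ip' ACE fully covers, so they never match."""
    out = []
    for j, later in enumerate(acl):
        for earlier in acl[:j]:
            if (earlier.proto == "ip" and not earlier.established
                    and earlier.dport_gt is None
                    and later.src.subnet_of(earlier.src)
                    and later.dst.subnet_of(earlier.dst)):
                out.append(j)
                break
    return out


ORIGINAL = """
access-list 101 permit ip any 192.168.0.0 0.0.0.255
access-list 101 permit tcp any 192.168.0.0 0.0.0.255 established
access-list 101 permit udp any 192.168.0.0 0.0.0.255 gt 1023
access-list 101 permit icmp any any echo-reply
"""
# Constructed variant: the same list with the blanket "permit ip" line removed
WITHOUT_PERMIT_IP = "\n".join(ORIGINAL.strip().splitlines()[1:])

# Constructed sample packets arriving at the protected segment
NEW_TCP_SYN = Packet("tcp", "10.9.9.9", "192.168.0.10", dport=23)
TCP_REPLY = Packet("tcp", "10.9.9.9", "192.168.0.10", dport=40001, ack_or_rst=True)
DNS_REPLY = Packet("udp", "10.1.1.53", "192.168.0.10", dport=40002)
ECHO_REPLY = Packet("icmp", "10.9.9.9", "192.168.0.10", icmp_type="echo-reply")
OTHER_NET = Packet("tcp", "10.9.9.9", "172.16.0.10", dport=40001, ack_or_rst=True)

if __name__ == "__main__":
    for name, text in (("as posted", ORIGINAL), ("without permit ip", WITHOUT_PERMIT_IP)):
        acl = parse_acl(text)
        print(name, "shadowed lines:", shadowed_lines(acl))
        for pkt in (NEW_TCP_SYN, TCP_REPLY, DNS_REPLY, ECHO_REPLY, OTHER_NET):
            print("  ", pkt.proto, pkt.dst, "->", evaluate(acl, pkt))
```

Running it shows the point of the reply: with the list as posted, a brand-new inbound TCP SYN to 192.168.0.10 is permitted by line 0 and never reaches the "established" line; with the first line gone, that SYN falls through to the implicit deny, replies to existing TCP sessions, high-port UDP (DNS replies) and echo-replies are still permitted, and a reply destined for a network other than 192.168.0.0/24 is dropped by the implicit deny.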
