Your first statement is too general: all packets will test successfully
against it and never reach the second line. When you allow ip, you allow the
whole stack.


Michael L. Lucas CCSI #22672

"David Eitel" wrote in message news:[EMAIL PROTECTED]...
> Hello Everybody,
> I have a segment that I want only established traffic to enter. This has
> become quite confusing. I want ping, telnet, traceroute and DNS replies as
> well as FTP. Here's what I currently have. Any feedback would be
> appreciated.
>
> access-list 101 permit ip any 192.168.0.0 0.0.0.255 ----> Allowing IP
> access-list 101 permit tcp any 192.168.0.0 0.0.0.255 established ------->
> Allowing established TCP traffic
> access-list 101 permit udp any 192.168.0.0 0.0.0.255 gt 1023 ---------->
> Allowing DNS replies
> access-list 101 permit icmp any any echo-reply ------> Allow ping reply
>
>
>
> David Eitel
> FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
> Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=1741&t=1718
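The shadowing problem described in the reply, shown with an added example (not from the original posts or from Cisco): a small Python model of IOS first-match evaluation for access-list 101. The ACL entries and the test packets are constructed; the model only covers the fields the posted list uses (protocol, destination wildcard, established, gt 1023, echo-reply) and assumes the implicit deny at the end of every IOS access list.

```python
import ipaddress

def in_wildcard(ip, network, wildcard):
    """Cisco wildcard mask: a 1 bit means 'don't care'."""
    ip_i = int(ipaddress.IPv4Address(ip))
    net_i = int(ipaddress.IPv4Address(network))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (ip_i & care) == (net_i & care)

def entry_matches(entry, pkt):
    """One access-list line: (protocol, dst network, dst wildcard, extra condition)."""
    proto, dst_net, dst_wc, cond = entry
    if proto != "ip" and proto != pkt["proto"]:   # 'ip' matches every protocol
        return False
    if not in_wildcard(pkt["dst"], dst_net, dst_wc):
        return False
    if cond == "established":                      # ACK or RST bit set
        return pkt.get("ack", False)
    if cond == "gt1023":                           # 'gt 1023' on the destination port
        return pkt["dport"] > 1023
    if cond == "echo-reply":                       # ICMP type 0
        return pkt.get("icmp_type") == 0
    return True                                    # no extra condition

def first_match(acl, pkt):
    """IOS evaluates top to bottom; the first matching line decides."""
    for i, entry in enumerate(acl):
        if entry_matches(entry, pkt):
            return i, "permit"
    return None, "deny"                            # implicit deny at the end

# Constructed model of the posted access-list 101 (all lines have source 'any').
ORIGINAL = [
    ("ip",   "192.168.0.0", "0.0.0.255", None),           # line 1: permit ip any ...
    ("tcp",  "192.168.0.0", "0.0.0.255", "established"),  # line 2
    ("udp",  "192.168.0.0", "0.0.0.255", "gt1023"),       # line 3
    ("icmp", "0.0.0.0", "255.255.255.255", "echo-reply"), # line 4
]
FIXED = ORIGINAL[1:]   # same list with the blanket 'permit ip' line removed

# Constructed packets: an unsolicited inbound telnet SYN, a DNS reply, an echo reply.
SYN  = {"proto": "tcp",  "dst": "192.168.0.10", "dport": 23,    "ack": False}
DNS  = {"proto": "udp",  "dst": "192.168.0.10", "dport": 33000}
ECHO = {"proto": "icmp", "dst": "192.168.0.10", "icmp_type": 0}

if __name__ == "__main__":
    for name, pkt in (("SYN", SYN), ("DNS", DNS), ("ECHO", ECHO)):
        print(name, "original:", first_match(ORIGINAL, pkt), "fixed:", first_match(FIXED, pkt))
```

With the original order every packet, including the unsolicited SYN, is permitted by line 1 and lines 2 to 4 are never consulted; with line 1 removed the SYN falls through to the implicit deny while the DNS and echo replies are still permitted.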