Hi Tony,

remember that the direction to which you apply an access list is dependent
on the router, for example:

applying an access list IN on a router means packets going inbound on the
interface; this is independent of what you want to deny, i.e. inbound snmp.
So for example to block SNMP from the internet to your network you would
create an access list denying snmp from any to any and apply it INbound on
the serial interface on the router.  To block snmp from the local lan to
the router you would apply it INbound on the ethernet interface.  So I would
hazard a guess that you are not applying the access list in the appropriate
direction.

Where is the host you want to permit traffic to?  If it's on the other end of
your serial interface then you should be applying the access list outbound
on the serial interface.  This means that any devices behind the serial
interface will be able to access ONLY that host on the specified ports.

internet------->router----->localLAN

----->S1-router-E1 direction of traffic filtered using the outbound
statement

hope that helps

Ciaron
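To make the two points in this thread concrete (an ACL only sees packets travelling in the direction it is applied, and anything not explicitly permitted hits the implicit deny), here is a toy model of how the router evaluates John's list. This is an added example, not code from the list; it models only the any/host/eq forms used in the thread, and 203.0.113.215 is a constructed stand-in for the masked 203.111.xxx.215.

```python
from collections import namedtuple

# One packet as the router sees it: protocol, source, source port, destination, dest port.
Packet = namedtuple("Packet", "proto src sport dst dport")

def parse_acl(text):
    """Parse extended-ACL entries into (action, proto, (src, sport), (dst, dport)).
    Only the forms used in the thread are modelled: any, host A.B.C.D, eq N."""
    aces = []
    for line in text.strip().splitlines():
        tok = line.split()
        if not tok or tok[0] not in ("permit", "deny"):
            continue  # skip the 'ip access-list ...' header line
        action, proto, i, ends = tok[0], tok[1], 2, []
        for _ in range(2):  # source spec, then destination spec
            if tok[i] == "any":
                addr, i = None, i + 1
            elif tok[i] == "host":
                addr, i = tok[i + 1], i + 2
            else:
                raise ValueError("only any/host modelled: " + line)
            port = None
            if i < len(tok) and tok[i] == "eq":
                port, i = int(tok[i + 1]), i + 2
            ends.append((addr, port))
        aces.append((action, proto, ends[0], ends[1]))
    return aces

def evaluate(aces, pkt):
    """First matching entry wins; no match falls into the implicit 'deny ip any any'."""
    for action, proto, (sa, sp), (da, dp) in aces:
        if (proto == pkt.proto and sa in (None, pkt.src) and da in (None, pkt.dst)
                and sp in (None, pkt.sport) and dp in (None, pkt.dport)):
            return action
    return "deny"

def filter_on_interface(aces, applied, direction, pkt):
    """An ACL applied 'in' sees only packets entering that interface; packets
    leaving it are never checked by that ACL (and vice versa for 'out')."""
    return evaluate(aces, pkt) if applied == direction else "not checked"

# Constructed stand-in (TEST-NET-3) for the masked 203.111.xxx.215 in the thread.
ACL = """ip access-list extended 110
permit tcp any host 203.0.113.215 eq 25
permit tcp any host 203.0.113.215 eq 80
permit tcp any host 203.0.113.215 eq 53
permit udp any host 203.0.113.215 eq 53"""
ACES = parse_acl(ACL)
```

With the list inbound on S1, an SMTP connection from the internet to the host is permitted, the host's replies leaving S1 are not checked at all, and the return packets of any session a LAN machine opened to the internet (destination port ephemeral, not 25/80/53) are dropped by the implicit deny.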

-----Original Message-----
From: Tony van Ree [mailto:[EMAIL PROTECTED]]
Sent: 25 July 2001 23:37
To: [EMAIL PROTECTED]
Subject: Re: permit ip any any [7:13686]


Hi,

It would depend on where you put the access-list.  For example if you put
this on the WAN side of your router without specifying "incoming" in the
access-group statement then it would surely fail.

For this access-list to work in an outgoing direction it would need to be on
the Ethernet.

My guess is that this is the issue; in other words the access-list is facing
the wrong way when applied.

Just a thought,

Teunis,
Hobart, Tasmania
Australia


On Tuesday, July 24, 2001 at 10:41:44 PM, Guy Russell wrote:

> I'm not sure what you mean by shutting down the ports, but don't forget the
> implicit deny that is not seen... denying all!!!!
> 
> can you access the web or mail services etc... on that machine????
> 
> Is it applied to the correct interface..
> 
> Is S1 closer to the destination, or source.
> 
> 
> 
> ----- Original Message -----
> From: "John Brandis" 
> To: 
> Sent: Tuesday, July 24, 2001 9:12 PM
> Subject: permit ip any any [7:13686]
> 
> 
> > Hi ya,
> >
> > another ACL question
> >
> > I have a pretty simple ACL at the moment
> >
> > ip access-list extended 110
> >
> > permit tcp any host 203.111.xxx.215 eq 25
> > permit tcp any host 203.111.xxx.215 eq 80
> > permit tcp any host 203.111.xxx.215 eq 25
> > permit tcp any host 203.111.xxx.215 eq 53
> > permit udp any host 203.111.xxx.215 eq 53
> >
> >
> > I put this on the s1 int (run a stub network) in. However, the
> > second I apply this it actually shuts these ports down, like the
> > opposite of what I thought was to happen. I changed the direction of the
> > ACL but it did not affect the end result.
> > Do I have to use the permit ip any any  now, would that not go against
> > the use of permitting only certain ports...
> >
> > Thanks for your help...
> >
> > John
> > Sydney Australia
--
www.tasmail.com




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=13842&t=13686
--------------------------------------------------
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]