That's it, that just slipped my mind.

Justin

"Brian" <[EMAIL PROTECTED]> wrote in message news:[EMAIL PROTECTED]...
> The last line doesn't permit everything, just icmp packets that are not
> echo request, since those will be dropped by the second line. Looks like
> the icmp approach is block ping, permit other icmp, which is a common
> approach. First match wins.
>
> Bri
>
> On Thu, 21 Feb 2002, Justin M. Clark wrote:
>
> > I have the following access list and am trying to make sense of it. Here
> > is what I have so far with what I think the line does.
> >
> > 1. access-list 101 deny icmp any any redirect
> >    stop all redirects
> > 2. access-list 101 deny icmp any any echo
> >    stop ping
> > 3. access-list 101 deny ip 127.0.0.0 0.255.255.255 any
> >    stop localhost from going anywhere
> > 4. access-list 101 deny ip 224.0.0.0 31.255.255.255 any
> >    stop private address from going anywhere
> > 5. access-list 101 deny ip xxx.xxx.40.0 0.0.0.255 any
> >    stop xxx.xxx.40.0/24 from getting to anything
> > 6. access-list 101 permit tcp any any eq telnet
> >    permit telnet from anywhere
> > 7. access-list 101 permit tcp any any established
> >    permit anything from established connection
> > 8. access-list 101 permit tcp any host xxx.xxx.43.133 eq smtp
> >    permit anyone to xxx.xxx.43.113 port 25
> > 9. access-list 101 permit tcp any host xxx.xxx.43.133 eq pop3
> >    permit anyone to xxx.xxx.43.113 port 110
> > 10. access-list 101 permit tcp any host xxx.xxx.43.133 eq ftp
> >     permit anyone to xxx.xxx.43.113 port 21
> > 11. access-list 101 permit ip host XXX.152.0.8 any
> >     permit external dns servers to go anywhere
> > 12. access-list 101 permit ip host XXX.152.16.8 any
> >     permit external dns servers to go anywhere
> > 13. access-list 101 permit tcp any host xxx.xxx.43.134 eq www
> >     permit anyone to xxx.xxx.43.134 port 80
> > 14. access-list 101 permit tcp any host xxx.xxx.43.134 eq 443
> >     permit anyone to xxx.xxx.43.134 port 443
> > 15. access-list 101 permit icmp any any
> >     permit ping from anywhere to anywhere
> >
> > This is applied to a serial interface in.
> > We have external DNS and internal SMTP and POP3 and WWW.
> >
> > The lines that are confusing me are 1, 2, and 15.
> > It looks to me that at first it is denying redirects and ping but then on
> > line 15 it permits everything. Is this correct?
> >
> > Also, if you notice anything else that I don't have right could you please
> > mention it as well.
> >
> > thanks,
> > Justin

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=36139&t=36131
--------------------------------------------------
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
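An added example, not part of the thread above: a small first-match evaluator in Python for access-list 101 as posted, which shows why an ICMP echo stops at line 2 while an echo-reply falls through to line 15, and why anything no line matches hits the implicit deny at the end. The masked addresses in the post are replaced with constructed RFC 5737 documentation addresses, and the `established` keyword is modelled as "ACK or RST set".

```python
import ipaddress

ANY = ipaddress.ip_network("0.0.0.0/0")

def net(s):
    return ipaddress.ip_network(s, strict=False)

# Constructed stand-ins for the hosts the post masks (xxx.xxx.43.133 etc.).
MAIL, WEB, LAN = "198.51.100.133/32", "198.51.100.134/32", "203.0.113.0/24"
DNS1, DNS2 = "192.0.2.8/32", "192.0.2.18/32"

# (line, action, proto, src, dst, qualifier); qualifier is an ICMP type name,
# a TCP destination port, "established", or None. Order is the ACL order.
ACL = [
    (1, "deny", "icmp", ANY, ANY, "redirect"),
    (2, "deny", "icmp", ANY, ANY, "echo"),
    (3, "deny", "ip", net("127.0.0.0/8"), ANY, None),
    (4, "deny", "ip", net("224.0.0.0/3"), ANY, None),  # wildcard 31.255.255.255
    (5, "deny", "ip", net(LAN), ANY, None),
    (6, "permit", "tcp", ANY, ANY, 23),
    (7, "permit", "tcp", ANY, ANY, "established"),
    (8, "permit", "tcp", ANY, net(MAIL), 25),
    (9, "permit", "tcp", ANY, net(MAIL), 110),
    (10, "permit", "tcp", ANY, net(MAIL), 21),
    (11, "permit", "ip", net(DNS1), ANY, None),
    (12, "permit", "ip", net(DNS2), ANY, None),
    (13, "permit", "tcp", ANY, net(WEB), 80),
    (14, "permit", "tcp", ANY, net(WEB), 443),
    (15, "permit", "icmp", ANY, ANY, None),
]

def matches(rule, pkt):
    _, _, proto, src, dst, qual = rule
    if proto != "ip" and proto != pkt["proto"]:   # "ip" covers every protocol
        return False
    if (ipaddress.ip_address(pkt["src"]) not in src
            or ipaddress.ip_address(pkt["dst"]) not in dst):
        return False
    if qual is None:
        return True
    if proto == "icmp":
        return pkt.get("icmp_type") == qual
    if qual == "established":                      # TCP segment with ACK or RST
        return pkt.get("ack", False) or pkt.get("rst", False)
    return pkt.get("dport") == qual

def evaluate(pkt):
    """Return (line, action) of the first matching line; None = implicit deny."""
    for rule in ACL:
        if matches(rule, pkt):
            return rule[0], rule[1]
    return None, "deny"
```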