The key is to know which header the list statement is being applied to.
Ports (source and destination) are a part of a TCP header or a UDP header.
They are a means of identifying the application that is being multiplexed at
the Transport Layer.

IP headers do not have ports--they have source and destination addresses
(logical addresses, of course--not physical).

Look here--
http://www.rfc-editor.org/cgi-bin/rfcsearch.pl
RFC791 is IP and has that lovely ASCII art header in paragraph 3.1. For TCP,
the number is RFC793, also paragraph 3.1. UDP is RFC768--surprise! the
header is right at the beginning.

HTH

Annlee
"Anil Gupte" wrote in message news:[EMAIL PROTECTED]...
> Actually my question was not clear, I think.  My confusion is with the IP
> vs. TCP.  In other words should it not be something like:
>
> deny ip any any eq 139
> permit ip any any
>
> Why deny TCP and permit IP as opposed to deny IP and permit IP?
>
> Also, the purpose of these is that I am trying to block some suspicious
> activity on those ports (I think someone may be running an illegal IRC
> server on that port).
>
> Thanx for the reply (and the kid gloves). :-)
> Anil Gupte
>
> ----- Original Message -----
> From: "Scott Nawalaniec"
> To: "'Anil Gupte'" ;
> Sent: Thursday, February 21, 2002 10:17 PM
> Subject: RE: Access Lists are a bit mystifying [7:36164]
>
>
> > Hi Anil,
> >
> > Sometimes it's scary posting to this group. =)
> >
> > To answer your question,
> > if you don't have the permit IP any any command, there is an implicit deny
> > rule at the end of an access-list, which will drop all traffic that you have
> > not allowed through the access-list.
> >
> > The other two deny statements are dropping netbios port 139 and
> > something that uses port 6666.
> >
> > Hope this helps.
> >
> > Scott
> >
> > -----Original Message-----
> > From: Anil Gupte [mailto:[EMAIL PROTECTED]]
> > Sent: Thursday, February 21, 2002 7:59 PM
> > To: [EMAIL PROTECTED]
> > Subject: Access Lists are a bit mystifying [7:36164]
> >
> >
> > Hi All!
> >
> > I watch this list occasionally (when I have time).  This is my first
> > post to this list, so be kind. :p)
> >
> > In the access list below:
> > **************
> > conf t
> > int ethernet0/0
> > no ip access-list extended secure2
> > ip access-list extended secure2
> > deny tcp any any eq 6666
> > deny tcp any any eq 139
> > permit ip any any
> >
> > int ethernet0/0
> > ip access-group secure2 out
> > ip access-group secure2 in
> >
> > exit
> > wr
> > **************
> > Why is it that you need to deny TCP and permit IP?  Or did I not do this
> > right?
> >
> > Thanx,
> > Anil Gupte
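As an added illustration (not part of this thread or of IOS itself), a small Python model of how an extended access list is walked: the "eq" port qualifier exists only for entries whose protocol header carries ports (TCP/UDP), so "deny ip any any eq 139" is rejected at parse time, a "deny tcp ... eq 139" entry does not touch UDP traffic, and a list with no "permit ip any any" ends in the implicit deny. Rule, parse_rule and evaluate are names chosen here, and only "any" addresses are handled.

```python
"""Constructed model of Cisco extended-ACL matching (illustration only, not IOS code)."""
from dataclasses import dataclass
from typing import List, Optional

PORTED = {"tcp", "udp"}          # only these headers carry source/destination ports


@dataclass(frozen=True)
class Rule:
    action: str                  # "permit" or "deny"
    proto: str                   # "ip", "tcp", "udp", "icmp", ...
    dport: Optional[int] = None  # value after 'eq' on the destination side


def parse_rule(line: str) -> Rule:
    """Parse e.g. 'deny tcp any any eq 139' (source/destination fixed to 'any')."""
    tok = line.split()
    action, proto = tok[0], tok[1]
    if action not in ("permit", "deny") or tok[2:4] != ["any", "any"]:
        raise ValueError(f"unsupported syntax: {line!r}")
    dport = None
    if len(tok) > 4:
        if tok[4] != "eq" or len(tok) != 6:
            raise ValueError(f"unsupported syntax: {line!r}")
        if proto not in PORTED:  # IP (and ICMP) have no port field, so 'eq' is meaningless
            raise ValueError(f"'{proto}' has no port field: {line!r}")
        dport = int(tok[5])
    return Rule(action, proto, dport)


def evaluate(acl: List[Rule], proto: str, dport: Optional[int] = None) -> str:
    """First matching entry wins; falling off the end is the implicit deny."""
    for r in acl:
        if r.proto != "ip" and r.proto != proto:   # 'ip' matches every protocol
            continue
        if r.dport is not None and r.dport != dport:
            continue
        return r.action
    return "deny"                                   # implicit 'deny ip any any'


# The 'secure2' list from the thread, parsed into rules
SECURE2 = [parse_rule(line) for line in (
    "deny tcp any any eq 6666",
    "deny tcp any any eq 139",
    "permit ip any any",
)]
```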




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=36169&t=36164
--------------------------------------------------
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
