Yes, that does make sense. Thanx for the detailed reply. I did finally use the following:

conf t
int ethernet0/0
no ip access-list extended secure2
ip access-list extended secure2
deny tcp any any eq 6666
deny tcp any any eq 139
permit ip any any
int ethernet0/0
ip access-group secure2 out
ip access-group secure2 in
exit
wr

Thanx again,
Anil Gupte

----- Original Message -----
From: "Tom Petzold"
To: "Anil Gupte" ;
Sent: Friday, February 22, 2002 11:35 AM
Subject: RE: Access Lists are a bit mystifying [7:36164]

> Remember the OSI model. IP can have multiple higher level protocols
> running over it. So IP uses protocol numbers to identify the higher level
> protocol that it should send the data to. If you do a deny ? on a router
> you will see all the different protocols (eigrp, gre, icmp, ospf, pim, tcp,
> udp). Once the IP layer passes the packet up to the transport layer the
> layer 4 protocol has to know which application to send the data to. So the
> TCP protocol will send traffic on port 80 to the web server and traffic to
> port 25 to the smtp server.
>
> Layer 7 - Application
> Layer 6 - Presentation
> Layer 5 - Session
> Layer 4 - Transport
> Layer 3 - Network
> Layer 2 - Datalink
> Layer 1 - Physical
>
> The first line will not work. IP is the layer 3 protocol; tcp, udp, icmp,
> etc. are layer 4 protocols. So while tcp and udp have port numbers, ip
> doesn't. If I want to deny http traffic I must deny tcp port 80 because
> http uses TCP port 80. The same holds true for UDP. If I wanted to deny
> snmp traffic I would deny UDP port 161.
>
> If you set the last line to "permit tcp any any" it would allow any tcp
> based traffic but because there is a specific deny all at the end of all
> access-lists, you would deny udp, icmp, eigrp, ospf, etc. The permit ip any
> any says allow all layer 4 ip protocols.
>
> Does this make sense?
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
> Anil Gupte
> Sent: Thursday, February 21, 2002 11:24 PM
> To: [EMAIL PROTECTED]
> Subject: Re: Access Lists are a bit mystifying [7:36164]
>
>
> Actually my question was not clear, I think. My confusion is with the IP
> vs. TCP. In other words should it not be something like:
>
> deny ip any any eq 139
> permit ip any any
>
> Why deny TCP and permit IP as opposed to deny IP and permit IP?
>
> Also, the purpose of these is that I am trying to block some suspicious
> activity on those ports (I think someone may be running an illegal IRC
> server on that port).
>
> Thanx for the reply (and the kid gloves). :-)
> Anil Gupte
>
> ----- Original Message -----
> From: "Scott Nawalaniec"
> To: "'Anil Gupte'" ;
> Sent: Thursday, February 21, 2002 10:17 PM
> Subject: RE: Access Lists are a bit mystifying [7:36164]
>
>
> > Hi Anil,
> >
> > Sometimes it's scary posting to this group. =)
> >
> > To answer your question,
> > if you don't have the permit IP any any command, there is an implicit deny rule
> > at the end of an access-list, which will drop all traffic that you have
> > not allowed through the access-list.
> >
> > The other two deny statements are dropping netbios port 139 and something
> > that uses port 6666.
> >
> > Hope this helps.
> >
> > Scott
> >
> > -----Original Message-----
> > From: Anil Gupte [mailto:[EMAIL PROTECTED]]
> > Sent: Thursday, February 21, 2002 7:59 PM
> > To: [EMAIL PROTECTED]
> > Subject: Access Lists are a bit mystifying [7:36164]
> >
> >
> > Hi All!
> >
> > I watch this list occasionally (when I have time). This is my first post
> > to this list, so be kind. :p)
> >
> > In the access list below:
> > **************
> > conf t
> > int ethernet0/0
> > no ip access-list extended secure2
> > ip access-list extended secure2
> > deny tcp any any eq 6666
> > deny tcp any any eq 139
> > permit ip any any
> >
> > int ethernet0/0
> > ip access-group secure2 out
> > ip access-group secure2 in
> >
> > exit
> > wr
> > **************
> > Why is it that you need to deny TCP and permit IP? Or did I not do this
> > right?
> >
> > Thanx,
> > Anil Gupte

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=36397&t=36164
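To make the first-match and implicit-deny behaviour that Tom and Scott describe concrete, here is a small Python model of extended-ACL evaluation (an added example, not part of the thread or of Cisco IOS). It handles only the `permit|deny <proto> any any [eq <port>]` subset used above, assumes the `eq` port is the destination port, and, like the IOS parser, rejects `eq` on `ip` because ports belong to tcp/udp.

```python
"""Toy model of Cisco IOS extended-ACL evaluation: first match wins, implicit deny at the end.

Added example, not from the thread. Only the syntax used in the thread is supported:
    [permit|deny] <proto> any any [eq <dst-port>]
"""
from dataclasses import dataclass
from typing import Optional

L4_WITH_PORTS = {"tcp", "udp"}  # only these layer-4 protocols carry port numbers


@dataclass
class Ace:
    action: str               # "permit" or "deny"
    proto: str                # "ip", "tcp", "udp", "icmp", ...
    dst_port: Optional[int]   # from "eq <port>"; tcp/udp only


def parse_ace(line: str) -> Ace:
    """Parse one access-list entry, rejecting 'eq' on non-port protocols as IOS does."""
    tok = line.split()
    if len(tok) < 4 or tok[0] not in ("permit", "deny") or tok[2:4] != ["any", "any"]:
        raise ValueError(f"unsupported ACE syntax: {line!r}")
    action, proto, port = tok[0], tok[1], None
    if len(tok) > 4:
        if tok[4] != "eq" or len(tok) != 6:
            raise ValueError(f"unsupported ACE syntax: {line!r}")
        if proto not in L4_WITH_PORTS:
            # 'ip' is layer 3 and has no ports: the "deny ip any any eq 139" mistake
            raise ValueError(f"'eq' is only valid for tcp/udp, not {proto!r}: {line!r}")
        port = int(tok[5])
    return Ace(action, proto, port)


def evaluate(acl: list[str], proto: str, dst_port: Optional[int] = None) -> str:
    """Return 'permit' or 'deny' for a packet; unmatched packets hit the implicit deny."""
    for ace in map(parse_ace, acl):
        proto_ok = ace.proto == "ip" or ace.proto == proto   # 'ip' matches every L4 protocol
        port_ok = ace.dst_port is None or ace.dst_port == dst_port
        if proto_ok and port_ok:
            return ace.action   # first matching entry decides
    return "deny"               # implicit deny at the end of every access-list


SECURE2 = ["deny tcp any any eq 6666", "deny tcp any any eq 139", "permit ip any any"]
TCP_ONLY = SECURE2[:2] + ["permit tcp any any"]   # the alternative last line asked about

if __name__ == "__main__":
    for proto, port in [("tcp", 6666), ("tcp", 139), ("tcp", 80), ("udp", 161), ("icmp", None)]:
        print(f"{proto:4} {str(port):5} secure2={evaluate(SECURE2, proto, port):6} "
              f"permit-tcp-only={evaluate(TCP_ONLY, proto, port)}")
```

Running it shows that with `permit ip any any` only the two IRC/NetBIOS ports are dropped, while with `permit tcp any any` everything that is not TCP (udp, icmp, ospf) falls through to the implicit deny.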

