Palitha,
Ben is right. I suggest you read up more on CISCO ACLs.
CISCO ACLs work by going through from line 1 to the last line (line
by line, from 1 to 7). Ping has already been permitted by rule 5, thus a permit
any any is not necessary and definitely not advisable.
By replacing the line with permit ip any any, all ip packets that are not
rejected by rule 1 will be permitted through. If that is your intention, you
can also leave out lines 2->6 because they are all made redundant by "permit
ip any any". Not a good idea, because all ip packets will be allowed through.
By default, CISCO ACLs have a hidden last rule, which is deny any any. This rule
is automatically inserted after the last rule. The permit ip any any
overwrites the hidden rule.
Regards,
Nic
.. not a CCNA
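As an added illustration (not part of the thread), here is a small Python simulator of the first-match, top-to-bottom evaluation Nic and Ben describe, run over the seven-line ACL quoted further down. The addresses are constructed stand-ins for the X.X.X.X placeholders, and the matching is a simplification of IOS (protocol, wildcard-masked addresses, destination port only), not IOS itself.

```python
import ipaddress

# Constructed stand-in for the thread's X.X.X.0 / X.X.X.X placeholders (RFC 5737 ranges).
ACL_TEXT = """
access-list 121 deny ip 192.0.2.0 0.0.0.192 any log
access-list 121 permit tcp any host 198.51.100.1 eq 25 log
access-list 121 permit tcp any host 198.51.100.1 eq 53 log
access-list 121 permit udp any host 198.51.100.1 eq 53 log
access-list 121 permit icmp any any log
access-list 121 permit tcp any any log
access-list 121 deny ip any any log
"""

def _ip(text):
    return int(ipaddress.IPv4Address(text))

def _parse_addr(tok, pos):
    """Parse 'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD' into (network, wildcard)."""
    if tok[pos] == "any":
        return (0, 0xFFFFFFFF), pos + 1
    if tok[pos] == "host":
        return (_ip(tok[pos + 1]), 0), pos + 2
    return (_ip(tok[pos]), _ip(tok[pos + 1])), pos + 2

def parse_acl(text):  # -> [(action, proto, src, dst, dst_port)] in configured order
    rules = []
    for line in text.strip().splitlines():
        tok = line.split()
        action, proto = tok[2], tok[3]
        src, pos = _parse_addr(tok, 4)
        dst, pos = _parse_addr(tok, pos)
        port = int(tok[pos + 1]) if pos < len(tok) and tok[pos] == "eq" else None
        rules.append((action, proto, src, dst, port))
    return rules

def _addr_match(spec, addr):
    net, wild = spec  # a set wildcard bit means "don't care"
    return (addr & ~wild) == (net & ~wild)

def evaluate(rules, proto, src, dst, dport=None):
    """First match wins; returns (action, 1-based line). Line 0 is the hidden deny."""
    s, d = _ip(src), _ip(dst)
    for line, (action, rproto, rsrc, rdst, rport) in enumerate(rules, 1):
        if (rproto in ("ip", proto) and _addr_match(rsrc, s)
                and _addr_match(rdst, d) and rport in (None, dport)):
            return action, line
    return "deny", 0

RULES = parse_acl(ACL_TEXT)
# Inserting "permit ip any any" ahead of the explicit deny shadows that deny entirely.
OPEN_RULES = RULES[:6] + parse_acl("access-list 121 permit ip any any log") + RULES[6:]
```

Ping (ICMP) matches line 5 before the deny is ever reached; dropping line 7 changes nothing because the hidden deny still fires, while the extra permit ip any any lets every non-spoofed packet through.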
-----Original Message-----
From: Palitha Weerakkody [mailto:[EMAIL PROTECTED]]
Sent: Monday, August 21, 2000 9:46 AM
To: 'Ben Nagy'; [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: RE: Access-Lists
Hi Ben,
You seem to be a champ.
Well, could you add this to your router access list " deny ip any any log "
and try to Ping. If you can't ping, can I ask you to read about the protocol
again before you start fielding questions. ICMP relies on IP.
Thanks
Palitha
-----Original Message-----
From: Ben Nagy [mailto:[EMAIL PROTECTED]]
Sent: Monday, 21 August 2000 10:41
To: '[EMAIL PROTECTED]'; [EMAIL PROTECTED];
[EMAIL PROTECTED]
Subject: RE: Access-Lists
> -----Original Message-----
> From: Palitha Weerakkody
> [mailto:[EMAIL PROTECTED]]
> Sent: Monday, 21 August 2000 9:37 AM
> To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
> Subject: RE: Access-Lists
>
>
> Hi intekhab,
>
> I'm also new to this field.
> 1. access-list 121 deny ip X.X.X.0 0.0.0.192 any log
> 2. access-list 121 permit tcp any host X.X.X.X eq 25 log
> 3. access-list 121 permit tcp any host X.X.X.X eq 53 log
> 4. access-list 121 permit udp any host X.X.X.X eq 53 log
> 5. access-list 121 permit icmp any any log
> 6. access-list 121 permit tcp any any log
> 7. access-list 121 deny ip any any log
>
> As far as I understand, when you block IP you can't ping, so try "
> access-list 121 permit ip any any log ".
>
> On your rule 1 you deny ip access to a specific host or subnet, but in rule 7 you
> deny ip to all, so I think there is no point putting rule 1. Same with
> rules 2, 3 and 4 because you permit tcp to all on rule 6. I think you
> shouldn't permit tcp any any, only allow what you want. Someone can correct me if
> I am wrong.
OK - you're wrong. 8)
Rule 1 denies access _FROM_ a specific subnet - I'm assuming that it's an
anti-spoof thing.
Rule 7 is an explicit default deny - it's not necessary, but it makes
things clearer.
You're right - rules 2 and 3 are redundant, but rule 4 isn't - rule 4 is
UDP, which won't be permitted by rule 6.
Rule 5 allows ICMP, so ping should work. Adding permit ip any any statements
is a pretty poor idea.
Rule 6 is probably a bad idea too - so you got that bit right. Permit tcp
any any established would probably be better.
It's a pretty open set of ACLs, so there's no reason why they wouldn't work
for ping and HTTP if everything else is right (routing works, ACL applied in
the right place etc etc).
Looks like someone's already offered to help out-of-band though, so it's a
router issue from here.
>
> Thanks
>
> Palitha
> MCP CCNA
>
I don't want to stifle your helpful instincts, but I think you should expand
your ACL knowledge a fair bit before you start fielding questions.
Cheers,
--
Ben Nagy
Network Consultant, Volante Solutions
PGP Key ID: 0x1A86E304 Mobile: +61 414 411 520
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]