FW: About access-list
-----Original Message-----
From: Abruzzese, John
Sent: Wednesday, September 27, 2000 8:14 AM
To: Raymond Mak
Subject: RE: About access-list

When you apply an access-list to an interface, all traffic, for instance in-bound, is blocked. After specifying what address(es) you wanted to filter, did you end the ACL with "access-list 101 permit ip any any", in other words at the very bottom, to allow all other in-bound traffic?

-----Original Message-----
From: Raymond Mak [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, September 27, 2000 12:19 PM
To: [EMAIL PROTECTED]
Subject: Re: About access-list

Hi,

Once I apply the extended list on an interface for "IN" traffic, does it implicitly block all incoming traffic on that interface?

I also want to know, for example:

access-list 110 permit tcp any any neq telnet

1. ip access-group 110 in
2. ip access-group 110 out

For 1, the source (any) would be the internal network and the destination (any) would be outside. Is it that, for 2, the source would be the outside network and the destination would be the internal network? Am I wrong with this kind of "point of view"?

Thanks

Raymond

Raymond Mak wrote:
> Hi,
>
> I am just a beginner. I have a question: do I need to type
> any command to "enable" using an ip extended access-list?
> It is because when I add an ip access-group for a standard access-list on
> an interface, it works with no side-effect. But when I add an extended
> access-list on an interface,
> I cannot even ping out.
>
> Thanks
>
> Regards,
> Raymond
>
> **NOTE: New CCNA/CCDA List has been formed. For more information go to
> http://www.groupstudy.com/list/Associates.html
> _
> UPDATED Posting Guidelines: http://www.groupstudy.com/list/guide.html
> FAQ, list archives, and subscription info: http://www.groupstudy.com
> Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
Re: About access-list
You are correct in your assumptions. The only thing that you have to watch out for is the "any" keyword. I usually filter the traffic for a particular interface if possible. This way you can help prevent spoofing.

Neil

"Raymond Mak" <[EMAIL PROTECTED]> wrote in message news:[EMAIL PROTECTED]...
> Hi,
>
> Once I apply the extended list on an interface for "IN" traffic, does it
> implicitly block all incoming traffic on that interface?
>
> I also want to know, for example:
> access-list 110 permit tcp any any neq telnet
>
> 1. ip access-group 110 in
> 2. ip access-group 110 out
>
> For 1, the source (any) would be the internal network and the destination (any)
> would be outside.
> Is it that, for 2, the source would be the outside network and the destination
> would be the internal network?
> Am I wrong with this kind of "point of view"?
> Thanks
>
> Raymond
>
>
> Raymond Mak wrote:
> >
> > Hi,
> >
> > I am just a beginner. I have a question: do I need to type
> > any command to "enable" using an ip extended access-list?
> > It is because when I add an ip access-group for a standard access-list on
> > an interface, it works with no side-effect. But when I add an extended
> > access-list on an interface,
> > I cannot even ping out.
> >
> > Thanks
> >
> > Regards,
> > Raymond
Re: About access-list
Hi,

Once I apply the extended list on an interface for "IN" traffic, does it implicitly block all incoming traffic on that interface?

I also want to know, for example:

access-list 110 permit tcp any any neq telnet

1. ip access-group 110 in
2. ip access-group 110 out

For 1, the source (any) would be the internal network and the destination (any) would be outside. Is it that, for 2, the source would be the outside network and the destination would be the internal network? Am I wrong with this kind of "point of view"?

Thanks

Raymond

Raymond Mak wrote:
> Hi,
>
> I am just a beginner. I have a question: do I need to type
> any command to "enable" using an ip extended access-list?
> It is because when I add an ip access-group for a standard access-list on
> an interface, it works with no side-effect. But when I add an extended
> access-list on an interface,
> I cannot even ping out.
>
> Thanks
>
> Regards,
> Raymond
RE: About access-list
If you are trying to create an access-list that blocks incoming icmp (pings), then you must allow icmp echo replies back in. Are you sure you are not sending pings out and they are simply not allowed to return? Check that first (with debugs on both ends).

Another possibility would be that you need to include the "established" parameter in inbound lists.

Of course these are just guesses, since we do not have a copy of your access-list or its stated intentions. I know this answer sounds a bit cryptic, but it is intended to give you the key words you need to look it up.

Louie

"Thinking is man's only basic virtue, from which all others proceed. And his basic vice, the source of all his evils, is that nameless act which all of you practice, but struggle never to admit... the refusal to think; not blindness, but the refusal to see; not ignorance, but the refusal to know." - John Galt

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Raymond Mak
Sent: Tuesday, September 26, 2000 1:42 PM
To: [EMAIL PROTECTED]
Subject: About access-list

Hi,

I am just a beginner. I have a question: do I need to type any command to "enable" using an ip extended access-list? It is because when I add an ip access-group for a standard access-list on an interface, it works with no side-effect. But when I add an extended access-list on an interface, I cannot even ping out.

Thanks

Regards,
Raymond
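The points John, Neil and Louie make in their replies (every list ends with an implicit deny, so "permit ip any any" must be the last entry if the rest of the traffic is to pass; "established" and echo-reply entries let return traffic back in; and "any" as an inbound source is what lets spoofed packets through) can be checked with a small first-match evaluator. The following is an added example written for this page in Python; it is not code from the thread or from Cisco IOS. The inside network 10.1.1.0/24, the outside host 203.0.113.9 and the packets are constructed sample values, and the parser covers only the subset of access-list syntax used in the thread (any / host / wildcard-mask addresses, one destination port operator, "established", one ICMP type keyword).

```python
"""Toy first-match evaluator for Cisco-style extended access lists (added
example, not code from the thread). Entries are tested top to bottom, the first
match decides, and unmatched packets hit the implicit "deny ip any any"."""
from dataclasses import dataclass
from ipaddress import ip_address

PORT_NAMES = {"telnet": 23, "www": 80}

@dataclass
class Packet:
    proto: str             # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: int = 0
    tcp_ack: bool = False  # ACK or RST set: a reply inside an existing TCP session
    icmp_type: str = ""    # "echo" (request) or "echo-reply"

@dataclass
class Entry:
    action: str            # "permit" or "deny"
    proto: str             # "ip" matches every protocol
    src: tuple             # (network, wildcard) as 32-bit integers
    dst: tuple
    dport_op: tuple = None # destination port test, e.g. ("neq", 23)
    established: bool = False
    icmp_type: str = None

def _parse_addr(tok, i):
    # 'any' | 'host A.B.C.D' | 'A.B.C.D W.W.W.W' (wildcard mask) starting at tok[i]
    if tok[i] == "any":
        return (0, 0xFFFFFFFF), i + 1
    if tok[i] == "host":
        return (int(ip_address(tok[i + 1])), 0), i + 2
    return (int(ip_address(tok[i])), int(ip_address(tok[i + 1]))), i + 2

def parse_entry(line):
    """Parse 'access-list N permit|deny PROTO SRC DST [op port] [established] [icmp-type]'."""
    tok = line.split()
    if tok[0] != "access-list" or tok[2] not in ("permit", "deny"):
        raise ValueError(f"unsupported entry: {line}")
    src, i = _parse_addr(tok, 4)
    dst, i = _parse_addr(tok, i)
    entry = Entry(tok[2], tok[3], src, dst)
    while i < len(tok):
        if tok[i] in ("eq", "neq", "gt", "lt"):
            entry.dport_op = (tok[i], PORT_NAMES.get(tok[i + 1]) or int(tok[i + 1]))
            i += 2
        elif tok[i] == "established":
            entry.established, i = True, i + 1
        else:                               # any other keyword is an ICMP type
            entry.icmp_type, i = tok[i], i + 1
    return entry

def _addr_matches(spec, addr):
    net, wildcard = spec
    care = ~wildcard & 0xFFFFFFFF           # a 1 bit in the wildcard means "don't care"
    return (int(ip_address(addr)) & care) == (net & care)

def matches(e, p):
    if e.proto != "ip" and e.proto != p.proto:
        return False
    if not (_addr_matches(e.src, p.src) and _addr_matches(e.dst, p.dst)):
        return False
    if e.dport_op:
        op, port = e.dport_op
        if not {"eq": p.dport == port, "neq": p.dport != port,
                "gt": p.dport > port, "lt": p.dport < port}[op]:
            return False
    if e.established and not p.tcp_ack:     # a fresh SYN is not "established"
        return False
    return not e.icmp_type or e.icmp_type == p.icmp_type

def evaluate(acl, packet):
    """Walk the list top to bottom; the first match decides, otherwise implicit deny."""
    for line in acl:
        entry = parse_entry(line)
        if matches(entry, packet):
            return entry.action
    return "deny"                           # implicit "deny ip any any" ends every IOS list

# Raymond's list, John's fix, Louie's keywords and Neil's anti-spoofing entry.
RAYMOND = ["access-list 110 permit tcp any any neq telnet"]
WITH_PERMIT_ANY = RAYMOND + ["access-list 110 permit ip any any"]
LOUIE = ["access-list 110 permit tcp any any established",
         "access-list 110 permit icmp any any echo-reply"]
ANTI_SPOOF = ["access-list 110 deny ip 10.1.1.0 0.0.0.255 any"] + LOUIE  # 10.1.1.0/24 = inside

# Constructed packets, all arriving inbound on the outside interface.
ECHO_REPLY_IN = Packet("icmp", "203.0.113.9", "10.1.1.5", icmp_type="echo-reply")
ECHO_REQ_IN = Packet("icmp", "203.0.113.9", "10.1.1.5", icmp_type="echo")
HTTP_REPLY_IN = Packet("tcp", "203.0.113.9", "10.1.1.5", dport=40000, tcp_ack=True)
NEW_TELNET_IN = Packet("tcp", "203.0.113.9", "10.1.1.5", dport=23)
SPOOFED_IN = Packet("tcp", "10.1.1.7", "10.1.1.5", dport=40000, tcp_ack=True)

if __name__ == "__main__":
    for name, acl, pkt in [("ping reply, Raymond's list", RAYMOND, ECHO_REPLY_IN),
                           ("ping reply, + permit ip any any", WITH_PERMIT_ANY, ECHO_REPLY_IN),
                           ("new telnet, + permit ip any any", WITH_PERMIT_ANY, NEW_TELNET_IN),
                           ("spoofed inside source", ANTI_SPOOF, SPOOFED_IN)]:
        print(f"{name:34s} -> {evaluate(acl, pkt)}")
```

Running it reproduces the symptom Raymond describes: with only "permit tcp any any neq telnet" in the list, an ICMP echo-reply matches no entry and is dropped by the implicit deny, so pings look as if they fail. Appending "permit ip any any" lets the reply through, but it also lets a new inbound telnet session through, because the "neq telnet" entry permits rather than denies and the telnet packet simply falls to the next line; Louie's "established" form only admits TCP packets that belong to a session already opened, and Neil's entry drops packets that arrive from outside claiming an inside source. The direction keyword ("in" or "out") only decides which packets the router hands to the list; the matching itself is the same.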
About access-list
Hi,

I am just a beginner. I have a question: do I need to type any command to "enable" using an ip extended access-list? It is because when I add an ip access-group for a standard access-list on an interface, it works with no side-effect. But when I add an extended access-list on an interface, I cannot even ping out.

Thanks

Regards,
Raymond