access-list

2001-02-25 Thread Nelluri Reddy

I need some help with IP extended access lists.

I have an FTP server on the inside and I need to allow access to it from
the outside. There are two ports used, FTP (20) for control and FTP-DATA
(21) for the transfer of actual data.

When the two sides decide to start data transfer, does the server or the
client open the data connection (TCP)? I assume that in passive mode,
the client opens the connection and in normal mode, the server opens
connection. How is port FTP-DATA used? Is that port always used on the
server side?

access-list 101 permit tcp any host a.b.c.d eq ftp
access-list 101 permit tcp any host a.b.c.d eq ftp-data

Will the above work in all cases, where the server has the address
a.b.c.d?

In one case I saw

access-list 101 permit any eq ftp-data host a.b.c.d

That is what started me thinking.

Some applications using UDP use the same port on both sides, e.g.

access-list 102 permit udp any eq isakmp host a.b.c.d eq isakmp

allows IPSEC key exchange between the outside and inside.

Other examples, I think, are netbios name service (port 137) and netbios
datagram service (138). Am I right? Are there other applications using
the same port number on either side for UDP service?

TIA.

Nelluri Reddy

_
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]



access-list ?

2001-01-09 Thread andre

Hello,

What does this access list do?

neighbor ?.?.?.? route-map ? in
route-map ?-in permit 10
match ip address 5
access-list 5 permit 0.0.0.0

Does it mean permit nothing, or does it mean permit default route?  Or
am I way off?  I think it's there to block everything.

Thank You,
Andre


--
Andre Fecteau
Unix Software Engineer
[EMAIL PROTECTED]
CNE3, 4 & CCNA





access list

2000-07-16 Thread swapnil

To use access lists, do I need some extra IOS feature like IP Plus or
something?

Swapnil Jain
(CNE, MCSE, CCNA)
ICQ# 45074571

___
UPDATED Posting Guidelines: http://www.groupstudy.com/list/guide.html
FAQ, list archives, and subscription info: http://www.groupstudy.com
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]



Access list

2000-08-11 Thread Jianfeng Wang

Hi all,

I have a router that has 2 Ethernet interfaces, 0 and 1. 0 connects to the
outside and 1 to the inside.

I set up an access list like below:

access-list 101 deny any any
interface Ethernet0
ip access-group 101 in

I expect that will only allow applications like web browsers to initiate
connections from the inside but not from the outside. However, I find both
ends fail to browse through the router. Should I add something like
"access-list 101 permit any eq www any" to allow www traffic from ether1 to ether0?

Any advice is appreciated.




access-list

2000-09-03 Thread David Jackson

When using an extended access-list, what is the best way to write the
statement?

int s0
ip access-group 113
!
access-list 113 deny tcp any host 2xx.7x.2x.4x eq 3000 log
access-list 113 deny tcp any host 2xx.7x.2x.4x eq 3001 log
access-list 113 deny udp any host 2xx.7x.2x.4x 0.0.0.0 eq 3000 any log
access-list 113 deny udp any host 2xx.7x.2x.4x 0.0.0.0 eq 3001 any log
access-list 113 permit ip any any

Or is there another method of creating this statement? These ports are
already allowed:
23, 53, 80, 110,1 and 443, but now we need to add 3000 and 3001 to the
allowable ports.




Access list

2000-09-10 Thread David Jackson

Hello,

Can someone explain the appropriate procedure for writing both an extended
and a standard access-list?
Eventually, I will be responsible for applying ACLs on our production
(Cisco) routers.

Here's what I do know: standard ACLs reference source addresses, and
extended ACLs reference source and destination;
transport protocols and application protocols are used. Now I'm ready for an
educational journey into ACLs.

Thanks

**NOTE: New CCNA/CCDA List has been formed. For more information go to
http://www.groupstudy.com/list/Associates.html



Access-list

2000-07-07 Thread Sanjay.Padmanabhan




Hi all,

We have an access-list that has to allow only DNS and SMTP traffic to come
through. I have configured DNS successfully, but if I configure the router
to allow SMTP traffic to an internal host, it does not work. If SMTP has to
pass, I have to open all the TCP ports.
Any suggestions will be welcome.
Rgds
Sanjay





access-list ?

2000-07-12 Thread Ronnie Toolte

Does anyone know of a good resource that explains extended access-list?
I'm having problems understanding how to take a range of networks and
reduce them in number by summarizing them. For example, if  I want to
filter out all networks from 24.1.0.0 to 24.20.0.0, how would I
determine what inverse mask to use?

access-list 101 deny ip 24.1.0.0 ?.?.?.? any

I know if I want to filter just 24.1.0.0, I would do
access-list 101 deny ip 24.1.0.0 0.0.255.255 any

thanks in advance




Re: access-list

2001-02-26 Thread kent . hundley

Nelluri,

Comments embedded:

On 25 Feb 2001, at 19:31, Nelluri Reddy wrote:

> I need some help with IP extended access lists.
> 
> I have an FTP server on the inside and I need to allow access to it
> from the outside. There are two ports used, FTP (20) for control and
> FTP-DATA (21) for the transfer of actual data.

Actually, it's the reverse: 21 for control and 20 for ftp-data.

> 
> When the two sides decide to start data transfer, does the server or
> the client open the data connection (TCP)?

The client always initiates the initial session, although the client 
_application_ could reside on a physical _server_.  IOW, which end 
is the client or server from the perspective of FTP is which end 
initiates the connection to port 21 on the other end.  A physical 
box that you call a server could either wait passively for an FTP 
connection, in which case it is an FTP server, or it could initiate an 
FTP connection to another device, in which case it would be an 
FTP client.

 
>I assume that in passive
> mode, the client opens the connection and in normal mode, the server
> opens connection. 

In passive mode, the FTP-DATA session is opened from the FTP 
client to the FTP server.  In "standard" FTP, the FTP server opens 
an active connection to the FTP client, typically from source port 
20 to a randomly chosen client port.


>How is port FTP-DATA used? Is that port always used
> on the server side?

In standard FTP mode, the server port is usually port 20, although 
it need not be per the RFC.  In passive mode FTP, the server port 
is a randomly chosen high-numbered port.

> 
> access-list 101 permit tcp any host a.b.c.d eq ftp
> access-list 101 permit tcp any host a.b.c.d eq ftp-data
> 
> Will the above work in all cases, where the server has the address
> a.b.c.d?

It depends on how the ACL is applied, but typically if you're using 
standard FTP there is no need to specify the FTP-DATA session in 
an inbound ACL, since a TCP established entry will suffice and is 
usually required for other traffic.  

If you're using passive mode FTP, this would not suffice for an 
inbound ACL, since the client will initiate a connection to a port 
number which is randomly chosen during the FTP session.  

Of course, you could use CBAC with the firewall feature set to 
ensure that the correct dynamic entries are created for the FTP-
DATA session.

For further info on the specifics of FTP and other standard TCP/IP 
apps, I highly recommend "TCP/IP Illustrated, Vol. 1" by Richard 
Stevens.

HTH,
Kent

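The active/passive distinction Kent describes, worked through as an added example that is not part of the thread: a small evaluator for Cisco-style extended ACL entries (only the keywords used in this thread are supported), run over Nelluri's two lines plus the TCP established entry Kent mentions. The server address 192.0.2.10, the client 198.51.100.7 and the ports 4000x/51234 are constructed values standing in for a.b.c.d and for the ports chosen at run time.

```python
import ipaddress
from dataclasses import dataclass

# Port names used in the thread's ACL lines (IOS keyword -> number).
PORT_NAMES = {"ftp": 21, "ftp-data": 20}

# Constructed addresses: SERVER stands in for Nelluri's a.b.c.d.
SERVER = "192.0.2.10"
CLIENT = "198.51.100.7"


@dataclass
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    ack: bool = False  # True when ACK or RST is set, which is what IOS "established" tests


def wildcard_match(ip, network, wildcard):
    """Cisco wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    ip_i = int(ipaddress.IPv4Address(ip))
    net_i = int(ipaddress.IPv4Address(network))
    wc_i = int(ipaddress.IPv4Address(wildcard))
    return (ip_i ^ net_i) & ~wc_i & 0xFFFFFFFF == 0


def _parse_addr(tokens, i):
    """Parse 'any', 'host X' or 'X WILDCARD' at tokens[i]; return (net, wildcard, next_i)."""
    if tokens[i] == "any":
        return "0.0.0.0", "255.255.255.255", i + 1
    if tokens[i] == "host":
        return tokens[i + 1], "0.0.0.0", i + 2
    return tokens[i], tokens[i + 1], i + 2


def _parse_port(tokens, i):
    """Parse an optional 'eq PORT' at tokens[i]; return (port or None, next_i)."""
    if i < len(tokens) and tokens[i] == "eq":
        name = tokens[i + 1]
        return (PORT_NAMES[name] if name in PORT_NAMES else int(name)), i + 2
    return None, i


def parse_ace(line):
    """Parse one 'access-list N permit|deny tcp SRC [eq P] DST [eq P] [established]' line."""
    t = line.split()
    if len(t) < 6 or t[0] != "access-list" or t[2] not in ("permit", "deny") or t[3] != "tcp":
        raise ValueError(f"unsupported entry: {line!r}")
    ace = {"action": t[2]}
    ace["src"], ace["swc"], i = _parse_addr(t, 4)
    ace["sport"], i = _parse_port(t, i)
    ace["dst"], ace["dwc"], i = _parse_addr(t, i)
    ace["dport"], i = _parse_port(t, i)
    ace["established"] = "established" in t[i:]
    return ace


def ace_matches(ace, pkt):
    return (wildcard_match(pkt.src, ace["src"], ace["swc"])
            and wildcard_match(pkt.dst, ace["dst"], ace["dwc"])
            and (ace["sport"] is None or pkt.sport == ace["sport"])
            and (ace["dport"] is None or pkt.dport == ace["dport"])
            and (not ace["established"] or pkt.ack))


def evaluate(acl, pkt):
    """First matching entry decides; every IOS ACL ends with an implicit deny."""
    for ace in acl:
        if ace_matches(ace, pkt):
            return ace["action"]
    return "deny"


# Nelluri's two entries plus the 'established' entry Kent says an inbound
# ACL normally carries anyway for return traffic.
INBOUND_ACL = [parse_ace(line) for line in (
    f"access-list 101 permit tcp any host {SERVER} eq ftp",
    f"access-list 101 permit tcp any host {SERVER} eq ftp-data",
    "access-list 101 permit tcp any any established",
)]


def ftp_flows(acl=INBOUND_ACL):
    """Verdicts for the inbound (outside -> inside) packets of each FTP stage.

    Client ports and the passive-mode server port are constructed sample values."""
    return {
        # Control connection: client SYN to port 21.
        "control": evaluate(acl, Packet(CLIENT, 40001, SERVER, 21)),
        # Active mode: the server opened 20 -> client; inbound we only see replies.
        "active_data_reply": evaluate(acl, Packet(CLIENT, 40002, SERVER, 20, ack=True)),
        # Passive mode: the client opens a new connection to a random high server port.
        "passive_data_syn": evaluate(acl, Packet(CLIENT, 40003, SERVER, 51234)),
    }


if __name__ == "__main__":
    for stage, verdict in ftp_flows().items():
        print(f"{stage:20s} {verdict}")
```

The passive-mode SYN is the one Kent says a static inbound ACL cannot cover: it arrives without ACK set and on a port nobody could list in advance.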




Access list help

2000-11-22 Thread Timothy Metz

All,

For some reason I am having problems with a seemingly simple access-list, and
any help is extremely appreciated. When I applied the list, it blocked www
access (intranet www worked fine) to all except the BDC and the Exchange
server. I assume I made a mistake with the wildcard mask.

My stub of the intranet is 10.105.190.0
BDC is 10.105.190.10
Exchange server is 10.105.190.246
IPs authorized unrestricted access: 10.105.190.8 thru 10.105.190.24
LAN is on e0, WAN on s0

Here are my guidelines in plain English
permit all to local intranet
permit our BDC to all
permit Exchange server to all
permit specific block of IPs to all (10.105.190.8 thru 10.105.190.24)
deny all others to www
permit ip all (for proprietary stuff some of our offices use and I don't
currently have the time to see what ports they need)

Here is the list I came up with:

access-list 101 permit tcp any 10.0.0.0 0.255.255.255 eq www
access-list 101 permit ip host 10.105.190.10 any
access-list 101 permit ip host 10.105.190.246 any
access-list 101 permit ip 10.105.190.8 0.0.0.16 any
access-list 101 deny tcp 10.105.190.0 0.0.0.255 any eq www
access-list 101 permit ip any any

apply to interface e0:

en, config t, int e0
ip access-group 101 out
ctrl-z

Thanks again,

Tim




Special Access List

2000-11-29 Thread Ahmed El-Ghobary

Hello all,
I have a problem: I want to apply a user profile to a dial-up user, as I use an
AS5300 access server. This may be done by a command or by applying an access list
on the access server, but instead of the source IP I need to use the user
name.
Any help on how to do it?





Access list & chat

2000-12-07 Thread Very Gentle Guy

Dear all,

I need to restrict my users so that they are able to use all chat services and have no 
browsing or FTP things. How do you think I can build my access list to do 
so?

Do I have to mention host addresses, or can I control it through opening 
access to specific ports only?

Thanks for your help
Ref



Access List question

2000-12-13 Thread Edward Gomez

Hi all,

I was just wondering, is there a way to specify a range of IP addresses in an
access list? Say for instance that I am using an RFC1700 address
192.168.100.0/24 and I want to block IP addresses 192.168.100.100 -
192.168.100.254 from going out to 0.0.0.0. Do I have to manually do 154
separate entries in the access list? 

Thanks in advance!

Eddie

--
Edward J. Gomez, MCSE, CNE, CCNA
Information Systems Manager
ProxyMed, Inc
2555 Davie Road,
Suite 110
Fort Lauderdale, Florida 33317
(954) 473-1001 x315
http://www.proxymed.com

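Added example, not from any of the posts on this page: computing the smallest set of network/wildcard pairs that covers an address range, which is the question Ronnie Toolte, Tim and Eddie each ran into above. The ranges are theirs; Ronnie's "24.1.0.0 to 24.20.0.0" is taken to mean the whole /16s 24.1.0.0 through 24.20.255.255 (an assumption), and the list number 101 is the one his post uses.

```python
import ipaddress


def range_to_wildcards(first, last):
    """Smallest list of (network, wildcard) pairs covering first..last inclusive.

    Greedy: at each step take the largest power-of-two block that starts at the
    current address (aligned to its own size) without running past the end."""
    lo = int(ipaddress.IPv4Address(first))
    hi = int(ipaddress.IPv4Address(last))
    if lo > hi:
        raise ValueError("range start is after range end")
    entries = []
    while lo <= hi:
        size = 1
        while lo % (size * 2) == 0 and lo + size * 2 - 1 <= hi:
            size *= 2
        # A block of 'size' addresses has wildcard size-1 (all low bits set).
        entries.append((str(ipaddress.IPv4Address(lo)),
                        str(ipaddress.IPv4Address(size - 1))))
        lo += size
    return entries


def acl_lines(number, first, last, action="deny"):
    """Render the pairs as 'access-list N deny ip NET WILDCARD any' lines."""
    return [f"access-list {number} {action} ip {net} {wc} any"
            for net, wc in range_to_wildcards(first, last)]


def matched_addresses(network, wildcard):
    """Every address one network/wildcard pair matches (small wildcards only).

    Useful for checking an existing entry such as Tim's 0.0.0.16: the matched
    set is the fixed bits plus every subset of the wildcard's 1 bits."""
    net = int(ipaddress.IPv4Address(network))
    wc = int(ipaddress.IPv4Address(wildcard))
    if wc > 0xFFFF:
        raise ValueError("wildcard too wide to enumerate")
    base = net & ~wc & 0xFFFFFFFF
    return [str(ipaddress.IPv4Address(base | bits))
            for bits in range(wc + 1) if bits & ~wc == 0]


if __name__ == "__main__":
    # Ronnie: 24.1.0.0 through 24.20.255.255 collapses to six entries.
    for line in acl_lines(101, "24.1.0.0", "24.20.255.255"):
        print(line)
    # Eddie: .100 through .254 needs 10 entries, not one per address.
    print(len(acl_lines(101, "192.168.100.100", "192.168.100.254")), "entries")
    # Tim: 0.0.0.16 matches only .8 and .24; .8 through .24 needs three pairs.
    print(matched_addresses("10.105.190.8", "0.0.0.16"))
    print(range_to_wildcards("10.105.190.8", "10.105.190.24"))
```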



Re: access-list ?

2001-01-09 Thread Tony van Ree

Hi,

I don't think it does much.

I think it will permit all.

Teunis
Hobart, Tasmania
Australia

On Tuesday, January 09, 2001 at 02:52:09 PM, [EMAIL PROTECTED] wrote:

> Hello,
> 
> What does this access list do?
> 
> neighbor ?.?.?.? route-map ? in
> route-map ?-in permit 10
> match ip address 5
> access-list 5 permit 0.0.0.0
> 
> Does it mean permit nothing, or does it mean permit default route?  Or
> am I way off?  I think it's there to block
> everything.
> 
> Thank You,
> Andre
> 



Re: access-list ?

2001-01-09 Thread Jaeheon Yoo

Hi, Tony

I think it will permit only default routes.

Regards

Jaeheon



On 9 Jan 2001 19:38:00 -0500, [EMAIL PROTECTED] ("Tony van Ree")
wrote:

>Hi,
>
>I don't think it does much.
>
>I think it will permit all.
>
>Teunis
>Hobart, Tasmania
>Australia



Re: access-list ?

2001-01-10 Thread suaveguru

I also think it will permit all because in access-list
we use wild card bits and 0.0.0.0 simply means
255.255.255.255 which literally means permit all

hope it helps

suaveguru


--- Jaeheon Yoo <[EMAIL PROTECTED]> wrote:
> Hi, Tony
> 
> I think it will permit only default routes.
> 
> Regards
> 
> Jaeheon



Re: access-list ?

2001-01-10 Thread Jaeheon Yoo

Hi, all

Well, this is from cisco site:

To specify a large number of individual addresses more easily, you can
omit the wildcard if it is all zeros. Thus, the following two
configuration commands are identical in effect:

access-list 2 permit 36.48.0.3
access-list 2 permit 36.48.0.3  0.0.0.0

That is,

access-list 2 permit 0.0.0.0  --->  "permit only defaults"
access-list 3 permit 0.0.0.0 255.255.255.255 ---> "permit all"

You can check it by yourself at:
http://www.cisco.com/univercd/cc/td/doc/product/software/ios121/121cgcr/ip_r/iprprt1/1rdip.htm#xtocid124253

watch word wrap

Hope this helps,

Regards

Jaeheon


On 10 Jan 2001 05:10:03 -0500, [EMAIL PROTECTED] (suaveguru)
wrote:

>I also think it will permit all because in access-list
>we use wild card bits and 0.0.0.0 simply means
>255.255.255.255 which literally means permit all
>
>hope it helps
>
>suaveguru



Re: access-list ?

2001-01-10 Thread Kenny Sallee

Actually the implied mask is all 0's - so this acl will only permit a route
which is all 0's - or normally the default route.

Kenny

"suaveguru" <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]...
> I also think it will permit all because in access-list
> we use wild card bits and 0.0.0.0 simply means
> 255.255.255.255 which literally means permit all
>
> hope it helps
>
> suaveguru



Re: access-list ?

2001-01-10 Thread Tony van Ree

Hi,

I must be missing the point.

I thought a default route was telling the device to go here for all routes I don't know 
about.  Does that not imply any not excluded, and the access-list as I understand it 
does not exclude any until the permit default, which I would take to read permit any.

Teunis
Hobart, Tasmania
Australia


On Wednesday, January 10, 2001 at 01:02:18 AM, suaveguru wrote:

> I also think it will permit all because in access-list
> we use wild card bits and 0.0.0.0 simply means
> 255.255.255.255 which literally means permit all
> 
> hope it helps
> 
> suaveguru



Re: access-list ?

2001-01-10 Thread Jaeheon Yoo

Hi, Tony.

I'm not sure I understand correctly what you're trying to say.
But I'd like to point out this:

In this case, access-lists are not used as filters for incoming or
outgoing data packets, but are used here as filters for incoming
or outgoing routing updates. More specifically, for route entries
contained in routing update packets.
So the default route entry is just one entry here.

Hope this helps
Regards

Jaeheon

On 10 Jan 2001 18:15:43 -0500, [EMAIL PROTECTED] ("Tony van Ree")
wrote:

>Hi,
>
>I must be missing the point.
>
>I thought a default route was telling the device to go here for all routes I don't know 
>about.  Does that not imply any not excluded, and the access-list as I understand it 
>does not exclude any until the permit default, which I would take to read permit any.
>
>Teunis
>Hobart, Tasmania
>Australia
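A constructed illustration, not from the thread, of the point Jaeheon and Kenny make: a standard ACL entry written without a wildcard gets the implied 0.0.0.0 mask, so "permit 0.0.0.0" matches only the 0.0.0.0 network while "permit 0.0.0.0 255.255.255.255" matches everything. The route prefixes in the sample update are made up.

```python
import ipaddress

# Constructed sample of prefixes carried in one inbound routing update.
UPDATE = ["0.0.0.0/0", "10.0.0.0/8", "192.168.1.0/24"]


def parse_standard_ace(line):
    """Parse 'access-list N permit|deny ADDR [WILDCARD]'.

    A missing wildcard means 0.0.0.0 (every bit must match), as the Cisco text
    Jaeheon quotes says; it is not the same as 255.255.255.255."""
    t = line.split()
    if len(t) < 4 or t[0] != "access-list" or t[2] not in ("permit", "deny"):
        raise ValueError(f"not a standard ACL entry: {line!r}")
    wildcard = t[4] if len(t) > 4 else "0.0.0.0"
    return t[2], t[3], wildcard


def wildcard_match(addr, network, wildcard):
    """A 1 bit in the wildcard is 'don't care'; every other bit must be equal."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    w = int(ipaddress.IPv4Address(wildcard))
    return (a ^ n) & ~w & 0xFFFFFFFF == 0


def filter_routes(acl_lines, prefixes):
    """Return the prefixes the ACL permits: first match wins, implicit deny at the end.

    Caveat: under 'match ip address' a standard ACL is tested against the route's
    network address only; the prefix length is not examined, so 'permit 0.0.0.0'
    would equally pass a route to 0.0.0.0/8 if one were ever advertised."""
    acl = [parse_standard_ace(line) for line in acl_lines]
    permitted = []
    for prefix in prefixes:
        network = str(ipaddress.IPv4Network(prefix).network_address)
        for action, addr, wildcard in acl:
            if wildcard_match(network, addr, wildcard):
                if action == "permit":
                    permitted.append(prefix)
                break
    return permitted


def compare():
    """Andre's list 5 as written, next to the 'permit all' form Tony read it as."""
    return {
        "implied_mask": filter_routes(["access-list 5 permit 0.0.0.0"], UPDATE),
        "explicit_all": filter_routes(
            ["access-list 5 permit 0.0.0.0 255.255.255.255"], UPDATE),
    }


if __name__ == "__main__":
    for form, kept in compare().items():
        print(f"{form}: {kept}")
```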




access list logging

2001-01-16 Thread Adam Wang

Hi all,

I want to build an access list on a Cisco router that
will log all the denied traffic to a file/server.  Can
this be done on the implicit deny statement, or do I have
to define the deny traffic explicitly?

Thanks



Adam




access list command

2000-09-22 Thread Hubert Pun

Hi

what does the "access-list 100 permit ip host 0.0.0.0 host 0.0.0.0"
applied to an interface do?

Is it only permitting the default route going through ?

Thanks in advance

Hubert






About access-list

2000-09-25 Thread Raymond Mak

Hi,

I am just a beginner. My question is: do I need to type
any command to "enable" using IP extended access-lists?
When I add an ip access-group for a standard access-list on
an interface, it works with no side effects. But when I add an extended
access-list on an interface,
I cannot even ping out.

Thanks

Regards,
Raymond




********* Access List Enquiry **************

2000-10-30 Thread GNOME

Hi All

Which one of the access-lists is normally used?

Example 1
---
access-list 102 permit tcp any host 172.16.0.1 eq 80
access-list 102 permit tcp any host 172.16.0.1 eq 53


Example 2
---
access-list 102 permit tcp any gt 1023 host 172.16.0.1 eq 80
access-list 102 permit tcp any gt 1023 host 172.16.0.1 eq 53
(notice the gt 1023)

I saw in most of the books that Example 1 is common. I don't know what
the normal practice generally is.
I'd appreciate it if anyone can share his/her comments with me. Thanks a lot.

Regards
Orion
[EMAIL PROTECTED]







ISIS access list?

2000-11-15 Thread McCallum, Robert

Hellooo,

Me again with the 'orrible ISIS questions.  Here goes.

Scenario is as below.


ROUTER A --- ROUTER B --- ROUTER C --- ROUTER D --- ROUTER E --- ROUTER F

O.k. All routers are level 2 only i.e. all in different domains / areas.
What I require is for Router C to be able to see D, E & F but not Router B
and A.
I need Router A & B to be able to see the full network.

Oh Router C, D, E & F only run CLNS.

My guess is to put an outbound access list of some sort onto Router B.  BUT
What type of access list.  Is it a protocol type list?  If so what protocol
number should I use. 

I have tried various things, i.e. make Router C a level 1 router --- result --- no
adjacency formed = no CLNS routes.  Passive interface on Router B's
connection = no adjacency formed = no CLNS routes.

Any help, ideas would be most welcome.  




Re: access list

2000-07-20 Thread Zhang Jin

Jain,
No need, just the standard IP IOS is OK.
dean

swapnil wrote:

> to use access list do I need some extra ios feature like IP Plus or
> something.
>
> Swapnil Jain
> (CNE, MCSE, CCNA)
> ICQ# 45074571
>
> ___
> UPDATED Posting Guidelines: http://www.groupstudy.com/list/guide.html
> FAQ, list archives, and subscription info: http://www.groupstudy.com
> Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
> ---




access list editing

2000-07-21 Thread Ronald Rella

Hi everybody.  I wonder if someone could assist me.  I have to add an entry
to an access list with an additional deny all statement at the end, so I have
to edit the list and bring it back in.  I've used both QVT term and
Hyperterm to access the router.  And I've used Notepad and Wordpad to
modify the list.  I have no problem copying and editing the list.  I edit the
list, make my new entry and delete the extra deny all.  The problem I have
is when I try to paste it back.  I am doing something stupid here.  I keep
getting 'Invalid' something as it scrolls by.  I have tried copying the
buffer.  I've tried basic copy and paste, but the pasting is where I'm having
this problem.  I've even tried using the command 'no access-list deny any
any', but that just removes the access list from the interface.  Can someone
enlighten me on what step I'm missing?  Thanks everyone.




Access List ping

2000-07-21 Thread SH Wesson

I want to create an access list such that a user can ping out and get a 
response, but at the same time no one is able to ping in.  I 
tried an access list denying ICMP for IN on that interface, but that totally 
stops the pings from going out or in.  Any assistance on how I can get this 
accomplished would be greatly appreciated.  Thanks.




775 ACCESS LIST

2000-08-03 Thread jack



Hi all
Does anyone know if there are any
access lists to configure on the Cisco 775 ISDN router?
(I have a cisco 775 for the connection to the Internet and I 
want to block  ICQ  from my LAN)
 
Jack Svolakis
CCNA, CCDA.


FW: Access list

2000-08-13 Thread Hixon Sgt James R Jr



You need the keyword established, but also don't forget to permit the
necessary traffic through the interface. You don't need the deny any any; it is
implicit anyway.

-Original Message-
From: Jianfeng Wang [mailto:[EMAIL PROTECTED]]
Sent: Friday, August 11, 2000 9:59 AM
To: [EMAIL PROTECTED]
Subject: Access list


Hi all,

I have a router that has 2 Ethernet interfaces - 0 and 1. 0 connects to
outside and 1 to inside.

I set up an access list like below:

access-list 101 deny any any
interface Ethernet0
ip access-group 101 in

I expect that will only allow applications like web browsers to initiate
connections from inside but not outside. However, I find both ends fail to
browse through the router. Should I add something like "access-list 101
permit any eq www any" to allow www traffic from ether1 to ether0?

Any advice is appreciated.




Access List Question

2000-08-14 Thread Rose Olsen

Can someone explain to me how to interpret the subnet mask for this access
list?

permit udp host 194.72.72.33 194.72.6.160 0.0.0.15

Thank you.
Rose





vty access list

2000-08-30 Thread Daniel Boutet

I am aware that access lists have a deny all implicitly applied at the end.
I am also aware that if you enable an access list for http access to the
switch there is also an implicit deny all at the end. But my question is
does this also apply to terminal access lists?

I would also like to know the proper syntax to apply this list at the line.
Is this ok?
myrout (config)# access-class 1 permit 1 172.16.1.3
myrout (config)# line vty 0 4
myrout (config-line)# access-class 1 inout

My understanding of "inout" rather than "in" only is that it restricts where
you can telnet once you are in. By adding the "out", where am I restricting
172.16.1.3?
Or is it rather that I am allowing 172.16.1.3 to telnet to other devices once
I am in line mode?

A little confused here.





access-list interpretation

2000-08-31 Thread Yee, Jason

hi,
 does anyone know how to interpret the access-list below?

access-list 101 160.0.0.0 0.255.255.255 255.0.0.0 0.0.0.0


Jason





Re: Access list

2000-09-10 Thread Bob & Karen Timmons

That's a pretty open-ended question.  I don't think one could answer this
in an email.  Your best bet is to go to Cisco.com and/or buy some books.
A few suggestions would be:

Cisco IOS Network Security - Cisco Press
CCNA/ACRC Study Guide(s) - Sybex

There's also a book by McGraw Hill that's specifically Cisco access-lists,
though I haven't read it.

Here are some links to get you started:

http://www.cisco.com/univercd/cc/td/doc/product/software/ssr83/rpc_r/48383.htm

http://www.cisco.com/univercd/cc/td/doc/product/software/ios112/112cg_cr/5rbook/5rip.htm

http://www.cisco.com/univercd/cc/td/doc/product/software/ios113ed/113ed_cr/secur_c/scprt3/scacls.htm

Bob
- Original Message -
From: David Jackson <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Sunday, September 10, 2000 9:06 PM
Subject: Access list


> hello,
>
> can someone explain the appropriate procedure for both writing an extended
> and standard access-list?
> eventually, I will be responsible for applying ACLs on our production
> (Cisco) routers.
>
> here's what I do know: standard ACLs reference source addresses and
> extended ACLs reference source and destination;
> transport protocols and application protocols are used. Now I'm ready for
> an educational journey into ACLs.
>
> thanks
>
> **NOTE: New CCNA/CCDA List has been formed. For more information go to
> http://www.groupstudy.com/list/Associates.html




Re: Access list

2000-09-10 Thread Bob Wilson

The McGraw-Hill book Bob T mentioned, I have read it and like it a lot.  It
covers a lot of ground -- access lists and related stuff, and it is concise
and readable and has lots of examples in it.  Highly recommended.  About
$29US.

Bob W.
Recent CCNA/CCDA

- Original Message -
From: Bob & Karen Timmons <[EMAIL PROTECTED]>
To: David Jackson <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>
Sent: Sunday, September 10, 2000 9:48 PM
Subject: Re: Access list


> That's a pretty open-ended question.  I don't think one could answer this
> in an email.  Your best bet is to go to Cisco.com and/or buy some books.
> A few suggestions would be:
>
> Cisco IOS Network Security - Cisco Press
> CCNA/ACRC Study Guide(s) - Sybex
>
> There's also a book by McGraw Hill that's specifically Cisco access-lists,
> though I haven't read it.
>
> Here's some links to get you started:
>
> http://www.cisco.com/univercd/cc/td/doc/product/software/ssr83/rpc_r/48383.htm
>
> http://www.cisco.com/univercd/cc/td/doc/product/software/ios112/112cg_cr/5rbook/5rip.htm
>
> http://www.cisco.com/univercd/cc/td/doc/product/software/ios113ed/113ed_cr/secur_c/scprt3/scacls.htm
>
> Bob
> - Original Message -
> From: David Jackson <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> Sent: Sunday, September 10, 2000 9:06 PM
> Subject: Access list
>
>
> > hello,
> >
> > can someone explain the appropriate procedure for both writing an
> > extended and standard access-list?
> > eventually, I will be responsible for applying ACLs on our production
> > (Cisco) routers.
> >
> > here's what I do know: standard ACLs reference source addresses and
> > extended ACLs reference source and destination;
> > transport protocols and application protocols are used. Now I'm ready for
> > an educational journey into ACLs.
> >
> > thanks
> >
>




Re: Access list

2000-09-11 Thread Seth Wilson

Incidentally, I have read somewhere--possibly this list--that the McGraw
Hill book contains almost all the material necessary to pass the CCNP
Security specialization exam.  The only exam material that isn't covered in
the book is PIX firewall information.  Just what I've heard.

~Seth~
CCNA, MCSE, MCP+I, CNE

> The McGraw-Hill book Bob T mentioned, I have read it and like it a lot.
It
> covers a lot of ground -- access lists and related stuff, and it is
concise
> and readable and has lots of examples in it.  Highly recommended.  About
> $29US.
>
> Bob W.
> Recent CCNA/CCDA




Re: Access list

2000-09-11 Thread Ejay Hire

If you can, get a copy of the Cisco Press "Advanced Cisco Router 
Configuration". Chapters 3 (IP) and 4 (IPX) deal with access lists, and 
helped me understand writing them and also how to apply them with maximum 
efficiency.

Original Message Follows
From: David Jackson <[EMAIL PROTECTED]>
Reply-To: David Jackson <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Subject: Access list
Date: Sun, 10 Sep 2000 21:06:06 -0400

hello,

can someone explain the appropriate procedure for both writing an extended
and standard access-list?
eventually, I will be responsible for applying ACLs on our production
(Cisco) routers.

here's what I do know: standard ACLs reference source addresses and
extended ACLs reference source and destination;
transport protocols and application protocols are used. Now I'm ready for an
educational journey into ACLs.

thanks




Access-list 101

2000-05-23 Thread dneisler



I have used uncommon subnets very little, and have forgotten part of my mask stuff.


If I have this:


access-list 101 deny ip 192.189.243.64 255.255.255.192 any

I know that the mask is not done the proper way. Can someone give me a refresher on how to get the proper inverse mask for this access list?


Thanks



/**/
Donald Neisler
MCSE, CCNA, ACRC

Network Specialists



Access List thoughts....

2000-07-06 Thread John Mairs

Hi,

I was wondering a couple of things and wanted to know
if someone could shed some light on this. Since, when
doing access lists (un-named), you use protocol number
ranges (e.g. 800-899 IPX Std., 100-199 IP ext., etc.), why
then do they "require" that you mention the protocol
when applying it to the interface (ip
access-group... bla bla bla) when, by virtue of being
forced to use ranges, this makes which protocol you are
using clear anyway? Or in reverse, why are ranges
necessary if you indicate which protocol it is you're
using when you apply the list?

Also, I am a bit confused as to when you would ever be
able to get any use out of using a wildcard mask on
the host portion of an IPX address in an access list.
What I mean by that is I can understand its use in IP
since you assign the Network.Host number but since IPX
uses the BIA of the card for the host, the odds of
having a range in any kind of sequence seems
astronomical.

Just some things that were bugging me... thanks.

John Mairs

=
John L. Mairs




Access List & Catalyst

2000-07-07 Thread Deloso, Elmer G.





Hi, all.
Is there a way to implement access-lists on Catalyst ports/VLANs? Just curious, because I could
not find any reference to ACLs in the IOS documentation for the switch.
My goal is actually to be able to say to a switch, "Only allow this MAC address to go through 
this port. Deny any other MACs." This will keep users from just moving workstations from one
area and plugging them into another drop. This way, my documentation for hundreds of nodes will
remain accurate.
Is there management software that will do this? I haven't yet installed CiscoWorks2000, so if this
is the answer, I'd be ecstatic.
Thanks in advance for all responses.


Elmer





RE: Access-list

2000-07-07 Thread Irwin Lazar

Hi Sanjay,
Could you post your list so we can take a look?

Irwin

-Original Message-
From: Sanjay.Padmanabhan
[mailto:[EMAIL PROTECTED]]
Sent: Friday, July 07, 2000 8:02 AM
To: [EMAIL PROTECTED]
Subject: Access-list






Hi all,

We have an access-list that has to allow only DNS and SMTP traffic to come
through. I have configured DNS successfully, but if I configure the router
to allow SMTP traffic to an internal host, it does not work. If SMTP has to
pass, I have to open all the TCP ports.
Any suggestions will be welcome.
Rgds
Sanjay






Access List Question

2000-07-11 Thread Scott M. Trieste

Is there any way to remove a specific line from an access list without
erasing the entire thing?  Thanks in advance.

Best Regards,

Scott M. Trieste





SMTP access list

2000-07-12 Thread Deloso, Elmer G.





Hi, all.
Just to verify my understanding of extended access-lists: this continues to parse the entries even
after a match has already been found, so if the first few lines have a "permit" and further down, in the last few lines, it encounters a "deny", what does the router do?

Example:
access-list 176 permit tcp 193.128.233.177 0.0.0.0 any eq smtp log 
access-list 176 permit tcp 203.23.83.180 0.0.0.0 any eq smtp log
access-list 176 permit tcp 203.35.182.133 0.0.0.0 any eq smtp log
.
.
.
.
access-list 176 deny ip 193.0.0.0 0.255.255.255 any log
access-list 176 deny ip 203.0.0.0 0.255.255.255 any log


Any help would be greatly appreciated.


Elmer Deloso
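Elmer's question about a permit followed by a deny, and the earlier thread where Jianfeng Wang's deny-only list stopped browsing in both directions until Sgt Hixon pointed him at the established keyword, both come down to how an extended list is evaluated: top-down, first match wins, and anything that matches nothing hits the implicit deny. The Python below is an added example written for this archive, not code from the list or from Cisco. It parses numbered extended-ACL lines (eq/gt/lt port operators and the established keyword included) and runs a few constructed packets through a constructed list: Elmer's first entries and his trailing /8 denies, with an established entry of the kind suggested to Jianfeng placed between them. The port-name table, the 10.0.0.x and 198.51.100.7 addresses, and the placement of the established line are assumptions.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed sample list (not a real device config): Elmer's first three SMTP
# entries and his trailing /8 denies, plus one "established" entry of the kind
# suggested to Jianfeng Wang, placed between them.
ACL_TEXT = """
access-list 176 permit tcp 193.128.233.177 0.0.0.0 any eq smtp log
access-list 176 permit tcp 203.23.83.180 0.0.0.0 any eq smtp log
access-list 176 permit tcp any any established
access-list 176 deny ip 193.0.0.0 0.255.255.255 any log
access-list 176 deny ip 203.0.0.0 0.255.255.255 any log
"""

# Port keywords IOS accepts in place of numbers (a subset, assumed here).
PORT_NAMES = {"ftp-data": 20, "ftp": 21, "telnet": 23, "smtp": 25, "domain": 53, "www": 80}

@dataclass
class Entry:
    action: str                 # "permit" or "deny"
    proto: str                  # "ip", "tcp", "udp", ...
    src: tuple                  # (address, wildcard)
    sport: Optional[tuple]      # ("eq"|"gt"|"lt", port) or None
    dst: tuple
    dport: Optional[tuple]
    established: bool = False   # match only packets with ACK or RST set

@dataclass
class Packet:
    proto: str
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    ack: bool = False           # ACK/RST flag set, i.e. not a new SYN

def wildcard_match(addr, base, wildcard):
    """Cisco wildcard: a 1 bit means 'don't care', a 0 bit must match exactly."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a & ~w) == (b & ~w)

def _parse_addr(t, i):
    if t[i] == "any":
        return ("0.0.0.0", "255.255.255.255"), i + 1
    if t[i] == "host":
        return (t[i + 1], "0.0.0.0"), i + 2
    return (t[i], t[i + 1]), i + 2

def _parse_port(t, i):
    if i < len(t) and t[i] in ("eq", "gt", "lt"):
        return (t[i], PORT_NAMES.get(t[i + 1]) or int(t[i + 1])), i + 2
    return None, i

def parse_acl(text):
    """Parse numbered extended ACL lines into Entry objects, keeping their order."""
    entries = []
    for line in text.strip().splitlines():
        t = line.split()
        if not t or t[0] != "access-list":
            continue
        action, proto = t[2], t[3]
        src, i = _parse_addr(t, 4)
        sport, i = _parse_port(t, i)
        dst, i = _parse_addr(t, i)
        dport, i = _parse_port(t, i)
        entries.append(Entry(action, proto, src, sport, dst, dport, "established" in t[i:]))
    return entries

def _port_ok(spec, port):
    if spec is None:
        return True
    op, n = spec
    return {"eq": port == n, "gt": port > n, "lt": port < n}[op]

def evaluate(entries, pkt):
    """Top-down, first match wins; no match at all is the implicit deny.
    Returns (action, 1-based line number or None)."""
    for n, e in enumerate(entries, 1):
        if e.proto not in ("ip", pkt.proto):
            continue
        if not (wildcard_match(pkt.src, *e.src) and wildcard_match(pkt.dst, *e.dst)):
            continue
        if not (_port_ok(e.sport, pkt.sport) and _port_ok(e.dport, pkt.dport)):
            continue
        if e.established and not pkt.ack:
            continue
        return e.action, n
    return "deny", None

def demo():
    """Constructed packets; 10.0.0.x and 198.51.100.7 are placeholder addresses."""
    acl = parse_acl(ACL_TEXT)
    return {
        # permitted by line 1 even though line 4 would deny all of 193/8
        "smtp_from_listed_host": evaluate(acl, Packet("tcp", "193.128.233.177", "10.0.0.25", 40000, 25)),
        # no permit matches first, so the /8 deny on line 4 catches it
        "smtp_from_other_193": evaluate(acl, Packet("tcp", "193.5.5.5", "10.0.0.25", 40000, 25)),
        # new connection from outside (no ACK): nothing matches, implicit deny
        "new_syn_from_outside": evaluate(acl, Packet("tcp", "198.51.100.7", "10.0.0.80", 40000, 80)),
        # reply to an inside-initiated session: ACK set, "established" permits it
        "reply_to_inside_client": evaluate(acl, Packet("tcp", "198.51.100.7", "10.0.0.80", 80, 40000, ack=True)),
    }

if __name__ == "__main__":
    for name, (action, line) in demo().items():
        print(f"{name}: {action} (line {line})")
```

The first packet shows the answer to Elmer's question: the listed host is permitted by line 1 and the later /8 deny is never consulted. The last two show why Jianfeng's deny-only list broke browsing both ways, and what the established entry changes: only packets carrying ACK or RST (return traffic of sessions the inside opened) match it, while a fresh SYN from outside still falls through to the implicit deny.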





RE: access-list ?

2000-07-12 Thread Irwin Lazar

There are several books on the topics and I maintain a list of on-line
resources at http://www.itprc.com/security.htm

Irwin

-Original Message-
From: Ronnie Toolte [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, July 12, 2000 1:26 PM
To: [EMAIL PROTECTED]
Subject: access-list ?


Does anyone know of a good resource that explains extended access-list?
I'm having problems understanding how to take a range of networks and
reduce them in number by summarizing them. For example, if  I want to
filter out all networks from 24.1.0.0 to 24.20.0.0, how would I
determine what inverse mask to use?

access-list 101 deny ip 24.1.0.0 ?.?.?.? any

I know if I want to filter just 24.1.0.0, I would do
access-list 101 deny ip 24.1.0.0 0.0.255.255 any

thanks in advance




RE: access-list ?

2000-07-12 Thread Daniel Cotts

Kent Hundley has authored several books that each have an algorithm for
determining the correct mask(s). One of his books deals with Cisco Security,
the other with Access Lists. Check out Amazon.com for the exact titles.

> -Original Message-
> From: Ronnie Toolte [mailto:[EMAIL PROTECTED]]
> Sent: Wednesday, July 12, 2000 12:26 PM
> To: [EMAIL PROTECTED]
> Subject: access-list ?
> 
> 
> Does anyone know of a good resource that explains extended 
> access-list?
> I'm having problems understanding how to take a range of networks and
> reduce them in number by summarizing them. For example, if  I want to
> filter out all networks from 24.1.0.0 to 24.20.0.0, how would I
> determine what inverse mask to use?
> 
> access-list 101 deny ip 24.1.0.0 ?.?.?.? any
> 
> I know if I want to filter just 24.1.0.0, I would do
> access-list 101 deny ip 24.1.0.0 0.0.255.255 any
> 
> thanks in advance
> 
> 




wildcard in access-list

2001-03-03 Thread Nelluri Reddy

I have two parts of a large network, the first part using 141.120.0.0
thru 141.120.7.255 and the second part using 141.120.128.0 thru
141.120.135.255. At the router connecting to Internet I want access from
outside limited only to these subnets and not to other addresses used. I
know that the following will work for TCP:

access-list 101 permit tcp any 141.120.0.0 0.0.7.255
access-list 101 permit tcp any 141.120.128.0 0.0.7.255

I want to condense this to a single statement as follows:

access-list 101 permit tcp any 141.120.0.0 0.0.135.255

Will this work?
For example 141.120.9.2 should not be allowed.
In binary 141.120.9.2 is 10001101.01111000.00001001.00000010.

My understanding of the steps of how the access-list works is:

1) perform a NOT on the mask, which gives in binary
  11111111.11111111.01111000.00000000
2) perform an AND between this and the IP address, which gives in binary
  10001101.01111000.00001000.00000000
3) compare the result with the original IP address in the access-list
  the comparison fails
4) if successful, allow, otherwise drop.
  so the packet is dropped.

Is the above correct?
I don't have a lab to test this. I would appreciate any help. Thanks.

Nelluri

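The four steps Nelluri lists are exactly how the wildcard check works, and the same arithmetic answers the earlier questions from Rose (what 0.0.0.15 covers), Jason (0.255.255.255) and Donald (how to get the inverse mask from 255.255.255.192). The Python below is an added example written for this archive, not code from the list or from Cisco. It carries the steps through in dotted binary so they can be checked by hand, converts a subnet mask to a wildcard, and enumerates the addresses an entry matches; that last function goes beyond the usual contiguous case, since a wildcard such as 0.0.135.255 matches several separate blocks rather than one.

```python
import ipaddress

def to_int(a):
    return int(ipaddress.IPv4Address(a))

def to_str(n):
    return str(ipaddress.IPv4Address(n))

def dotted_binary(n):
    """32-bit value as four 8-bit groups, e.g. 10001101.01111000.00001001.00000010"""
    return ".".join(f"{(n >> s) & 0xFF:08b}" for s in (24, 16, 8, 0))

def wildcard_match(addr, base, wildcard):
    """Cisco wildcard: a 1 bit means 'don't care'; the 0 bits must equal the list entry."""
    w = to_int(wildcard)
    return (to_int(addr) & ~w) == (to_int(base) & ~w)

def match_trace(addr, base, wildcard):
    """Nelluri's four steps, with the intermediate values in dotted binary."""
    care = ~to_int(wildcard) & 0xFFFFFFFF      # step 1: NOT the wildcard mask
    anded = to_int(addr) & care                 # step 2: AND with the packet address
    expected = to_int(base) & care              # the list entry under the same mask
    return {
        "address": dotted_binary(to_int(addr)),
        "not_wildcard": dotted_binary(care),
        "anded": dotted_binary(anded),
        "match": anded == expected,             # steps 3 and 4: equal means permit
    }

def subnet_to_wildcard(mask):
    """Inverse mask: flip every bit of the subnet mask (255.255.255.192 -> 0.0.0.63)."""
    return to_str(to_int(mask) ^ 0xFFFFFFFF)

def wildcard_to_prefixlen(wildcard):
    """Prefix length when the wildcard is contiguous (one run of 1s at the low end),
    None when it is not, because then the entry is not a single subnet."""
    w = to_int(wildcard)
    if w & (w + 1):
        return None
    return 32 - w.bit_length()

def matched_blocks(base, wildcard):
    """Contiguous address ranges the entry matches, as (first, last) pairs.
    Enumerates every matched address, so keep it to wildcards with at most
    ~20 one-bits; a non-contiguous wildcard yields several separate blocks."""
    b, w = to_int(base), to_int(wildcard)
    free = [i for i in range(32) if (w >> i) & 1]   # bit positions that may vary
    fixed = b & ~w                                   # bits pinned by the entry
    addrs = set()
    for combo in range(1 << len(free)):
        v = fixed
        for k, i in enumerate(free):
            if (combo >> k) & 1:
                v |= 1 << i
        addrs.add(v)
    blocks, start, prev = [], None, None
    for v in sorted(addrs):
        if start is None:
            start = prev = v
        elif v == prev + 1:
            prev = v
        else:
            blocks.append((to_str(start), to_str(prev)))
            start = prev = v
    if start is not None:
        blocks.append((to_str(start), to_str(prev)))
    return blocks

if __name__ == "__main__":
    print(subnet_to_wildcard("255.255.255.192"))        # Donald's inverse mask
    print(wildcard_to_prefixlen("0.255.255.255"))       # Jason's entry is a /8
    print(matched_blocks("194.72.6.160", "0.0.0.15"))   # Rose's entry: 16 hosts
    print(matched_blocks("141.120.0.0", "0.0.135.255")) # Nelluri's two blocks
    print(match_trace("141.120.9.2", "141.120.0.0", "0.0.135.255"))
```

Run against Nelluri's example, match_trace gives the binaries he worked out by hand and a mismatch for 141.120.9.2, and matched_blocks shows that 0.0.135.255 covers exactly 141.120.0.0-141.120.7.255 and 141.120.128.0-141.120.135.255 and nothing else, so the single statement is equivalent to his two. wildcard_to_prefixlen returning None for it is the reminder that such an entry cannot be read as one subnet, which is why non-contiguous wildcards are worth a comment in the config.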



access list on 3524

2001-03-05 Thread Croyle, James

Been trying to put a restrictive access list for telnet on a 3524.  The IOS
is not the same as our 6500 (obviously, I know) and I can't find a good example
on the Cisco page!  I just want to restrict telnet from this network to this
particular host.

network 172.20.20.x /24
host (the 3524)  172.20.10.5 /24

Any assistance would be greatly appreciated!

Thanks




Re: Access list help

2000-11-22 Thread Timothy Metz

yes, I see that my wildcard mask is all screwed up, I'm sending this from
home and now I'm not sure if it's just a typo on my part or I actually typed
it in like that on the router ;-(

Tim


"Timothy Metz" <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]...





IPX SAP access-list

2000-11-24 Thread mindiani mindiani


What does this IPX SAP access-list mean?

access-list 1001 deny  640
access-list 1001 permit 

I found this in a book and I could not find the service type 640.


Thanks







MIB and Access-list

2000-11-29 Thread Patrick Wolf

Is there a Cisco MIB that contains the information of an access-list?
My aim is to obtain the contents of an access-list (in this case, "IP
precedence" information) in order to get CAR (Committed Access Rate)
statistics on a "class of service" basis.
Moreover, is there someone using the CISCO-CB-QOS-MIB successfully?

Thank you in advance for your help.




Help with Access List

2000-12-04 Thread Perry Lucas



Here is the scenario...
 
A 2600 series router is connecting multiple offices 
in the same location to the Internet.  The offices are separated via VLANs 
on a Cisco 3500 series switch with ISL trunk links to the router, which is running 
IP Plus.  The IP subnets are 10.0.1.0, 10.0.2.0, 10.0.3.0, etc. with 
a Class C mask.  The router is also NATing the 10.0.x.0 addresses 
to a public IP pool.  The client wants to prevent any traffic from 
being routed between subnets.  (i.e. 10.0.1.0 cannot talk to 10.0.2.0 or 
10.0.3.0 and vice versa.)
 
What is the access list to prevent the subnets from 
routing to each other, as well as the correct access group on the 
sub-interface (inbound or outbound) while not interrupting connectivity to 
the Internet or the IP Nat pool...
 
Perry


Re: Access list & chat

2000-12-07 Thread Bharat Suneja

You can build your access lists without specifying hosts by using "any" as
source & destination addresses and specify the ports for FTP & IRC.
Web-based chats may be difficult to control, and people use buddy-list
programs to chat as well. If you want to stop those, you'll have to find out
the ports they use and block those. Don't forget the implicit "Deny All"
that's taken for granted with each access list, so after blocking those
ports you'll have to insert an allow all statement as well.

Hope this helps. Refer to IOS documentation for the exact syntax.

Bharat

""Very Gentle Guy"" <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]...
> Dear all,
>
> I need to restrict my users to be able to use all chat services and have no
> browsing or ftp things; how do you think I can build my access list to do
> so?
>
> Do I have to mention host addresses, or can I control it through opening
> access to specific ports only?
>
> Thanks for your help
> Ref
>

_
> Get more from the Web.  FREE MSN Explorer download :
http://explorer.msn.com
>
> _
> FAQ, list archives, and subscription info:
http://www.groupstudy.com/list/cisco.html
> Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
>


_
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]



Re: Access list & chat

2000-12-07 Thread Patrick Bass

Are you using a PIX?

""Very Gentle Guy"" <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]...
> Dear all,
>
> I need to restrict my users to be able to use all chat services and have no
> browsing or ftp things; how do you think I can build my access list to do
> so?
>
> Do I have to mention host addresses, or can I control it through opening
> access to specific ports only?
>
> Thanks for your help
> Ref
>

_
> Get more from the Web.  FREE MSN Explorer download :
http://explorer.msn.com
>
> _
> FAQ, list archives, and subscription info:
http://www.groupstudy.com/list/cisco.html
> Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
>


_
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]



RE: Access list & chat

2000-12-07 Thread Akin Wuraola

I think you need an extended access list for this. Try this and it should
block browsing and ftp'ing and allow all other traffic out of your specified
interface:

Router#conf t
Router(config)#access-list 110 deny tcp  to
 eq 
Router(config)#access-list 110 deny tcp  to
 eq 
Router(config)#access-list 110 permit ip any any
Router(config)#int e0
Router(config-if)#access-group 110 out

Akin

-Original Message-
From: Very Gentle Guy [mailto:[EMAIL PROTECTED]]
Sent: Thursday, December 07, 2000 2:26 PM
To: [EMAIL PROTECTED]
Subject: Access list & chat


Dear all,

I need to restrict my users to be able to use all chat services and have no 
browsing or ftp things; how do you think I can build my access list to do 
so?

Do I have to mention host addresses, or can I control it through opening 
access to specific ports only?

Thanks for your help
Ref




Re: Access List question

2000-12-13 Thread Andy Walden


You can do it based on subnet. If you could narrow down the largest legal
subnet in the block of ips you wanted to deny then block the left over
ones with a smaller subnet or individuals. Good planning and design says
things like this should fall on subnet lines.

andy

On Wed, 13 Dec 2000, Edward Gomez wrote:

> Hi all,
> 
> I was just wondering, is there a way to specify a range of IP addresses in an
> access list? Say for instance that I am using an RFC1700 address
> 192.168.100.0/24 and I want to block IP addresses 192.168.100.100 -
> 192.168.100.254 from going out to 0.0.0.0; do I have to manually do 154
> separate entries in the access list? 
> 
> Thanks in advance!
> 
> Eddie
> 
> --
> Edward J. Gomez, MCSE, CNE, CCNA
> Information Systems Manager
> ProxyMed, Inc
> 2555 Davie Road,
> Suite 110
> Fort Lauderdale, Florida 33317
> (954) 473-1001 x315
> http://www.proxymed.com
> 



Re: Access List question

2000-12-13 Thread James Kilby

Edward,

You can configure a single access list for the last 128 addresses (129 thru
254). Then another access list could be used for say 97 thru 128. You need
to think in binary to do this, 100 is not an easy binary number to deal
with!

Regards

James Kilby
Project Engineer
Professional Services EMEA
+44 (0) 7730 711 428
[EMAIL PROTECTED]
C I S C O  S Y S T E M S


- Original Message -
From: Edward Gomez <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Wednesday, December 13, 2000 2:36 PM
Subject: Access List question


> Hi all,
>
> I was just wondering, is there a way to specify a range of ip addresses in
> an access list. Say for instance that I am using an RFC1700 address
> 192.168.100.0/24 and I want to block ip addresses 192.168.100.100 -
> 192.168.100.254 from going out to 0.0.0.0 do I have to manually do 154
> separate entries in the access list?
>
> Thanks in advance!
>
> Eddie
>
> --
> Edward J. Gomez, MCSE, CNE, CCNA
> Information Systems Manager
> ProxyMed, Inc
> 2555 Davie Road,
> Suite 110
> Fort Lauderdale, Florida 33317
> (954) 473-1001 x315
> http://www.proxymed.com
>



Re: Access List question

2000-12-13 Thread Joseph H Marti

Caslow's book Cisco Certification ISBN 0-13-082537-9 pp877-679 contains an
access-list algorithm -- can be improved. Following may work for your
example to block 192.168.100.100 - 192.168.100.254

permit 192.168.100.255 0.0.0.0    -- broadcast
deny   192.168.100.96  0.0.0.31   -- 96->127
deny   192.168.100.128 0.0.0.127  -- 129->255
permit any                        -- all other

"Andy Walden" <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]...
>
> You can do it based on subnet. If you could narrow down the largest legal
> subnet in the block of ips you wanted to deny then block the left over
> ones with a smaller subnet or individuals. Good planning and design says
> things like this should fall on subnet lines.
>
> andy
>
> On Wed, 13 Dec 2000, Edward Gomez wrote:
>
> > Hi all,
> >
> > I was just wondering, is there a way to specify a range of ip addresses
> > in an access list. Say for instance that I am using an RFC1700 address
> > 192.168.100.0/24 and I want to block ip addresses 192.168.100.100 -
> > 192.168.100.254 from going out to 0.0.0.0 do I have to manually do 154
> > separate entries in the access list?
> >
> > Thanks in advance!
> >
> > Eddie
> >
> > --
> > Edward J. Gomez, MCSE, CNE, CCNA
> > Information Systems Manager
> > ProxyMed, Inc
> > 2555 Davie Road,
> > Suite 110
> > Fort Lauderdale, Florida 33317
> > (954) 473-1001 x315
> > http://www.proxymed.com
> >



Re: Access List question

2000-12-13 Thread Scott McClure, CCNP, CCDA, MCNE

Andy and Edward are both correct.  It is much easier if you are trying to
block addresses that fall on specific subnet blocks.  To specifically block
your range 192.168.100.100 - 192.168.100.254 you would need:

The basic concept of access list wildcard masks is that any 0 in the mask
means the address bit has to match, and any 1 in the mask means you don't
care.

access-list 1 permit 192.168.100.255 0.0.0.0   <--- allow broadcast
access-list 1 deny 192.168.100.128 0.0.0.127   <--- deny hosts 128 through 254
access-list 1 deny 192.168.100.112 0.0.0.15    <--- deny hosts 112 - 127
access-list 1 deny 192.168.100.104 0.0.0.7     <--- deny hosts 104 - 111
access-list 1 deny 192.168.100.100 0.0.0.3     <--- deny hosts 100 - 103
access-list 1 permit any                       <--- allow everything else

So in binary terms, the deny statements look like this:

                  192       .       168       .       100       .       128
  Address   1 1 0 0 0 0 0 0 . 1 0 1 0 1 0 0 0 . 0 1 1 0 0 1 0 0 . 1 0 0 0 0 0 0 0
  Wildcard  0 0 0 0 0 0 0 0 . 0 0 0 0 0 0 0 0 . 0 0 0 0 0 0 0 0 . 0 1 1 1 1 1 1 1
                   0        .        0        .        0        .       127

                  192       .       168       .       100       .       112
  Address   1 1 0 0 0 0 0 0 . 1 0 1 0 1 0 0 0 . 0 1 1 0 0 1 0 0 . 0 1 1 1 0 0 0 0
  Wildcard  0 0 0 0 0 0 0 0 . 0 0 0 0 0 0 0 0 . 0 0 0 0 0 0 0 0 . 0 0 0 0 1 1 1 1
                   0        .        0        .        0        .        15

                  192       .       168       .       100       .       104
  Address   1 1 0 0 0 0 0 0 . 1 0 1 0 1 0 0 0 . 0 1 1 0 0 1 0 0 . 0 1 1 0 1 0 0 0
  Wildcard  0 0 0 0 0 0 0 0 . 0 0 0 0 0 0 0 0 . 0 0 0 0 0 0 0 0 . 0 0 0 0 0 1 1 1
                   0        .        0        .        0        .        7

                  192       .       168       .       100       .       100
  Address   1 1 0 0 0 0 0 0 . 1 0 1 0 1 0 0 0 . 0 1 1 0 0 1 0 0 . 0 1 1 0 0 1 0 0
  Wildcard  0 0 0 0 0 0 0 0 . 0 0 0 0 0 0 0 0 . 0 0 0 0 0 0 0 0 . 0 0 0 0 0 0 1 1
                   0        .        0        .        0        .        3



Then you apply the access list to the interface like so..

interface Ethernet0
  ip access-group 1  <--- apply access-list 1 (outbound by default)


Hope this helps...

Scott McClure, CCNP, CCDA, MCNE
--

When I disagree with a rational man, I let reality be our final arbiter; If
I am right, he will learn, If I am wrong, I will; one of us will win, but
both of us will profit.
 - John Galt



"Joseph H Marti" <[EMAIL PROTECTED]> wrote in message
news:918b5e$7qs$[EMAIL PROTECTED]...
> Caslow's book Cisco Certification ISBN 0-13-082537-9 pp877-679 contains an
> access-list algorithm -- can be improved. Following may work for your
> example to block 192.168.100.100 - 192.168.100.254
>
> permit 192.168.100.255 0.0.0.0    -- broadcast
> deny   192.168.100.96  0.0.0.31   -- 96->127
> deny   192.168.100.128 0.0.0.127  -- 129->255
> permit any                        -- all other
>
> "Andy Walden" <[EMAIL PROTECTED]> wrote in message
> news:[EMAIL PROTECTED]...
> >
> > You can do it based on subnet. If you could narrow down the largest legal
> > subnet in the block of ips you wanted to deny then block the left over
> > ones with a smaller subnet or individuals. Good planning and design says
> > things like this should fall on subnet lines.
> >
> > andy
> >
> > On Wed, 13 Dec 2000, Edward Gomez wrote:
> >
> > > Hi all,
> > >
> > > I was just wondering, is there a way to specify a range of ip addresses
> > > in an access list. Say for instance that I am using an RFC1700 address
> > > 192.168.100.0/24 and I want to block ip addresses 192.168.100.100 -
> > > 192.168.100.254 from going out to 0.0.0.0 do I have to manually do 154
> > > separate entries in the access list?
> > >
> > > Thanks in advance!
> > >
> > > Eddie
> > >
> > > --
> > > Edward J. Gomez, MCSE, CNE, CCNA
> > > Information Systems Manager
> > > ProxyMed, Inc
> > > 2555 Davie Road,
> > > Suite 110
> > > Fort Lauderdale, Florida 33317
> > > (954) 473-1001 x315
> > > http://www.proxymed.com
> > >
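The wildcard rule Scott describes (0 = bit must match, 1 = don't care) can only express aligned power-of-two blocks, which is why the replies in this thread split .100-.254 into several lines. As an added example (not code from any of the posts), the following generates the exact aligned-block cover for an arbitrary range, renders it as standard access-list lines, and checks both it and the thread's shorter ordered list against every address in the /24; the list number and the sample range are taken from the thread.

```python
"""Wildcard-mask range decomposition and verification.

Added example, not code from the thread: Cisco wildcard masks (0 bit =
must match, 1 bit = don't care) can only express aligned power-of-two
blocks, so an arbitrary range such as .100-.254 needs several entries.
"""
import ipaddress

ALL_ONES = 0xFFFFFFFF


def to_int(dotted):
    return int(ipaddress.IPv4Address(dotted))


def to_dotted(value):
    return str(ipaddress.IPv4Address(value))


def wildcard_matches(addr, base, wildcard):
    """True if addr agrees with base on every bit the wildcard marks 0."""
    must_match = to_int(wildcard) ^ ALL_ONES
    return (to_int(addr) ^ to_int(base)) & must_match == 0


def range_to_entries(first, last):
    """Exact cover of first..last as (address, wildcard) pairs.

    Greedy: at each step take the largest block that is aligned at the
    current start (its size is the lowest set bit of the address) and
    does not run past the end of the range.
    """
    start, end = to_int(first), to_int(last)
    if start > end:
        raise ValueError("range is reversed")
    entries = []
    while start <= end:
        size = start & -start if start else 1 << 32
        while size > end - start + 1:
            size //= 2
        entries.append((to_dotted(start), to_dotted(size - 1)))
        start += size
    return entries


def evaluate(acl, addr):
    """Standard ACL semantics: first matching line wins, else implicit deny."""
    for action, base, wildcard in acl:
        if wildcard_matches(addr, base, wildcard):
            return action
    return "deny"


def denied_hosts(acl, network):
    """Last octets of every address in `network` the ACL denies."""
    net = ipaddress.IPv4Network(network)
    return sorted(int(a) & 0xFF for a in net if evaluate(acl, str(a)) == "deny")


def render(acl, number=1):
    return [f"access-list {number} {act} {base} {wc}" for act, base, wc in acl]


# Exact cover: one deny per aligned block, then permit the rest.
EXACT_ACL = [("deny", base, wc) for base, wc in
             range_to_entries("192.168.100.100", "192.168.100.254")]
EXACT_ACL.append(("permit", "0.0.0.0", "255.255.255.255"))

# The thread's shorter list: permit .255 first, then deny 128-255 in one
# line, using first-match ordering instead of an exact cover.
ORDERED_ACL = [
    ("permit", "192.168.100.255", "0.0.0.0"),
    ("deny", "192.168.100.128", "0.0.0.127"),
    ("deny", "192.168.100.112", "0.0.0.15"),
    ("deny", "192.168.100.104", "0.0.0.7"),
    ("deny", "192.168.100.100", "0.0.0.3"),
    ("permit", "0.0.0.0", "255.255.255.255"),
]

if __name__ == "__main__":
    print("\n".join(render(EXACT_ACL)))
    for name, acl in (("exact", EXACT_ACL), ("ordered", ORDERED_ACL)):
        hosts = denied_hosts(acl, "192.168.100.0/24")
        print(f"{name}: {len(acl)} lines deny .{hosts[0]}-.{hosts[-1]} ({len(hosts)} hosts)")
```

The exact cover needs ten deny lines against the ordered list's four, but both deny precisely .100 through .254; the ordered form relies on the permit for .255 being evaluated first.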



Re: Access List question

2000-12-13 Thread Andy Walden


Awe, you gotta let the guy do his own work. He doesn't learn from cutting
and pasting...

andy

On Wed, 13 Dec 2000, Scott McClure, CCNP, CCDA, MCNE wrote:

> Andy and Edward are both correct.  It is much easier if you are trying to
> block addresses that fall on specific subnet blocks.  To specifically block
> your range 192.168.100.100 - 192.168.100.254 you would need:
> 
> The basic concept of access list wildcard masks is that any 0 in the mask
> means the address bit has to match, and any 1 in the mask means you don't
> care.





Re: Access List question

2000-12-13 Thread Pernell Jacobs

hmmm,
perhaps some comments?

depends on your needs, you could...

deny addresses 192.168.100.100 - 255 ?

deny 192.168.100.128/25  denies 128-255
deny 192.168.100.100/30  denies 100-103
deny 192.168.100.104/28  denies 104-119
deny 192.168.100.120/29  denies 120-127
permit all

or you could,

permit 192.168.100.0/26  permits 0-63
permit 192.168.100.64/27 permits 64-95
permit 192.168.100.96/40 permits 96-99
implicit deny

hmm, now that I think about it, there must be another way. Hmmm, am I seeing
this right? Comments please.



Re: Access List question

2000-12-13 Thread Scott McClure, CCNP, CCDA, MCNE

My apologies.  I'm new to this group.  I just thought since he was starting
from the point of denying each individual address that a little more
in-depth explanation was in order.  After your reply though, I thought about
it, and would not want someone just to give me the answer.  OK, I guess at
times I wished they would, but I supposed I am better in the long run just
figuring it out... character building and all that...

Scott


"Andy Walden" <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]...
>
> Awe, you gotta let the guy do his own work. He doesn't learn from cutting
> and pasting...
>
> andy
>
> On Wed, 13 Dec 2000, Scott McClure, CCNP, CCDA, MCNE wrote:
>
> > Andy and Edward are both correct.  It is much easier if you are trying
> > to block addresses that fall on specific subnet blocks.  To specifically
> > block your range 192.168.100.100 - 192.168.100.254 you would need:
> >
> > The basic concept of access list wildcard masks is that any 0 in the
> > mask means the address bit has to match, and any 1 in the mask means you
> > don't care.
> 
>



Access List/EIGRP Problem

2000-12-19 Thread Edward Gomez

Hi everybody,

I am having an issue with the following access list. I am trying to put an
ACL on my frame router that can limit which network inside my company a
partner can access. I basically want any traffic coming from 192.168.50.0 to
be able to go to 192.168.5.0. When I apply the access list nothing gets
through. If I ping a remote address I get a TTL expired in transit. I am
running EIGRP between the routers. Do I need to have an access list that
allows access to the LAN side for EIGRP updates? Or is this done via the WAN
port? What am I doing wrong here??


ip access-list extended FrameInbound
deny   ip host 0.0.0.0 any
permit ip 192.168.50.0 0.0.0.255 192.168.5.0 0.0.0.255

I have also tried: permit ip 192.168.50.0 0.0.0.255 host 192.168.5.0 and
that did not work either. 

Thanks in advance!!!

Eddie
--
Edward J. Gomez, MCSE, CNE, CCNA
Information Systems Manager
ProxyMed, Inc
2555 Davie Road,
Suite 110
Fort Lauderdale, Florida 33317
(954) 473-1001 x315
http://www.proxymed.com




Confused by access-list

2000-12-24 Thread lishengtao

The following is an access-list entered on a Cisco router:

access-list 135 deny tcp 172.16.16.0 0.0.15.255 172.16.32.0 0.0.15.255 eq telnet
access-list 135 permit ip any any

Which of the following would not apply if this access-list is used to control
incoming packets on ethernet 0?

  A. address 172.16.1.1 will be denied telnet access to address 172.16.37.5

  B. address 172.16.16.1 will be permitted telnet access to address
172.16.32.1

  C. address 172.16.16.1 will be permitted telnet access to address
172.16.50.1

  D. address 172.16.30.12 will be permitted telnet access to address
172.16.32.12







Access-list block sizes

2000-12-15 Thread Andy Barkl

What are the "valid" access-list block sizes?




access list on bridging

2001-01-12 Thread Murat Kirmaci

Hello Everybody,
I would like to insert an access list between two Fastethernet ports on a
Cisco 2621, but the important criterion here is that there will be no ip
routing in the router; only the bridging protocol will be running. Is it
possible to use an access list on interfaces that are only running
bridging?

I would like to get your opinions.


Murat KIRMACI
CCNA
--





Re: access list logging

2001-01-16 Thread Brian Hartsfield

At 10:50 AM 1/16/2001 -0800, Adam Wang wrote:
>Hi all,
>
>I want to build an access list on a cisco router that
>will log all the denied traffic to a file/server.  Can
>this be done on the implicit deny statement or I have
>to define the deny traffic.

At the bottom of your access list, add an "access-list xxx deny ip any any 
log" and then configure logging on the router to log to a syslog server.

Brian




Re: access list logging

2001-01-16 Thread suaveguru

I guess you need to define it explicitly in the access-list, as you need a
log keyword after each line of the access-list to log activity on the
access list.


suaveguru
--- Adam Wang <[EMAIL PROTECTED]> wrote:
> Hi all,
> 
> I want to build an access list on a cisco router
> that
> will log all the denied traffic to a file/server. 
> Can
> this be done on the implicit deny statement or I
> have
> to define the deny traffic.
> 
> Thanks
> 
> 
> 
> Adam
> 
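Both replies above end with the denied traffic arriving at a syslog server, which is where the work of reading it starts. As an added example (not code from either post), the following parses the messages IOS emits for access-list entries carrying the `log` keyword and totals the denied packets per source; the hostname, addresses and list number in the sample lines are constructed.

```python
"""Parse IOS access-list log messages and total denied packets per source.

Added example, not code from the thread. The sample syslog lines are
constructed (hostname, addresses, ACL number); the message formats are
the ones IOS emits for entries carrying the 'log' keyword.
"""
import re
from collections import Counter, defaultdict

# IPACCESSLOGP: tcp/udp with ports; IPACCESSLOGDP: icmp with (type/code);
# IPACCESSLOGNP: other protocols by number, no ports.
LOG_RE = re.compile(
    r"%SEC-6-IPACCESSLOG(?P<kind>P|DP|NP): list (?P<acl>\S+) "
    r"(?P<action>permitted|denied) (?P<proto>\S+) "
    r"(?P<src>\d+(?:\.\d+){3})(?:\((?P<sport>\d+)\))? -> "
    r"(?P<dst>\d+(?:\.\d+){3})(?:\((?P<dport>\d+)\))?"
    r"(?: \((?P<type>\d+)/(?P<code>\d+)\))?, (?P<count>\d+) packets?"
)

# Constructed sample. The first hit on an entry is logged at once as
# "1 packet"; later hits are summarised per 5-minute interval, so the
# counts have to be summed rather than the lines counted.
SAMPLE_LOG = """\
Jan 16 10:50:01 rtr1 101: %SEC-6-IPACCESSLOGP: list 150 denied tcp 203.0.113.7(40112) -> 192.0.2.10(23), 1 packet
Jan 16 10:50:02 rtr1 102: %SEC-6-IPACCESSLOGDP: list 150 denied icmp 203.0.113.7 -> 192.0.2.10 (8/0), 1 packet
Jan 16 10:50:09 rtr1 103: %SEC-6-IPACCESSLOGP: list 150 denied udp 198.51.100.20(53) -> 192.0.2.10(1024), 1 packet
Jan 16 10:55:01 rtr1 104: %SEC-6-IPACCESSLOGP: list 150 denied tcp 203.0.113.7(40112) -> 192.0.2.10(23), 37 packets
Jan 16 10:55:03 rtr1 105: %SEC-6-IPACCESSLOGNP: list 150 denied 47 198.51.100.20 -> 192.0.2.10, 3 packets
Jan 16 10:55:04 rtr1 106: %SYS-5-CONFIG_I: Configured from console by admin on vty0
Jan 16 10:56:00 rtr1 107: %SEC-6-IPACCESSLOGP: list 150 permitted tcp 198.51.100.9(51000) -> 192.0.2.10(80), 1 packet
"""


def parse_acl_log(text):
    """One dict per ACL log message; unrelated syslog lines are skipped."""
    events = []
    for line in text.splitlines():
        match = LOG_RE.search(line)
        if match:
            event = match.groupdict()
            event["count"] = int(event["count"])
            events.append(event)
    return events


def denied_by_source(events):
    """Denied packets per (acl, source), summed over the interval summaries."""
    totals = Counter()
    for event in events:
        if event["action"] == "denied":
            totals[(event["acl"], event["src"])] += event["count"]
    return totals


def denied_targets(events):
    """Distinct (proto, dst, dport or icmp type) each denied source hit."""
    targets = defaultdict(set)
    for event in events:
        if event["action"] == "denied":
            detail = event["dport"] or event["type"]
            targets[event["src"]].add((event["proto"], event["dst"], detail))
    return targets


EVENTS = parse_acl_log(SAMPLE_LOG)

if __name__ == "__main__":
    for (acl, src), count in denied_by_source(EVENTS).most_common():
        print(f"list {acl}: {src} denied {count} packets ->",
              sorted(denied_targets(EVENTS)[src], key=str))
```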



FW: access-list debugs

2001-01-19 Thread Chuck Larrieu


Interesting. If I have a named access-list, it would appear I cannot do a
debug

Debug ip packet ?
(1-199) access-list
(1300-2699) access list extended range
detail
(cr)


Chuck
http://www.1112.net/lastpage.html







RE: access-list debugs

2001-01-22 Thread Lou Nelson

Chuck..
HELP!!!
I believe I was reading on this list that when you do a debug IP
packet... in the later IOS releases it automatically changes from fast
switching to processor switching...  Now I am looking through the
archives... and can't find the messages.. so
1.  Do you remember the thread?
2.  Is it true?

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
Chuck Larrieu
Sent: Friday, January 19, 2001 11:29 AM
To: Cisco Mail List
Subject: FW: access-list debugs



Interesting. If I have a named access-list, it would appear I cannot do a
debug

Debug ip packet ?
(1-199) access-list
(1300-2699) access list extended range
detail
(cr)


Chuck
http://www.1112.net/lastpage.html







Re: access list command

2000-09-23 Thread Gabriel


"Hubert Pun" <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]...
> Hi
>
> what does the "access-list 100 permit ip host 0.0.0.0 host 0.0.0.0"
> applied to an interface do?

I can't think that it would do anything useful. The "host" keyword means
"match all bits", so the clause would only be applied to packets with a
source address *and* destination address of *exactly* 0.0.0.0, not to all
packets. And even if, for some ridiculous/impossible reason, you had
assigned a host the address 0.0.0.0, why would it be sending itself IP
packets, and why would those packets ever leave its NIC and hit the router?

My guess: Somebody saw that "host" is the same as "mask 0.0.0.0" and forgot
that that means *wildcard* mask, not *subnet* mask.


**NOTE: New CCNA/CCDA List has been formed. For more information go to
http://www.groupstudy.com/list/Associates.html
_
UPDATED Posting Guidelines: http://www.groupstudy.com/list/guide.html
FAQ, list archives, and subscription info: http://www.groupstudy.com
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]



Re: access list command

2000-09-25 Thread Donald B Johnson Jr

I think that would let all traffic through
Duck
- Original Message - 
From: Hubert Pun <[EMAIL PROTECTED]>
To: Cisco Study Group <[EMAIL PROTECTED]>
Sent: Monday, September 25, 2000 10:16 AM
Subject: access list command


> Hi
> 
> what does the "access-list 100 permit ip host 0.0.0.0 host 0.0.0.0"
> applied to an interface do?
> 
> Is it only permitting the default route going through ?
> 
> Thanks in advanced
> 
> Hubert
> 
> 



RE: access list command

2000-09-25 Thread Gyalokay, Kornel A

No gentlemen... that access list would actually deny everything by itself.
The reason for this is the semantic mistake in the statement.  You have
specified the key word host.  This means that it's going to permit your
packet if your host ip is 0.0.0.0 (will never happen) and only if it goes to
a destination box with the ip of 0.0.0.0 (which once again will never
happen).  Since the deny any any is an implicit statement no traffic would
cross that ACL.  Your initial statement may be re-written as follows:
"access-list 100 permit ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255".
Remember wild masks when using ACLs.  Had you specified the following:
"access-list 101 permit ip 0.0.0.0 0.0.0.0 any" then it would let everything
pass because the wild-mask encompasses the entire available IP.V4 network. 

Hope this cleared up some of the confusion.

-KSG (NP,DP,IE)

> -Original Message-
> From: Donald B Johnson Jr [SMTP:[EMAIL PROTECTED]]
> Sent: Monday, September 25, 2000 5:31 PM
> To:   Hubert Pun; Cisco Study Group
> Subject:  Re: access list command
> 
> I think that would let all traffic through
> Duck
> - Original Message - 
> From: Hubert Pun <[EMAIL PROTECTED]>
> To: Cisco Study Group <[EMAIL PROTECTED]>
> Sent: Monday, September 25, 2000 10:16 AM
> Subject: access list command
> 
> 
> > Hi
> > 
> > what does the "access-list 100 permit ip host 0.0.0.0 host 0.0.0.0"
> > applied to an interface do?
> > 
> > Is it only permitting the default route going through ?
> > 
> > Thanks in advanced
> > 
> > Hubert
> > 
> > 
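The replies in this thread disagree about what `access-list 100 permit ip host 0.0.0.0 host 0.0.0.0` lets through, and the difference comes down to reading the second number as a wildcard mask rather than a subnet mask. As an added example (not code from any post), the following parses the access-list forms quoted in the thread and runs constructed sample packets through them with first-match logic and the implicit deny; port qualifiers are not parsed.

```python
"""Evaluate the extended ACL forms argued over in this thread.

Added example, not from the thread: parses IOS 'access-list' lines with
any / host A / A WILDCARD address specs and applies first-match logic
with the implicit deny at the end. Port qualifiers are not parsed.
"""
import ipaddress

ALL_ONES = 0xFFFFFFFF


def to_int(dotted):
    return int(ipaddress.IPv4Address(dotted))


def parse_address(tokens):
    """Consume one address spec; return ((base, wildcard), rest)."""
    if tokens[0] == "any":                       # any == 0.0.0.0 255.255.255.255
        return (0, ALL_ONES), tokens[1:]
    if tokens[0] == "host":                      # host A == A 0.0.0.0
        return (to_int(tokens[1]), 0), tokens[2:]
    return (to_int(tokens[0]), to_int(tokens[1])), tokens[2:]


def parse_line(line):
    tokens = line.split()
    if len(tokens) < 6 or tokens[0] != "access-list":
        raise ValueError(f"not an extended access-list line: {line!r}")
    src, rest = parse_address(tokens[4:])
    dst, _ = parse_address(rest)
    return {"number": tokens[1], "action": tokens[2], "proto": tokens[3],
            "src": src, "dst": dst}


def matches(spec, addr):
    """Wildcard bit 0 = must match, 1 = don't care."""
    base, wildcard = spec
    return (to_int(addr) ^ base) & (wildcard ^ ALL_ONES) == 0


def evaluate(rules, proto, src, dst):
    """First matching rule decides; no match is the implicit deny ip any any."""
    for rule in rules:
        if (rule["proto"] in ("ip", proto)
                and matches(rule["src"], src) and matches(rule["dst"], dst)):
            return rule["action"]
    return "deny"


# The statement asked about: 'host' means wildcard 0.0.0.0, every bit must match.
ACL_HOST = [parse_line("access-list 100 permit ip host 0.0.0.0 host 0.0.0.0")]
# All-ones wildcards: every bit is don't-care, so this is 'permit ip any any'.
ACL_WILD = [parse_line(
    "access-list 100 permit ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255")]
# A 0.0.0.0 wildcard (not a subnet mask) is the same as 'host 0.0.0.0'.
ACL_ZERO = [parse_line("access-list 101 permit ip 0.0.0.0 0.0.0.0 any")]

# Constructed sample packets: (protocol, source, destination).
PACKETS = [
    ("tcp", "10.1.1.5", "192.168.5.10"),
    ("icmp", "172.16.0.9", "10.9.9.9"),
    ("udp", "0.0.0.0", "255.255.255.255"),   # DHCP discover from an unconfigured host
]


def permitted(rules):
    return [p for p in PACKETS if evaluate(rules, *p) == "permit"]


if __name__ == "__main__":
    for name, acl in (("host/host", ACL_HOST), ("all-ones", ACL_WILD),
                      ("0.0.0.0 0.0.0.0", ACL_ZERO)):
        print(f"{name}: permits {permitted(acl)}")
```

Only the all-ones form permits the sample packets; the `host 0.0.0.0` pair permits nothing, and `0.0.0.0 0.0.0.0 any` permits only packets whose source really is 0.0.0.0.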



Re: access list command

2000-09-25 Thread Team RouterGod

I'm not currently near any routers where I can test this, but my guess is it
will not let any traffic through.

"host" means a specific machine with the IP address of 0.0.0.0

I attended public schools so don't flame me if I'm wrong, but I think this
list is denying all packets without a 0.0.0.0 source address.



>
>
> > Hi
> >
> > what does the "access-list 100 permit ip host 0.0.0.0 host 0.0.0.0"
> > applied to an interface do?
> >
> > Is it only permitting the default route going through ?
> >
> > Thanks in advanced
> >
> > Hubert






Re: access list command

2000-09-25 Thread Rodgers Moore

How is the access list used?

access group?
route map?
distribute list?
filter list?

What it does depends on how it's used.  It could deny all traffic, deny all
route updates except the default route, or allow all routes except default
routes.

Before anyone questions that last one, a deny route map would reverse the
expected result.

Rodgers Moore


"Hubert Pun" <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]...
> Hi
>
> what does the "access-list 100 permit ip host 0.0.0.0 host 0.0.0.0"
> applied to an interface do?
>
> Is it only permitting the default route going through ?
>
> Thanks in advanced
>
> Hubert
>
>



Re: access list command

2000-09-25 Thread Martin-Guy Richard

Hi Group, is there some kind of Access-List How To somewhere that you can
refer me to?

And also, to the ones who helped me install BGP, it works like a charm.
Thank you for your advice!

MGR




RE: About access-list

2000-09-25 Thread Louie Belt

If you are trying to create an access-list that blocks incoming icmp (pings)
then you must allow icmp echo replies back in.  Are you sure you are not
sending pings out and they are simply not allowed to return?  Check that
first (with debugs on both ends).  Another possibility would be that you need
to include the "established" parameter in inbound lists.  Of course these
are just guesses since we do not have a copy of your access-list or its
stated intentions.

I know this answer sounds a bit cryptic, but it is intended to give you the
key words you need to look it up.

Louie

"Thinking is man's only basic virtue, from which all others proceed. And his
basic vice, the source of all his evils, is that nameless act which all of
you practice, but struggle never to admit... the refusal to think; not
blindness, but the refusal to see; not ignorance, but the refusal to know."
- John Galt




-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
Raymond Mak
Sent: Tuesday, September 26, 2000 1:42 PM
To: [EMAIL PROTECTED]
Subject: About access-list


Hi,

I am just a beginner. My question is: do I need to type any command to
"enable" the use of an ip extended access-list?
It is because when I add an ip access-group for a standard access-list on
an interface, it works with no side-effect. But when I add an extended
access-list on an interface, I cannot even ping out.

Thanks

Regards,
Raymond




Re: access list command

2000-09-26 Thread Jonathan Hays

Try this for a start.

http://www.cisco.com/univercd/cc/td/doc/product/software/ios120/12cgcr/np1_c/1cprt2/1cip.htm#xtocid1182915

Martin-Guy Richard wrote:
> 
> Hi Group, is there somekind of Access-List How To somewhere that you can
> refer me to?
> 
> And also, to the ones who helped me install BGP, it works like a charm.
> Thank you for your advice!
> 
> MGR
> 



Re: About access-list

2000-09-26 Thread Raymond Mak

Hi,

Once I apply the extended list on an interface for "IN" traffic, does it
implicitly block all incoming traffic on that interface?

I also want to know, for example.
access-list 110 permit tcp any any neq telnet

1. ip access-group 110 in
2. ip access-group 110 out

For 1, the source (any) would be the internal network and the destination
(any) would be outside.
For 2, is it that the source would be the outside network and the
destination the internal network?
Am I wrong with this kind of "point of view"?
Thanks

Raymond


Raymond Mak wrote:

> Hi,
>
> I am just a beginner. I have a question is that should I need to type
> any command to "enable" using ip extended access-list?
> It is because when I add an ip access-group for standard access-list on
> an interface, it works and no side-effect. But when I add an extended
> access-list on an interface,
> I even cannot ping out.
>
> Thanks
>
> Regards,
> Raymond
>



Re: About access-list

2000-09-27 Thread Neil Desai

You are correct in your assumptions. The only thing that you have to watch
out for is the "any" keyword. I usually filter the traffic for a particular
interface if possible. This way you can help prevent spoofing.
Neil
"Raymond Mak" <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]...
> Hi,
>
> Once I apply the extended list on an interface for "IN" traffic, is it
> implicitly block all incoming traffic on that interface?
>
> I also want to know, for example.
> access-list 110 permit tcp any any neq telnet
>
> 1. ip access-group 110 in
> 2. ip access-group 110 out
>
> For 1, the source (any) would be internal network, destination (any) would
> be outside.
> Is it, for 2, the source would be outside network, destination would be
> internal network?
> Am I wrong with this kind of "point of view"?
> Thanks
>
> Raymond
>
>
> Raymond Mak wrote:
>
> > Hi,
> >
> > I am just a beginner. I have a question is that should I need to type
> > any command to "enable" using ip extended access-list?
> > It is because when I add an ip access-group for standard access-list on
> > an interface, it works and no side-effect. But when I add an extended
> > access-list on an interface,
> > I even cannot ping out.
> >
> > Thanks
> >
> > Regards,
> > Raymond
> >



FW: About access-list

2000-09-27 Thread Abruzzese, John



-Original Message-
From: Abruzzese, John 
Sent: Wednesday, September 27, 2000 8:14 AM
To: Raymond Mak
Subject: RE: About access-list


When you apply an access-list to an interface, all traffic (for instance
in-bound) is blocked. After specifying the address(es) you wanted to filter,
did you end the ACL with "access-list 101 permit ip any any", in other
words at the very bottom, to allow all other in-bound traffic?

-Original Message-
From: Raymond Mak [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, September 27, 2000 12:19 PM
To: [EMAIL PROTECTED]
Subject: Re: About access-list


Hi,

Once I apply the extended list on an interface for "IN" traffic, does it
implicitly block all incoming traffic on that interface?

I also want to know, for example.
access-list 110 permit tcp any any neq telnet

1. ip access-group 110 in
2. ip access-group 110 out

For 1, the source (any) would be the internal network, and the destination (any) would
be outside.
For 2, would the source be the outside network, and the destination the
internal network?
Am I wrong with this kind of "point of view"?
Thanks

Raymond


Raymond Mak wrote:

> Hi,
>
> I am just a beginner. My question is: do I need to type
> any command to "enable" the use of IP extended access-lists?
> It is because when I add an ip access-group for a standard access-list on
> an interface, it works with no side effects. But when I add an extended
> access-list on an interface,
> I cannot even ping out.
>
> Thanks
>
> Regards,
> Raymond
>



Access-list and switching

2000-10-19 Thread Deloso, Elmer G (WPNSTA Yorktown)
Hi, group.
Is there a way to implement access-list type of security on a Catalyst 2924?
I know that to do Layer-3 switching will need at least the 4000 series.
Short of implementing a VLAN, is there a way I can tell the port or switch to
allow only certain IP addresses to go to certain servers connected to a specific
switch in the intranet? I would think that this is possible considering that these
switches are assigned an IP address.
NOTE: the CLSC book actually mentions that "LAN switches may use custom filters
to provide access control based on source/destination address, protocol type,
packet length..."

Please someone tell me what I'm missing.


Sincere thanks to the forum.
Elmer





Re: ********* Access List Enquiry **************

2000-10-30 Thread Tom Pruneau

I think it is the normal practice because historically that was the only
capability which routers had (filtering on destination ports) and as the
IOS became more capable people were either unsure, or reluctant to change
their ways. The second example is more secure, and to take it a step
further (towards tighter security) I would filter on established too (where
appropriate). The gt 1023 refers to the random high-numbered port that a
host assigns for the response to any packet sent to a well-known port.
Another observation of your example is that you are filtering on TCP port
53. TCP port 53 is only used for zone transfers between a secondary and a
primary DNS server. Normal lookups, the type done by the majority of hosts
on the net, use UDP port 53.

Tom


At 10:28 PM 10/30/2000 +0800, GNOME wrote:
>Hi All
>
>Which one of the access-list is normally use?
>
>Example 1
>---
>access-list 102 permit tcp any host 172.16.0.1 eq 80
>access-list 102 permit tcp any host 172.16.0.1 eq 53
>
>
>Example 2
>---
>access-list 102 permit tcp any gt 1023 host 172.16.0.1 eq 80
>access-list 102 permit tcp any gt 1023 host 172.16.0.1 eq 53
>(notice the gt 1023)
>
>I saw from most of the books that Example 1 is common. I don't know what is
>the normal practice generally
>Appreciate if anyone can share with me his/her comments. Thanks alot
>
>Regards
>Orion
>[EMAIL PROTECTED]
>
>
>
>
>_
>FAQ, list archives, and subscription info:
http://www.groupstudy.com/list/cisco.html
>Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
>
>
Tom Pruneau 
Trainer Network Operations
GENUITY
3 Van de Graff Drive Burlington Ma. 01803
24 Hr. Network Operations Center 800-436-8489
If you need to get a hold of me my hours are 7AM-3PM ET Mon-Fri

---
This email is composed of 82% post consumer recycled data bits
---

"Once in a while you get shown the light 
in the strangest of places if you look at it right"

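Two things on this page come down to how IOS matches an extended ACL entry: Raymond's list in the "About access-list" thread above, which stopped ping, and the gt 1023 / established discussion here. The following Python model is an added example, not code from the list or from Cisco. It implements first match with the implicit deny, the eq/neq/gt/lt port operators (TCP and UDP only), and `established` as a check on the ACK or RST flag bits, which is all that keyword tests. The ACL text and packets are constructed for the example; 172.16.0.1 is the server from the post, while 10.0.0.5, 192.0.2.1 and 198.51.100.7 are made-up addresses.

```python
"""Model of Cisco IOS extended ACL matching (added example, not from the thread)."""
import ipaddress
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple

PORT_NAMES = {"ftp-data": 20, "ftp": 21, "telnet": 23, "smtp": 25, "domain": 53, "www": 80}
OPS = {"eq": lambda p, v: p == v, "neq": lambda p, v: p != v,
       "gt": lambda p, v: p > v, "lt": lambda p, v: p < v}
ANY = (0, 0xFFFFFFFF)  # network 0.0.0.0, wildcard 255.255.255.255
AddrSpec = Tuple[int, int]            # (network, wildcard) as integers
PortSpec = Optional[Tuple[str, int]]  # (operator, port) or None for "any port"

@dataclass
class Entry:
    action: str        # "permit" or "deny"
    proto: str         # "ip", "tcp", "udp" or "icmp"
    src: AddrSpec
    sport: PortSpec
    dst: AddrSpec
    dport: PortSpec
    established: bool  # IOS: matches if the ACK or RST bit is set; no state is kept

@dataclass
class Packet:
    proto: str
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    flags: FrozenSet[str] = frozenset()  # TCP flag names, e.g. {"SYN"} or {"ACK"}

def _ip(text: str) -> int:
    return int(ipaddress.IPv4Address(text))

def _addr(tokens: List[str]) -> Tuple[AddrSpec, List[str]]:
    """Consume `any`, `host A.B.C.D` or `A.B.C.D W.W.W.W`; return spec and the rest."""
    if tokens[0] == "any":
        return ANY, tokens[1:]
    if tokens[0] == "host":
        return (_ip(tokens[1]), 0), tokens[2:]
    return (_ip(tokens[0]), _ip(tokens[1])), tokens[2:]

def _portop(tokens: List[str]) -> Tuple[PortSpec, List[str]]:
    """Consume an optional `eq|neq|gt|lt <port>` (number or well-known name)."""
    if tokens and tokens[0] in OPS:
        port = int(tokens[1]) if tokens[1].isdigit() else PORT_NAMES[tokens[1]]
        return (tokens[0], port), tokens[2:]
    return None, tokens

def parse_entry(line: str) -> Entry:
    """Parse `access-list N permit|deny proto src [op port] dst [op port] [established] [log]`."""
    t = line.split()
    action, proto, rest = t[2], t[3], t[4:]
    src, rest = _addr(rest)
    sport, rest = _portop(rest) if proto in ("tcp", "udp") else (None, rest)
    dst, rest = _addr(rest)
    dport, rest = _portop(rest) if proto in ("tcp", "udp") else (None, rest)
    return Entry(action, proto, src, sport, dst, dport, "established" in rest)

def _addr_match(spec: AddrSpec, ip: str) -> bool:
    net, wild = spec
    care = 0xFFFFFFFF ^ wild  # a 1 bit in the wildcard means "don't care"
    return (_ip(ip) & care) == (net & care)

def _port_match(spec: PortSpec, port: int) -> bool:
    return spec is None or OPS[spec[0]](port, spec[1])

def entry_matches(e: Entry, p: Packet) -> bool:
    if e.proto != "ip" and e.proto != p.proto:
        return False
    if not (_addr_match(e.src, p.src) and _addr_match(e.dst, p.dst)):
        return False
    if e.proto in ("tcp", "udp") and not (_port_match(e.sport, p.sport)
                                          and _port_match(e.dport, p.dport)):
        return False
    return not e.established or bool(p.flags & {"ACK", "RST"})

def evaluate(acl: List[str], packet: Packet) -> Tuple[str, int]:
    """First match wins; ("deny", 0) is the implicit deny at the end of every ACL."""
    for n, line in enumerate(acl, 1):
        entry = parse_entry(line)
        if entry_matches(entry, packet):
            return entry.action, n
    return "deny", 0

# Constructed sample lists and packets (172.16.0.1 is from the post; the rest are made up).
ACL_110 = ["access-list 110 permit tcp any any neq telnet"]
ACL_110_WITH_CATCHALL = ACL_110 + ["access-list 110 permit ip any any"]
EXAMPLE_1 = ["access-list 102 permit tcp any host 172.16.0.1 eq 80"]
EXAMPLE_2 = ["access-list 102 permit tcp any gt 1023 host 172.16.0.1 eq 80"]
RETURN_TRAFFIC = ["access-list 103 permit tcp any eq 80 any gt 1023 established"]

PING = Packet("icmp", "10.0.0.5", "192.0.2.1")
TELNET = Packet("tcp", "10.0.0.5", "192.0.2.1", 40000, 23, frozenset({"SYN"}))
WEB_FROM_PORT_80 = Packet("tcp", "198.51.100.7", "172.16.0.1", 80, 80, frozenset({"SYN"}))
BARE_ACK = Packet("tcp", "198.51.100.7", "10.0.0.5", 80, 40000, frozenset({"ACK"}))
SYN_FROM_80 = Packet("tcp", "198.51.100.7", "10.0.0.5", 80, 40000, frozenset({"SYN"}))

if __name__ == "__main__":
    for acl, pkt in [(ACL_110, PING), (ACL_110_WITH_CATCHALL, TELNET),
                     (EXAMPLE_2, WEB_FROM_PORT_80), (RETURN_TRAFFIC, BARE_ACK)]:
        print(pkt.proto, pkt.sport, "->", pkt.dport, sorted(pkt.flags), evaluate(acl, pkt))
```

Running it shows why Raymond's list blocked ping: the only entry is TCP-specific, so ICMP falls through to the implicit deny. It also shows that `permit tcp any any neq telnet` followed by `permit ip any any` never denies telnet, because nothing matches telnet before the catch-all; blocking it needs an explicit deny ahead of that line. Example 2 from this thread rejects a connection sourced from port 80, which Example 1 accepts. And `established` passes a bare ACK from port 80 that no handshake preceded, since the keyword checks flag bits rather than connection state.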



Re: ********* Access List Enquiry **************

2000-10-30 Thread Brian


Example 1 is most common.  Example 2 is a little more
picky.  Realistically a connection that is sourced to web or DNS should
originate on a non-privileged port (>=1024) so this just makes sure of
that.  I don't go through that kind of intensiveness in my ACLs... I
feel that checking the destination port/address is good enough.

Brian


On Mon, 30 Oct 2000, GNOME wrote:

> Hi All
> 
> Which one of the access-list is normally use?
> 
> Example 1
> ---
> access-list 102 permit tcp any host 172.16.0.1 eq 80
> access-list 102 permit tcp any host 172.16.0.1 eq 53
> 
> 
> Example 2
> ---
> access-list 102 permit tcp any gt 1023 host 172.16.0.1 eq 80
> access-list 102 permit tcp any gt 1023 host 172.16.0.1 eq 53
> (notice the gt 1023)
> 
> I saw from most of the books that Example 1 is common. I don't know what is
> the normal practice generally
> Appreciate if anyone can share with me his/her comments. Thanks alot
> 
> Regards
> Orion
> [EMAIL PROTECTED]
> 
> 
> 
> 

---
Brian Feeny, CCNP, CCDP   [EMAIL PROTECTED]   
Network Administrator 
ShreveNet Inc. (ASN 11881)




Re: ********* Access List Enquiry **************

2000-10-30 Thread Sam LI




Well,
In any circumstance, whatever device generates traffic to any target,
this device will use a port number greater than 1023 as the "from port #" and
the "destination port #" will be specific, like "80" or "53" etc...
When the target device receives this packet, it will swap the "from port #"
and the "destination port #" and vice versa,
so example 1 and example 2 are exactly the same. As far as your example is
concerned, your access list is for incoming traffic.

Sam Li
=
GNOME <[EMAIL PROTECTED]> wrote in message news:8tk0jn$e29$[EMAIL PROTECTED]...
> Hi All
>
> Which one of the access-list is normally use?
>
> Example 1
> ---
> access-list 102 permit tcp any host 172.16.0.1 eq 80
> access-list 102 permit tcp any host 172.16.0.1 eq 53
>
>
> Example 2
> ---
> access-list 102 permit tcp any gt 1023 host 172.16.0.1 eq 80
> access-list 102 permit tcp any gt 1023 host 172.16.0.1 eq 53
> (notice the gt 1023)
>
> I saw from most of the books that Example 1 is common. I don't know what is
> the normal practice generally
> Appreciate if anyone can share with me his/her comments. Thanks alot
>
> Regards
> Orion
> [EMAIL PROTECTED]


RE: ********* Access List Enquiry **************

2000-10-30 Thread Lou Nelson

Tom,
great answer but I think you will find that TCP 53 is used for large lookups
and some tools that do lookups.  Generally as you say TCP 53 is zone...
but NOT always.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
Tom Pruneau
Sent: Sunday, January 20, 1980 9:26 PM
To: GNOME; [EMAIL PROTECTED]
Subject: Re: * Access List Enquiry **


I think it is the normal practice because historically that was the only
capability which routers had (filtering on destination ports) and as the
IOS became more capable people were either unsure, or reluctant to change
their ways. The second example is more secure, and to take it a step
further (towards tighter security) I would filter on established too (where
appropriate). The gt 1023 refers to the random high-numbered port that a
host assigns for the response to any packet sent to a well-known port.
Another observation of your example is that you are filtering on TCP port
53. TCP port 53 is only used for zone transfers between a secondary and a
primary DNS server. Normal lookups, the type done by the majority of hosts
on the net, use UDP port 53.

Tom


At 10:28 PM 10/30/2000 +0800, GNOME wrote:
>Hi All
>
>Which one of the access-list is normally use?
>
>Example 1
>---
>access-list 102 permit tcp any host 172.16.0.1 eq 80
>access-list 102 permit tcp any host 172.16.0.1 eq 53
>
>
>Example 2
>---
>access-list 102 permit tcp any gt 1023 host 172.16.0.1 eq 80
>access-list 102 permit tcp any gt 1023 host 172.16.0.1 eq 53
>(notice the gt 1023)
>
>I saw from most of the books that Example 1 is common. I don't know what is
>the normal practice generally
>Appreciate if anyone can share with me his/her comments. Thanks alot
>
>Regards
>Orion
>[EMAIL PROTECTED]
>
>
>
>
>
>
Tom Pruneau
Trainer Network Operations
GENUITY
3 Van de Graff Drive Burlington Ma. 01803
24 Hr. Network Operations Center 800-436-8489
If you need to get a hold of me my hours are 7AM-3PM ET Mon-Fri

---
This email is composed of 82% post consumer recycled data bits
---

"Once in a while you get shown the light
in the strangest of places if you look at it right"




DNS and access-list

2000-11-01 Thread SH Wesson

I want to allow a particular server to do DNS queries such that when they
type www.cisco.com or something like that, it will go to the specified DNS
server and find the IP address.  I have an access list allowing port 53 for
tcp and udp and it doesn't work.  Can anyone help?  Thanks.



Re: ISIS access list?

2000-11-15 Thread Peter Van Oene

I believe you made the point, but can you confirm that you're routing CLNS with your
IS-IS config?  And if so, are you looking to block the CLNP routes from the other
routers, or all interface(s) on each router?  Can you clarify?  There also seems to
be some dual ISIS going on (router A? B?) Thanks

Pete




*** REPLY SEPARATOR  ***

On 11/15/2000 at 3:22 PM McCallum, Robert wrote:

>Hellooo,
>
>Me again with the 'orrible ISIS questions.  Here goes.
>
>Scenario is as below.
>
>
>ROUTER A --- ROUTER B -- ROUTER C --- ROUTER D  ROUTER E
>- ROUTER F
>
>O.k. All routers are level 2 only i.e. all in different domains / areas.
>What I require is for Router C to be able to see D, E & F but not Router B
>and A.
>I need Router A & B to be able to see the full network.
>
>Oh Router C, D, E & F only run CLNS.
>
>My guess is to put an outbound access list of some sort onto Router B.  BUT
>What type of access list.  Is it a protocol type list?  If so what protocol
>number should I use. 
>
>I have tried various i.e. Make Router C a level 1 router --- result --- no
>adjacency formed = no clns routes.  Passive interface on Router B's
>connection = no adjacency formed = no clns routes.
>
>Any help, ideas would be most welcome.  
>



Access-list [7:9292]

2001-06-20 Thread Ednilson Rosa

Hi Folks,

I have a doubt about access-lists. I have the following topology:

  Router A
  Ethernet 0
  10.0.0.1
|
|
  10.0.0.2
  FastEth0
  Router B
  Serial 0.1
192.168.1.1
|
|
 192.168.1.2
  Serial 0.1
  Router C

I wanted to block telnet TO and FROM network 10.0.0.0. I created an
access-list as follows:

ip access-list extended LAN
  deny   tcp any any eq telnet
  permit ip any any

Applied it to Router B on Fast Ethernet 0 interface this way:

interface FastEthernet0
  ip access-group LAN in
  ip access-group LAN out

Doing this I really blocked telnet from network 10.0.0.0 to routers B and C.
I also blocked router C from telnetting to router A (or any other host on
network 10.0.0.0). But, surprisingly to me, I'm still able to telnet to Router
A from Router B!

My question is: since I blocked telnet traffic on the interface Fast
Ethernet 0 on router B for inbound and outbound, shouldn't this block my
telnets from B to A? What is missing here?

Thanks in advance!

Ednilson Rosa
CCNA




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=9292&t=9292



access list.. [7:13564]

2001-07-24 Thread Farhan Ahmed

What mask would be used if you want to create an
access list where the IP addresses (128.252.0.0 to
128.252.240.0) would be blocked?
Please support with an explanation.




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=13564&t=13564



access-list [7:17097]

2001-08-23 Thread kaushalenders

hi,
I have made an access list to restrict telnet on my router from other
networks, but when I implemented it on the vty it was not working. Please help.
The access-list was
access-list 55 permit 202.157.78.0 0.0.0.128
line vty 0 4
access-class 55 in

but it restricted the whole network




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=17097&t=17097



access-list [7:17291]

2001-08-25 Thread kaushalenders

hi,
I have made an access list to restrict telnet on my router from other
networks, but when I implemented it on the vty it was not working. Please help.
The access-list was
access-list 55 permit 202.157.78.0 0.0.0.128
line vty 0 4
access-class 55 in

I just want 202.157.78.0 to .128 to be able to telnet to my router;
nothing other than that should be allowed to telnet to my router.

thanx
kaushalender




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=17291&t=17291
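Both wildcard-mask questions on this page (this one, and the 128.252.0.0 to 128.252.240.0 range asked about above) come down to the same rule: a 1 bit in the wildcard is ignored, a 0 bit must match. The following Python helpers are an added example, not from the list. They test an address against a `network wildcard` pair, split a range into the aligned blocks a wildcard can express exactly, and compute the single entry that covers a range when one line is wanted even if it over-matches. The 128.252 range is read here as third octet 0 through 240, that is 128.252.0.0 through 128.252.240.255 (an assumption about the question); the host list is constructed.

```python
"""Wildcard-mask arithmetic for Cisco ACL address specs (added example, not from the thread)."""
import ipaddress
from typing import List, Tuple

def _ip(text: str) -> int:
    return int(ipaddress.IPv4Address(text))

def _str(value: int) -> str:
    return str(ipaddress.IPv4Address(value))

def wildcard_matches(network: str, wildcard: str, address: str) -> bool:
    """IOS semantics: bits that are 1 in the wildcard are ignored, all others must be equal."""
    care = 0xFFFFFFFF ^ _ip(wildcard)
    return (_ip(address) & care) == (_ip(network) & care)

def matched(network: str, wildcard: str, candidates: List[str]) -> List[str]:
    return [a for a in candidates if wildcard_matches(network, wildcard, a)]

def range_to_wildcards(first: str, last: str) -> List[Tuple[str, str]]:
    """Split an inclusive address range into the fewest aligned (network, wildcard) blocks.

    Greedy, as for CIDR summarisation: from the current address take the largest
    power-of-two block that is aligned there and does not run past `last`.
    """
    cur, end = _ip(first), _ip(last)
    blocks = []
    while cur <= end:
        size = 1
        while cur % (size * 2) == 0 and cur + size * 2 - 1 <= end:
            size *= 2
        blocks.append((_str(cur), _str(size - 1)))  # wildcard = block size - 1
        cur += size
    return blocks

def smallest_covering_wildcard(first: str, last: str) -> Tuple[str, str]:
    """One (network, wildcard) entry that covers the whole range; may match extra addresses."""
    a, b = _ip(first), _ip(last)
    wild = (1 << (a ^ b).bit_length()) - 1  # ignore every bit below the highest differing one
    return _str(a & (0xFFFFFFFF ^ wild)), _str(wild)

# Constructed sample hosts on the poster's network.
HOSTS = ["202.157.78.0", "202.157.78.5", "202.157.78.127", "202.157.78.128", "202.157.78.200"]

if __name__ == "__main__":
    print(matched("202.157.78.0", "0.0.0.128", HOSTS))  # only .0 and .128
    print(matched("202.157.78.0", "0.0.0.127", HOSTS))  # .0 through .127
    for net, wild in range_to_wildcards("128.252.0.0", "128.252.240.255"):
        print(f"access-list 10 deny {net} {wild}")
    print(smallest_covering_wildcard("128.252.0.0", "128.252.240.255"))
```

The output makes the vty problem visible: 0.0.0.128 ignores only bit 7 of the last octet, so `202.157.78.0 0.0.0.128` matches just .0 and .128 and everything else on the subnet hits the implicit deny of the access-class. The contiguous mask for .0 through .127 is 0.0.0.127. The 128.252 range cannot be expressed as one aligned block, so `range_to_wildcards` returns five entries (0.0.127.255, 0.0.63.255, 0.0.31.255, 0.0.15.255 and 0.0.0.255), and the single covering entry 128.252.0.0 0.0.255.255 also blocks 128.252.241.0 through 128.252.255.255.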



Access-list [7:28188]

2001-12-05 Thread Ramesh c

Folx,

A) I have 2 networks connected by a router. I apply an access-group for both in
and out on the interface.

Is my assumption correct?

1) The access list for "in" would be processed when the packet leaves that
interface to the different network?

2) The access list for "out" would be processed when the packet arrives from
the different network?

But in the case of the PIX, why is there only "in"?

cheers




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=28188&t=28188



Re: SMTP access list

2000-07-15 Thread D. J. Jones



I think you need to have the 3rd line because if you do not,
then all other traffic will be denied.

"Shahir Boshra" <[EMAIL PROTECTED]> wrote in message news:8khoes$ch4$[EMAIL PROTECTED]...

> Elmer,
>
> The router applies the first match and neglects the remaining lines.
> i.e. in your example, only traffic from the 3 mentioned sources & carrying
> smtp will be allowed. Note that the last 2 lines are unnecessary, as the
> implicit deny any will apply in all cases.
> To make it clearer, suppose we have something like:
>
> access-list 176 permit tcp 193.128.233.177 0.0.0.0 any eq smtp log
> access-list 176 deny tcp 193.128.233.177 0.0.0.0 any eq smtp
> access-list 176 permit ip any any
>
> The smtp traffic from the mentioned host will be permitted although it's
> denied in the second line.
>
> I hope this helps.
>
> Regards,
> Shahir Boshra
> Telecommunications Specialist
> USAID - Egypt
>
> "Deloso, Elmer G." <[EMAIL PROTECTED]> wrote in message news:[EMAIL PROTECTED]...
>
> > Hi, all. Just to verify my understanding of extended access-lists: does
> > this continue to parse the entries even after a match has already been
> > found, so if the first few lines have a "permit" and later down the last
> > few lines it encounters a "deny", what does the router do?
> > Example:
> > access-list 176 permit tcp 193.128.233.177 0.0.0.0 any eq smtp log
> > access-list 176 permit tcp 203.23.83.180 0.0.0.0 any eq smtp log
> > access-list 176 permit tcp 203.35.182.133 0.0.0.0 any eq smtp log
> > . . . .
> > access-list 176 deny ip 193.0.0.0 0.255.255.255 any log
> > access-list 176 deny ip 203.0.0.0 0.255.255.255 any log
> > Any help would be greatly appreciated.
> >
> > Elmer Deloso
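Shahir's first-match point can be checked mechanically rather than by eye. The following Python linter is an added example, not from the thread: it flags an entry that an earlier entry with the other action already fully covers (shadowed), an entry fully covered by an earlier entry with the same action (redundant), and a deny with no permit after it, which only repeats the implicit deny except for its `log`. Rules are given as structured values rather than parsed from IOS syntax, port matching is limited to `eq` on the destination, and the two lists are transcribed from the post with Elmer's elided lines left out.

```python
"""Find shadowed and no-op entries in an ordered Cisco ACL (added example, not from the thread)."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

AddrSpec = Tuple[int, int]  # (network, wildcard) as integers
ANY: AddrSpec = (0, 0xFFFFFFFF)

def host(text: str) -> AddrSpec:
    return int(ipaddress.IPv4Address(text)), 0

def block(network: str, wildcard: str) -> AddrSpec:
    return int(ipaddress.IPv4Address(network)), int(ipaddress.IPv4Address(wildcard))

@dataclass(frozen=True)
class Rule:
    action: str                  # "permit" or "deny"
    proto: str                   # "ip", "tcp" or "udp"
    src: AddrSpec
    dst: AddrSpec
    dport: Optional[int] = None  # `eq <port>` on the destination; None means any port
    log: bool = False

def addr_covers(outer: AddrSpec, inner: AddrSpec) -> bool:
    """True if every address matched by `inner` is also matched by `outer`.

    Exact for any wildcard, contiguous or not: each bit that `outer` checks must be
    a bit that `inner` fixes, and fixed to the same value.
    """
    onet, owild = outer
    inet, iwild = inner
    care = 0xFFFFFFFF ^ owild
    return (iwild & care) == 0 and ((inet ^ onet) & care) == 0

def rule_covers(outer: Rule, inner: Rule) -> bool:
    if outer.proto != "ip" and outer.proto != inner.proto:
        return False
    if outer.dport is not None and outer.dport != inner.dport:
        return False
    return addr_covers(outer.src, inner.src) and addr_covers(outer.dst, inner.dst)

def lint(rules: List[Rule]) -> List[Tuple[int, str]]:
    """Return (1-based line, message) for entries that can never change the outcome."""
    findings = []
    for i, rule in enumerate(rules):
        earlier = next((j for j in range(i) if rule_covers(rules[j], rule)), None)
        if earlier is not None:
            kind = "shadowed" if rules[earlier].action != rule.action else "redundant"
            findings.append((i + 1, f"{kind}: line {earlier + 1} already matches everything it matches"))
        elif rule.action == "deny" and not any(r.action == "permit" for r in rules[i + 1:]):
            note = "deny with no later permit: the implicit deny would drop this traffic anyway"
            findings.append((i + 1, note + (" (kept only for its log)" if rule.log else "")))
    return findings

# Transcribed from the two lists in the post; Elmer's elided lines are omitted.
SHAHIR = [
    Rule("permit", "tcp", host("193.128.233.177"), ANY, 25, log=True),
    Rule("deny",   "tcp", host("193.128.233.177"), ANY, 25),
    Rule("permit", "ip",  ANY, ANY),
]
ELMER = [
    Rule("permit", "tcp", host("193.128.233.177"), ANY, 25, log=True),
    Rule("permit", "tcp", host("203.23.83.180"),   ANY, 25, log=True),
    Rule("permit", "tcp", host("203.35.182.133"),  ANY, 25, log=True),
    Rule("deny",   "ip",  block("193.0.0.0", "0.255.255.255"), ANY, log=True),
    Rule("deny",   "ip",  block("203.0.0.0", "0.255.255.255"), ANY, log=True),
]

if __name__ == "__main__":
    for name, acl in (("Shahir", SHAHIR), ("Elmer", ELMER)):
        for line, msg in lint(acl):
            print(f"{name} line {line}: {msg}")
```

On Shahir's list the linter reports line 2 as shadowed by line 1, which is exactly the behaviour he describes. On Elmer's list the two trailing denies are reported as adding nothing beyond their `log`, matching the observation that the implicit deny would drop that traffic anyway. The coverage test is on rule sets, not on a sample packet, so it finds the dead entry regardless of which addresses happen to be tested.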



Re: Access List Question

2000-07-16 Thread Raymond Everson (Rainman)

I'm sorry Mohamed, I have to disagree that this is not possible with Cisco
IOS.
All of the advice I've seen so far is true to Standard & Extended ACL's.
BUT,
with Named Access Lists (=/> IOS 11.2) you can dynamically change the list,
but you must disable the ACL wherever it's applied, and re-enable it after
the
change (personal experience).

Named Access List Example

The following configuration creates a standard access list named
Internet_filter and an extended access list named
marketing_group:

interface Ethernet 1
 ip address 2.0.5.1 255.255.255.0
 ip access-group Internet_filter out
 ip access-group marketing_group in
...
ip access-list standard Internet_filter
 permit 1.2.3.4
 deny any
ip access-list extended marketing_group
 permit tcp any 171.69.0.0 0.0.255.255 eq telnet
 deny tcp any any
 permit icmp any any
 deny udp any 171.69.0.0 0.0.255.255 lt 1024
 deny ip any any log


... I will say that I never say (yeesh, what a sentence!) NEVER so, I
could be just as wrong as right!

R/
Rainman

Mohamed Abubakkar Siddiqu wrote:

> It is not possible in Cisco.
>
> But one stupid idea.
>
> You just transfer the configuration to a TFTP server.
> Edit the configuration and transfer it back.
>
> regards
> siddiqu .T
>
> --
> T. Mohamed Abubakkar Siddiqu CCNA
>
>  "Scott M. Trieste" <[EMAIL PROTECTED]> wrote:
> > Is there any way to remove a specific line from an access list without
> > erasing the entire thing?  Thanks in advance.
> >
> > Best Regards,
> >
> > Scott M. Trieste
> >
> >



VTY Access List Control

2000-07-16 Thread m. jean stockton



I am not sure about the correct commands for vty access control.  Is the following
command correct to permit any device from network 192.88.54.0 to establish a
virtual terminal session with the router?

line vty 0 4
access-list 12 permit 192.88.54.0  0.0.0.255


line vty 0 4
access-class 12 in


thanks


mjs

