RE: access list question

deny should come before permit. Also, to deny ftp, not only must you block port 20 but also port 21 (ftp-data).

Jason Yee

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Sisqo
Sent: Tuesday, November 14, 2000 11:08 AM
To: [EMAIL PROTECTED]
Subject: access list question

Access-list 101 permit ip any any
Access-list 101 deny tcp any any eq ftp

Why did the above list FAIL to prevent FTP?

FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
Re: access list question

----- Original Message -----
From: A. Geoffrey Cauchi

> Access-lists are sequential, use deny before permit!!

Well, not exactly. I would re-phrase this and say, "Put more specific before less specific."

Let's say I want to permit host 1.2.3.4/24, and deny the rest of the subnet 1.2.3.0/24. If I stuck to putting deny before permit, my host wouldn't get through. However, if I stick to putting more specific before less specific, my host gets through, and all others get blocked.

-BJ
Re: access list question

Access-lists are sequential, use deny before permit!! Furthermore, you have to apply them to the relevant interface from where the requests are coming.

Geoff

----- Original Message -----
From: "Sisqo" <[EMAIL PROTECTED]>
Newsgroups: groupstudy.cisco
To: <[EMAIL PROTECTED]>
Sent: Tuesday, November 14, 2000 4:08 AM
Subject: access list question

> Access-list 101 permit ip any any
> Access-list 101 deny tcp any any eq ftp
>
> Why did the above list FAIL to prevent FTP?
Re: access list question

remember a successful connection requires both ftp and ftp-data to be allowed thru..

Bri

On Mon, 13 Nov 2000, Brian wrote:

> Access lists are only parsed until a match is made. The first line will
> match ftp, as well as all other tcp/ip traffic. You need to reverse the
> order of your lines:
>
> Access-list 101 deny tcp any any eq ftp
> Access-list 101 permit ip any any
>
> brian
>
> On Mon, 13 Nov 2000, Sisqo wrote:
>
> > Access-list 101 permit ip any any
> > Access-list 101 deny tcp any any eq ftp
> >
> > Why did the above list FAIL to prevent FTP?
>
> ---
> Brian Feeny, CCNP, CCDP [EMAIL PROTECTED]
> Network Administrator
> ShreveNet Inc. (ASN 11881)
RE: access list question

thanks jason and chuck, for reminding us to think of the order of processing in access-list...

lawrence

>From: Jason Baker <[EMAIL PROTECTED]>
>Reply-To: Jason Baker <[EMAIL PROTECTED]>
>To: "'Sisqo'" <[EMAIL PROTECTED]>, [EMAIL PROTECTED]
>Subject: RE: access list question
>Date: Tue, 14 Nov 2000 16:20:05 +1100
>
>try reversing the accesslist :).. in access lists if it matches
>the rule then it is processed and no more processing..
>line 2 becomes line 1, and line 1 becomes line 2.. try it out :)
>
>your first line says permit all ip... which includes FTP :).
>
>Regards,
>
>Jason Baker
>Network Engineer
>MCSE, CCNA,
>
>-----Original Message-----
>From: Sisqo [mailto:[EMAIL PROTECTED]]
>Sent: Tuesday, November 14, 2000 2:08 PM
>To: [EMAIL PROTECTED]
>Subject: access list question
>
>Access-list 101 permit ip any any
>Access-list 101 deny tcp any any eq ftp
>
>Why did the above list FAIL to prevent FTP?
RE: access list question

try reversing the accesslist :).. in access lists if it matches the rule then it is processed and no more processing.. line 2 becomes line 1, and line 1 becomes line 2.. try it out :)

your first line says permit all ip... which includes FTP :).

Regards,

Jason Baker
Network Engineer
MCSE, CCNA,

-----Original Message-----
From: Sisqo [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, November 14, 2000 2:08 PM
To: [EMAIL PROTECTED]
Subject: access list question

Access-list 101 permit ip any any
Access-list 101 deny tcp any any eq ftp

Why did the above list FAIL to prevent FTP?
Re: access list question

Access lists are only parsed until a match is made. The first line will match ftp, as well as all other tcp/ip traffic. You need to reverse the order of your lines:

Access-list 101 deny tcp any any eq ftp
Access-list 101 permit ip any any

brian

On Mon, 13 Nov 2000, Sisqo wrote:

> Access-list 101 permit ip any any
> Access-list 101 deny tcp any any eq ftp
>
> Why did the above list FAIL to prevent FTP?

---
Brian Feeny, CCNP, CCDP [EMAIL PROTECTED]
Network Administrator
ShreveNet Inc. (ASN 11881)
Re: access list question

at what layer does the second line work, as opposed to the first line? therein lies your answer

Chuck

"Sisqo" <[EMAIL PROTECTED]> wrote in message news:8uq9lf$75v$[EMAIL PROTECTED]...

> Access-list 101 permit ip any any
> Access-list 101 deny tcp any any eq ftp
>
> Why did the above list FAIL to prevent FTP?