Re: SMTP access list
I think you need to have the 3rd line because if you do not, then all other traffic will be denied.

"Shahir Boshra" [EMAIL PROTECTED] wrote in message news:8khoes$ch4$[EMAIL PROTECTED]...

> Elmer,
>
> The router applies the first match and neglects the remaining lines. i.e. in your example, only any traffic from the 3 mentioned sources carrying smtp will be allowed. Note that the last 2 lines are unnecessary, as the implicit deny any will apply in all cases.
>
> To make it clearer, suppose we have something like:
>
>     access-list 176 permit tcp 193.128.233.177 0.0.0.0 any eq smtp log
>     access-list 176 deny tcp 193.128.233.177 0.0.0.0 any eq smtp
>     access-list 176 permit ip any any
>
> The smtp traffic from the mentioned host will be permitted although it's denied in the second line.
>
> I hope this helps.
>
> Regards,
> Shahir Boshra
> Telecommunications Specialist
> USAID - Egypt
>
> "Deloso, Elmer G." [EMAIL PROTECTED] wrote in message news:[EMAIL PROTECTED]...
>
> > Hi, all.
> >
> > Just to verify my understanding of extended access-lists: this continues to parse the entries even after a match has already been found, so if the first few lines have a "permit" and later down the last few lines it encounters a "deny", what does the router do?
> >
> > Example:
> >
> >     access-list 176 permit tcp 193.128.233.177 0.0.0.0 any eq smtp log
> >     access-list 176 permit tcp 203.23.83.180 0.0.0.0 any eq smtp log
> >     access-list 176 permit tcp 203.35.182.133 0.0.0.0 any eq smtp log
> >     . . . .
> >     access-list 176 deny ip 193.0.0.0 0.255.255.255 any log
> >     access-list 176 deny ip 203.0.0.0 0.255.255.255 any log
> >
> > Any help would be greatly appreciated.
> >
> > Elmer Deloso
Re: SMTP access list
Elmer,

The router applies the first match and neglects the remaining lines. i.e. in your example, only any traffic from the 3 mentioned sources carrying smtp will be allowed. Note that the last 2 lines are unnecessary, as the implicit deny any will apply in all cases.

To make it clearer, suppose we have something like:

    access-list 176 permit tcp 193.128.233.177 0.0.0.0 any eq smtp log
    access-list 176 deny tcp 193.128.233.177 0.0.0.0 any eq smtp
    access-list 176 permit ip any any

The smtp traffic from the mentioned host will be permitted although it's denied in the second line.

I hope this helps.

Regards,
Shahir Boshra
Telecommunications Specialist
USAID - Egypt

"Deloso, Elmer G." [EMAIL PROTECTED] wrote in message news:[EMAIL PROTECTED]...

> Hi, all.
>
> Just to verify my understanding of extended access-lists: this continues to parse the entries even after a match has already been found, so if the first few lines have a "permit" and later down the last few lines it encounters a "deny", what does the router do?
>
> Example:
>
>     access-list 176 permit tcp 193.128.233.177 0.0.0.0 any eq smtp log
>     access-list 176 permit tcp 203.23.83.180 0.0.0.0 any eq smtp log
>     access-list 176 permit tcp 203.35.182.133 0.0.0.0 any eq smtp log
>     . . . .
>     access-list 176 deny ip 193.0.0.0 0.255.255.255 any log
>     access-list 176 deny ip 203.0.0.0 0.255.255.255 any log
>
> Any help would be greatly appreciated.
>
> Elmer Deloso
Re: SMTP access list
The algorithm is designed to exit the moment it finds a match. So, as soon as there is a match, the remaining lines of the access-list are never looked at.

"Deloso, Elmer G." wrote:

> Hi, all.
>
> Just to verify my understanding of extended access-lists: this continues to parse the entries even after a match has already been found, so if the first few lines have a "permit" and later down the last few lines it encounters a "deny", what does the router do?
>
> Example:
>
>     access-list 176 permit tcp 193.128.233.177 0.0.0.0 any eq smtp log
>     access-list 176 permit tcp 203.23.83.180 0.0.0.0 any eq smtp log
>     access-list 176 permit tcp 203.35.182.133 0.0.0.0 any eq smtp log
>     . . . .
>     access-list 176 deny ip 193.0.0.0 0.255.255.255 any log
>     access-list 176 deny ip 203.0.0.0 0.255.255.255 any log
>
> Any help would be greatly appreciated.
>
> Elmer Deloso
Re: SMTP access list
Hi

Nope, as soon as a match in the list is made, it is processed, and no longer considered by the ACL. So in your example a packet with a source address of 193.128.233.177 on TCP port 25 would be forwarded/routed to the IP/forwarding interface.

HTH

--
John Hardman, MCSE+I, CCNA
ArrisTech/CCS-IS SysAdmin

"Deloso, Elmer G." [EMAIL PROTECTED] wrote in message news:[EMAIL PROTECTED]...

> Hi, all.
>
> Just to verify my understanding of extended access-lists: this continues to parse the entries even after a match has already been found, so if the first few lines have a "permit" and later down the last few lines it encounters a "deny", what does the router do?
>
> Example:
>
>     access-list 176 permit tcp 193.128.233.177 0.0.0.0 any eq smtp log
>     access-list 176 permit tcp 203.23.83.180 0.0.0.0 any eq smtp log
>     access-list 176 permit tcp 203.35.182.133 0.0.0.0 any eq smtp log
>     . . . .
>     access-list 176 deny ip 193.0.0.0 0.255.255.255 any log
>     access-list 176 deny ip 203.0.0.0 0.255.255.255 any log
>
> Any help would be greatly appreciated.
>
> Elmer Deloso
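
The first-match behaviour discussed in this thread, as an added example that is not part of any poster's message and is not router code: a small Python model that evaluates the two access-lists quoted above and reports which line decided each packet. It assumes only the syntax seen in the thread (source address plus wildcard or `any`, destination `any`, optional `eq` port); the elided ". . . ." entries are left out, and the 10.x source addresses are constructed test values.

```python
import ipaddress

PORTS = {"smtp": 25}  # only the port keyword that appears in the thread

def ip(s):
    return int(ipaddress.IPv4Address(s))

def parse(line):
    """Parse 'access-list N permit|deny PROTO SRC [WILDCARD] any [eq PORT] [log]'."""
    t = line.split()
    action, proto, rest = t[2], t[3], t[4:]
    if rest[0] == "any":                      # 'any' = every source address
        src, wild, rest = 0, 0xFFFFFFFF, rest[1:]
    else:                                     # address followed by wildcard mask
        src, wild, rest = ip(rest[0]), ip(rest[1]), rest[2:]
    port = None
    if "eq" in rest:
        p = rest[rest.index("eq") + 1]
        port = PORTS[p] if p in PORTS else int(p)
    return action, proto, src, wild, port

def matches(entry, proto, src_ip, dport):
    _, eproto, src, wild, port = entry
    if eproto not in ("ip", proto):           # 'ip' covers every protocol
        return False
    care = ~wild & 0xFFFFFFFF                 # wildcard 1-bits are "don't care"
    if (ip(src_ip) & care) != (src & care):
        return False
    return port is None or port == dport

def evaluate(acl, proto, src_ip, dport):
    """Return (action, deciding line number); stop at the first match."""
    for n, line in enumerate(acl, 1):
        entry = parse(line)
        if matches(entry, proto, src_ip, dport):
            return entry[0], n
    return "deny", None                       # implicit deny ends every ACL

SHAHIR = ["access-list 176 permit tcp 193.128.233.177 0.0.0.0 any eq smtp log",
          "access-list 176 deny tcp 193.128.233.177 0.0.0.0 any eq smtp",
          "access-list 176 permit ip any any"]
ELMER = ["access-list 176 permit tcp 193.128.233.177 0.0.0.0 any eq smtp log",
         "access-list 176 permit tcp 203.23.83.180 0.0.0.0 any eq smtp log",
         "access-list 176 permit tcp 203.35.182.133 0.0.0.0 any eq smtp log",
         "access-list 176 deny ip 193.0.0.0 0.255.255.255 any log",
         "access-list 176 deny ip 203.0.0.0 0.255.255.255 any log"]

if __name__ == "__main__":
    print(evaluate(SHAHIR, "tcp", "193.128.233.177", 25))  # line 2 never reached
    print(evaluate(ELMER, "tcp", "10.1.1.1", 25))          # falls to implicit deny
```

A result of `("deny", None)` means no configured line matched and the implicit deny applied, which is why such drops produce no `log` entry unless an explicit deny line is present.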