I think it's the ICMP type/code.
Thanks,
Zsombor
dave petit wrote:
>
> I have an access list (101) on my router that is tied to a
> cable modem
> network.
> The access list contains the following icmp deny statment. It
> seems to
> workok.
> The question is; what
I have an access list (101) on my router that is tied to a cable modem
network.
The access list contains the following icmp deny statment. It seems to
workok.
The question is; what the heck does (3/13) mean in the log line??
Thanks!!
from access-list 101:
access-list 101 deny icmp any any
Hello all,
I need some help with ACL's. What my goal is to allow VNP traffic in
to my network to one firewall (Static IP address). Also I want to allow
traffic out of my FE 0/1 interface out to the net using "established"
access lists. The services I want to let out are.
HTTP
HTTPS
SMTP
Conduits are global and access lists are interface specific. Go with access
lists.
At 09:11 PM 7/17/2003 +, E. Keith J. wrote:
>Hi all
>
>
>
>The boss wants to allow ping.
>
>In the website I found the way by using an access list.
>
>In another con
PROTECTED] On Behalf Of
Lynne Padgett
Sent: July 17, 2003 7:09 PM
To: [EMAIL PROTECTED]
Subject: RE: Access list or Conduit? [7:72514]
I agree. If I recall correctly, this change was implemented in the
later
versions of 5.x and conduits aren't used at all in the 6.x versions.
Cisco
did this
EMAIL PROTECTED]
Subject: RE: Access list or Conduit? [7:72514]
my understanding is conduits are the same as access lists but are being
phased out and replaced by access lists so that syntax is more uniform
across platforms.
-Original Message-
From: E. Keith J. [mailto:[EMAIL PROT
]
Subject: Access list or Conduit? [7:72514]
Hi all
The boss wants to allow ping.
In the website I found the way by using an access list.
In another config I see a conduit is used.
What is the difference between using a conduit and an access list to allow
ping
Is it that a conduit is to
me-exceeded (trace routes), source-quench (so
you can see icmp messages). Also allow icmp echo's (type 8) outbound. You
will then be able to ping stuff on the net, but they can't ping you.
see this sample...
!create list
access-list corp_internet_allowed_in permit icmp any any echo-reply
a
ss-lists and I'm not concerned that support for ACL's is
disappearing anytime soon.
Only thing I'd say is that I've read you can experience some very weird and
unexpected results if you mix an access list and conduits together. Go with
all one or all of the other.
Mark
-Orig
Hi all
The boss wants to allow ping.
In the website I found the way by using an access list.
In another config I see a conduit is used.
What is the difference between using a conduit and an access list to allow
ping
Is it that a conduit is to a specific host
Rather than permit
Yep - Good call :-)
Sorry
Bikespace
""Dimitrije"" wrote in message
news:[EMAIL PROTECTED]
> if .150 is inclusive, within the permitted range, then add 1 additional
> permit
> statement:
> permit host 192.100.34.150
>
> Bikespace wrote:
>
>
if .150 is inclusive, within the permitted range, then add 1 additional
permit
statement:
permit host 192.100.34.150
Bikespace wrote:
> I think the:
>
> access-list 10 permit 192.100.34.97 0.0.0.31
> should be
> access-list 10 permit 192.100.34.96 0.0.0.31
> as 97 isn't t
I think the:
access-list 10 permit 192.100.34.97 0.0.0.31
should be
access-list 10 permit 192.100.34.96 0.0.0.31
as 97 isn't the network address, but this means adding another line at the
start to disallow 96.
I'll stick by my previous effort for the moment:
deny 192.100.34.96 0.0.
, 2003 12:01 PM
To: [EMAIL PROTECTED]
Subject: RE: Access-list ?? [7:71696]
Craig,
The problem as I see it is you need to allow 50 hosts, to pass through an
ACL but the 50 hosts you want to pass are difficult to "mask out" with a
simple ACL.
The previous answers provided might be correct
Yep - I need to RTFQ :-)
How about this (reversed):
deny 192.100.34.96 0.0.0.3
permit 192.100.34.96 0.0.0.31
permit 192.100.34.128 0.0.0.15
permit 192.100.34.144 0.0.0.3
permit 192.100.34.148 0.0.0.1
Bikespace
""Bikespace"" wrote in message
news:[EMAIL PROTECTED]
> Here's a weary stab at it. I
trying to filter on source AND
destination address and do not need to filter by protocol, just source, so I
recomend a standard access-list, like I have listed below. There are
several ways to "slice it up" here is just one.
access-list 10 deny host 192.100.34.97
access-list 10 deny host
Here's a weary stab at it. I'll probably regret rushing through this, but at
least you'll get your answer when someone corrects me :-)
I would think there has got to be a better way. Need someone who does it in
binary. My head doesn't cut the mustard with the wildcard masks.
permit 192.100.34.96 0
is interesting. Obviously one solution is to deny the 50
>>hosts with 50 deny statements.
Since he wants to block all *except* the range of 50, wouldn't this be a
better option?
access-list 110 permit ip 192.100.34.100 0.0.0.3 ! 100-103
access-list 110 permit ip 192.100.34.104 0.0.
Janó van Deventer wrote:
>
> > At 11:05 PM 6/30/2003 +, Shibu Nair wrote:
> > >Hi
> > >
> > >Can somebody let me know what exact keyword (not icmp type
> > number) should
> > >be used
> > >to enable the incoming access
t; hosts with 50 deny statements.
>
> Will this solution work? It uses 12 statements.
>
> access-list 110 deny ip host 192.100.34.110
> access-list 110 deny ip host 192.100.34.111
> access list 110 deny ip 192.100.34.112 0.0.0.16
> access-list 110 deny ip 192.100.34.128 0.0.0.16
>
> At 11:05 PM 6/30/2003 +, Shibu Nair wrote:
> >Hi
> >
> >Can somebody let me know what exact keyword (not icmp type
> number) should
> >be used
> >to enable the incoming access-list for trace route unix
> application to work
> >fine...
> >
&g
This is interesting. Obviously one solution is to deny the 50 hosts with 50
deny statements.
Will this solution work? It uses 12 statements.
access-list 110 deny ip host 192.100.34.110
access-list 110 deny ip host 192.100.34.111
access list 110 deny ip 192.100.34.112 0.0.0.16
access-list 110
You might try the below:
access-list 10 deny 192.100.34.96 0.0.0.3
access-list 10 deny 192.100.34.151 0.0.0.0
access-list 10 deny 192.100.34.152 0.0.0.7
access-list 10 permit 192.100.34.96 0.0.0.31
access-list 10 permit 192.100.34.128 0.0.0.31
The 1st three lines block the unwanted
Hi,
try 'ttl-exceeded' and 'port-unreachable'.
Thanks,
Zsombor
At 11:05 PM 6/30/2003 +, Shibu Nair wrote:
>Hi
>
>Can somebody let me know what exact keyword (not icmp type number) should
>be used
>to enable the incoming access-list for trace route uni
ALL-
I know you have answered this question before, but I hope somewhere in your
4th of July heart you can help me.
I have a 1600 router running a 12021 IP PLUS --- I have tried to add
access-lists to block all sites incoming except 192.100.34.100-150.
Can someone help with the correct lists.
T
Hi
Can somebody let me know what exact keyword (not icmp type number) should
be used
to enable the incoming access-list for trace route unix application to work
fine...
I know UDP should be allowed for outgoing and ICMP should be allowed for
the incoming...
Looking for the incoming side icmp
ALL-
I know you have answered this question before, but I hope somewhere in your
4th of July heart you can help me.
I have a 1600 router running a 12021 IP PLUS --- I have tried to add
access-lists to block all sites incoming except 192.100.34.100-150.
Can someone help with the correct lists.
T
Hi,
try 'ttl-exceeded' and 'port-unreachable'.
Thanks,
Zsombor
At 11:05 PM 6/30/2003 +, Shibu Nair wrote:
>Hi
>
>Can somebody let me know what exact keyword (not icmp type number) should
>be used
>to enable the incoming access-list for trace route uni
ALL-
I know you have answered this question before, but I hope somewhere in your
4th of July heart you can help me.
I have a 1600 router running a 12021 IP PLUS --- I have tried to add
access-lists to block all sites incoming except 192.100.34.100-150.
Can someone help with the correct lists.
T
Hi
Can somebody let me know what exact keyword (not icmp type number) should
be used
to enable the incoming access-list for trace route unix application to work
fine...
I know UDP should be allowed for outgoing and ICMP should be allowed for
the incoming...
Looking for the incoming side icmp
Silly thing to overlook, but best to check anyway is that you have applied
the ACL to the correct interface
Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=70053&t=70022
--
FAQ, list archives, and subscription info: http://www.group
This is possible because you are using win2k now and if that is the case
for AD stuff you need to open port 445 also.
-Original Message-
From: jmullins1 [mailto:[EMAIL PROTECTED]
Sent: Monday, June 02, 2003 4:52 PM
To: [EMAIL PROTECTED]
Subject: PIX access-list [7:70022]
I'm tryi
entries in the access-list:
access-list LAN permit tcp host 172.16.2.2 host 10.0.1.19 eq 135
access-list LAN permit udp host 172.16.2.2 host 10.0.1.19 eq 137
access-list LAN permit udp host 172.16.2.2 host 10.0.1.19 eq 138
access-list LAN permit tcp host 172.16.2.2 host 10.0.1.19 eq 139
When I perf
Yes, it looks like the non-contigious access-list does indeed work. I've
implemented it
today on a production network with VoIP telephones and haven't (at least
yet) received
any reports of poor voice quality..
The actual access-list used:
access-list 101 permit ip any 10.10.0.2
work fine.
>
> You can also test this out by sending a constant data stream via ftp or
> something and then start a voice conversation.
>
> ""dj"" wrote in message
> news:[EMAIL PROTECTED]
> > I'm setting up LLQ over hub-'n-spoke frame-relay WA
> following funky looking access-list to mark voice packets for the high
> priority queue. This access-list logically works, but my question is:
> Is this legal?
> access-list 101 permit ip any 10.10.X.201 0.0.255.248 precedence
> critical
>
> I have 8 IP phones at each remote si
I'm setting up LLQ over hub-'n-spoke frame-relay WAN and want to use the
following funky looking access-list to mark voice packets for the high
priority queue. This access-list logically works, but my question is:
Is this legal?
access-list 101 permit ip any 10.10.X.201 0.0.255.248
does it NAT
first, or check the outgoing access list ??
Thanks in advance
Andrew Larkins
BCom, CCNP, CCDP, CSS1
Bytes Technology Networks
A Division of Bytes Technology Group : Registration No: 1911/003874/06
A Member of the Altron Group
P O Box 748, Rivonia, 2128
3 Eglin Rd, The Crescent, Sunnin
Can't think of a reason why you would use the three lines. As far as I know
(unless there are any little tricks or gotchas) this does make the first two
redundant.
Gareth
""Charlie Wehner"" wrote in message
news:[EMAIL PROTECTED]
> Two quick questions:
>
>
I found the answer to question 2:
"It's not usually a good idea to configure logging for access list entries
that will match very large numbers of packets. Doing so will cause log files
to grow excessively large, and may cut into system performance. However,
access list log message
Two quick questions:
I've configured an access-list to only permit certain tcp and udp ports
above 1024. At the end of the access-list I have the following commands:
access-list 101 deny tcp any any log
access-list 101 deny udp any any log
access-list 101 deny ip any any log
Question 1:
It is my understanding that cisco will be discontinuing support for the
conduit function in the near future. You should migrate those statements to
ACLs especially using ios 6.2. I had some unusual difficulties using a few
conduits with 6.2.
""Aaron Ajello"" wrote in message
news:[EMAIL PROTECTE
I recently inherited responsibility for a Pix - version 6.2(2). It's
configured with conduits and I'm thinking about changing them all to access
lists a litte bit down the line, after I do the research and really learn
what I'm doing. The reason being access lists seem easier to organize, read
an
92.17.77.0.
However, it won't deny the networks in between.
Let's say you used access-list 11 deny 192.17.73.0 0.0.4.255
73 is 0100 1001
77 is 0100 1101
They differ in the 2^2 position, 4 in decimal. So that's where you'll want a
wildcard (don't-care) bit value in the mask
>
> Hope that helps.
>
> Robert
>
> ""Jason Steig"" wrote in message
> news:[EMAIL PROTECTED]
> > Hello i networks 192.17.73.0 - 192.17.77.0
> >
> > is there anyway to deny these networks with one entry in an
> access list?
>
lculator at the
following link.
http://www.boson.com/promo/utilities/wildcard/wildcard.htm
Hope that helps.
Robert
""Jason Steig"" wrote in message
news:[EMAIL PROTECTED]
> Hello i networks 192.17.73.0 - 192.17.77.0
>
> is there anyway to deny these networks with one
Jason Steig wrote:
>
> so you're saying that my statement
> ip access-list 1 permit ip 192.17.73.0 0.191.251.0 will permit
> all hosts from network 192.17.73.0 and 192.81.73.0??
>
> 17 is 00010001
> 81 is 01010001
You corrected my typo on 81. That's good. :-)
&
Couldn't you just use the wildcard mask 0.0.4.255 to deny 192.17.73.0 -
192.17.77.0? I used the Boson wildcard mask calculator to check this, and
it gave me those networks.
""Andrew Larkins"" wrote in message
news:[EMAIL PROTECTED]
> the first access-list will not
the first access-list will not work.
The second one will also deny networks 192.17.72.0 and 78.0 as well as 79.0
-
You are correct about zeros must make at 1's are don't care, but you need to
understand the basic of subnetting. A 248.0 subnet mask means 8 "Class C"
subnets. Yo
Hello i networks 192.17.73.0 - 192.17.77.0
is there anyway to deny these networks with one entry in an access list?
such as deny 192.17.73.0 0.0.248.255?
is this going to deny these networks? it's also going to black hole several
other networks though. Or does the list have to be
""Jason Steig"" wrote in message
news:[EMAIL PROTECTED]
> it worked!! thanks!Jason Steig wrote:
> >
forgive me for having gotten lost in this thread...
> > so your saying that my statement
> > ip access-list 1 permit ip 192.17.73.0 0
it worked!! thanks!Jason Steig wrote:
>
> so your saying that my statement
> ip access-list 1 permit ip 192.17.73.0 0.191.251.0 will permit
> all hosts from network 192.17.73.0 and 192.81.73.0??
>
> 17 is 00010001
> 81 is 01010001
>
> so the bit it doesn&#x
so your saying that my statement
ip access-list 1 permit ip 192.17.73.0 0.191.251.0 will permit all hosts
from network 192.17.73.0 and 192.81.73.0??
17 is 00010001
81 is 01010001
so the bit it doesn't match on is the 64 bit. so i just have to switch it
around if your saying the ones
Priscilla Oppenheimer wrote:
>
> Jason Steig wrote:
> >
> > Hello all. I'am stumped on an access-list that i need to
> > create. What i did was i set up two routers using rip and put
> > loopbacks on one of them and advertised them in rip. I then
> > a
Jason Steig wrote:
>
> Hello all. I'am stumped on an access-list that i need to
> create. What i did was i set up two routers using rip and put
> loopbacks on one of them and advertised them in rip. I then
> attempted to build an access-list allowing just these networks
>
Hello all. I'am stumped on an access-list that i need to create. What i did
was i set up two routers using rip and put loopbacks on one of them and
advertised them in rip. I then attempted to build an access-list allowing
just these networks to pass into the other router. The router wit
Hello all. I'am stumped on an access-list that i need to create. What i
did was i set up two routers using rip and put loopbacks on one of them and
advertised them in rip. I then attempted to build an access-list allowing
just these networks to pass into the other router. The router wit
-1750
> ROUTER10.15.0.0 255.255.0.0
>
> 10.15.0.0 Is the inside network
> 10.10.10.0 Is the outside network
>
> In CISCO PIX FIREWALL Version 6.1(4), what is the impact of this command?
>
>
> access-list acl_out permit ip 10.10.0.0 255.255.0.0 10.15.0.0 255.255.0.0
10.10.0.0 255.255.0.0---515E PIX FIREWALL--1750
ROUTER10.15.0.0 255.255.0.0
10.15.0.0 Is the inside network
10.10.10.0 Is the outside network
In CISCO PIX FIREWALL Version 6.1(4), what is the impact of this command?
access-list acl_out permit ip 10.10.0.0 255.255.0.0
According to Cisco's site... The "access-list compiled" can "only" be used
with Turbo ACLs on the 7000 series routers.
Please lemme know if I'm wrong! I'd like to use it on my 3640 with acl
gremlins.
-Original Message-
From: Stong, Ian C [GMG] [mail
nt: Friday, January 24, 2003 3:46 PM
To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: access-list compiled on Pix firewall
Has anyone used the "access-list compiled" on the pix firewall? Cisco says
that
it optimizes the access-list and make things run smoother if your
access-list is
at
Has anyone used the "access-list compiled" on the pix firewall? Cisco says
that
it optimizes the access-list and make things run smoother if your
access-list is
at least 20 lines long. Has anyone actually measured this on a production
environment?
Adv
s of ports
> (i.e. - one with 6 ports and one with 4 ... doh!)
>
>
> Thanks!
> TJ
> -Original Message-
> From: Sam Sneed [mailto:[EMAIL PROTECTED]]
> Sent: Wednesday, January 15, 2003 10:20 AM
> To: [EMAIL PROTECTED]
> Subject: Re: PIX access-list problem [7:61043]
>
&g
Sent: Wednesday, January 15, 2003 10:20 AM
To: [EMAIL PROTECTED]
Subject: Re: PIX access-list problem [7:61043]
Found problem. I had the 2 PIX's configured for failover. The problem was
that the failover cable was loose on one end so they both flip flopped each
taking control as master. Than
late the address.
>
> HTH,
> Kris.
>
> -Original Message-
> From: Sam Sneed [mailto:[EMAIL PROTECTED]]
> Sent: Tuesday, January 14, 2003 2:08 PM
> To: [EMAIL PROTECTED]
> Subject: PIX access-list problem [7:61043]
>
>
> I cannot seem to get the following c
correct vlan/segment and set to correct speed/duplex?
>
> Can other devices on same switch communicate with anyone else?
>
>
> Thanks!
> TJ
> [EMAIL PROTECTED]
>
>
>
> -Original Message-
> From: Sam Sneed [mailto:[EMAIL PROTECTED]]
> Sent: Tuesday, J
PROTECTED]]
Sent: Tuesday, January 14, 2003 3:43 PM
To: [EMAIL PROTECTED]
Subject: Re: PIX access-list problem [7:61043]
This type of NAT is required for incoming connections. I can't get access
going out so I haven't even looked at that yet. Even worse is from
83.23.44.60 (outside interface
This type of NAT is required for incoming connections. I can't get access
going out so I haven't even looked at that yet. Even worse is from
83.23.44.60 (outside interface of PIX) I can't ping 83.23.44.50 which is
outside of the PIX. If you look at my access-list , this should not
ssage-
From: Sam Sneed [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, January 14, 2003 2:08 PM
To: [EMAIL PROTECTED]
Subject: PIX access-list problem [7:61043]
I cannot seem to get the following config to work and am clueless why. My
incoming access lists for DMZ and outside are wide open. The goal is
rnet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
access-list internal permit ip 172.19.90.0 255.255.255.0 any
access-list test permit ip any any
access-list test permit icmp any any
access-list int-dmz permit ip 172.19.90.0 255.255.255.0 83.23
Here is the situation:
I have a 1700 series router and a T1, a cisco switch, and a file server.
I will no longer run exchage or IIS. How should I configure my router?
[GroupStudy.com removed an attachment of type text/x-vcard which had a name
of james.gruggett.vcf]
Message Posted at:
http://w
gt; 80" needs to go after the second "any" to signify destination
> port of 80 as
> such:
>
> access-list 100 permit tcp any any eq 80
Depends on your security policy. He said he wanted to block port 80
transmitting, implying a source port of 80. This might be a policy fo
destination port of 80 as
such:
access-list 100 permit tcp any any eq 80
Thanks,
Mario Puras
SoluNet Technical Support
Mailto: [EMAIL PROTECTED]
Direct: (321) 309-1410
888.449.5766 (USA) / 888.SOLUNET (Canada)
-Original Message-
From: Sabertech Cisco Training [mailto:[EMAIL PROT
I was running an exchange server and someone hacked in. I am trying to
secure the network. What do you reccomed?
[GroupStudy.com removed an attachment of type text/x-vcard which had a name
of james.gruggett.vcf]
Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=59987&t=59975
---
so, no other outbound traffic at all, nothing else from the corp lan? You
want people on the lan to be able to web surf or do you want to run a web
server and allow that traffic thru? Just want to dbl check.
Bri
On Mon, 30 Dec 2002, James Gruggett wrote:
> Hi Everyone,
>
> I have a 17
To allow out only traffic sourced from TCP port 80:
!
access-list 100 permit tcp any eq 80 any
!
interface serial 0
ip access-group 100 out
!
That's how you would do it, but it's extremely unusual
to suppress traffic based on source ports...
-Original Message-
From: [EMAIL
Hi Everyone,
I have a 1700 Cisco router connected to a T1. I would like to lock it
down and only allow port 80 to transmitt data for security purposes.
Any suggestions would be great.
Thanks
[GroupStudy.com removed an attachment of type text/x-vcard which had a name
of james.gruggett.vcf]
;t seem to work even thought I have
natting straight through and open the port with the access list, any
suggestions? Attached is the config minus any public IPs etc.
The latest thing TAC had me do was remove access list 160 from the E0
interface and is reflected in the config below. When the access
You are assuming that I (and others in this discussion) do not know how to
figure out wild card masks, which is not the focus of the question. Please,
take a step back and really try to listen. I appreciate your opinion and I
am very grateful that you are taking the time help. But, you are not r
""Ted Marinich"" wrote in message
[EMAIL PROTECTED]">news:[EMAIL PROTECTED]...
> Josh,
>
> No I never have. frp is a typo - should be FTP.
CL: I believe I gave a good pointer and a good start in my earlier reply.
>
> access-list 101 deny tcp host 13
Josh,
No I never have. frp is a typo - should be FTP.
access-list 101 deny tcp host 135.152.1.1 eq ftp any
access-list 101 deny tcp host 135.152.1.1 eq http any
access-list 101 deny tcp 131.24.194.0 0.1.1.255 eq ftp any
access-list 101 deny tcp 131.24.194.0 0.1.1.255 eq http any
access-list
Ted,
Did you ever get any feedback on this? I have never heard of the frp
keyword in an access-list command.
Josh
-Original Message-
From: Ted Marinich [mailto:[EMAIL PROTECTED]]
Sent: Saturday, December 07, 2002 5:47 PM
To: [EMAIL PROTECTED]
Subject: Re: Darth Reid R1 Access-list [7
Thank you Brian that was why it did not work. Now it is working .
- Original Message -
From: "Brian Dennis"
To: "'John Tafasi'" ; "'Cisco Group Study'"
; "'ccielab'"
Sent: Saturday, December 14, 2002 12:35 PM
S
;; 'ccielab'
Subject: Re: problem with reflexive access list
I tried that too and it did not work.
- Original Message -
From: "Brian Dennis"
To: "'John Tafasi'" ; "'Cisco Group Study'"
; "'ccielab'"
Sent: F
I tried that too and it did not work.
- Original Message -
From: "Brian Dennis"
To: "'John Tafasi'" ; "'Cisco Group Study'"
; "'ccielab'"
Sent: Friday, December 13, 2002 11:56 PM
Subject: RE: problem with reflexive acc
ian Dennis, CCIE #2210 (R&S/ISP Dial/Security)
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of
John Tafasi
Sent: Friday, December 13, 2002 4:32 PM
To: Cisco Group Study; ccielab
Subject: problem with reflexive access list
Hello,
I have a problem telnet
Hello,
I have a problem telneting from r5 to r2 when reflexive ip access list is
configured. Without the reflexive access list, the telnet will work fine.
The two routers are directly connect via their ethernet 0 interfaces. Could
some one find out what is wrong with my configuration. Both
ended access-list in/ out [7:58750]
Do you even need to specify the source port? Why wouldn't you just do:
access-list 101 permit tcp any any eq telnet?
Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=59021&t=58750
--
Do you even need to specify the source port? Why wouldn't you just do:
access-list 101 permit tcp any any eq telnet?
Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=59015&t=58750
--
FAQ, list archives, and subscripti
This won't work because the source packet doe's not have a source port of 23
what you need to do is
access-list 101 permit tcp any gt 1023 any eq telnet (this is for inbound )
from memory traffic originating from router will not be bound by an ACL so
your out bound traffic should be al
neil what you can do to allow both outbound and incoming telnet access by
using the command:
access-list 101 permit tcp any eq telnet any eq telnet
ip access-group 101 in/out whichever interface you would want to put this on.
I haven't tried this yet but I think this will work. It allows s
OK,
The question is deny FTP and HTTP for these addresses:
131.24.194.x, 131.25.194.x, 135.152.1.1, 131.24.195.x, 131.24.193.x
Use least amount of lines in your ACL.
To match EXACTLY what the question asks with the minimum ACL, I come up with
this:
access-list 101 deny tcp host 135.152.1.1 eq
guys,
Please explain, how to apply extended access-list so as to permit inbound
and outbound telnet access.
I want to apply the access list to same interface in and out.
Thanks,
neil.
Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=58750&
Actually he *did* answer it. Write it out in binary, it should be crystal
clear.
- Original Message -
From: "Ted Marinich"
To:
Sent: Friday, December 06, 2002 7:00 PM
Subject: Re: Darth Reid R1 Access-list [7:58644]
> The Long and Winding Road:
>
> As you can s
""Ted Marinich"" wrote in message
[EMAIL PROTECTED]">news:[EMAIL PROTECTED]...
> The Long and Winding Road:
>
> As you can see from my original post, the binary equivelents are
represented
> in decimal format one octet at a time. The question is - has anyone
> approached this question froma a dif
The Long and Winding Road:
As you can see from my original post, the binary equivelents are represented
in decimal format one octet at a time. The question is - has anyone
approached this question froma a different angle to get a more realistic
answer.
The first octet should allow 131 and 135 on
.
> > > Barring intentional obfusication, why would anyone actually use
that
> > > wildcard mask in an access list instead of a longer more readable
> > > alternative?
> >
> > CL: since the publication of RFC 1812, the so called "whacky" wildcard
>
> > Barring intentional obfusication, why would anyone actually use that
> > wildcard mask in an access list instead of a longer more readable
> > alternative?
>
> CL: since the publication of RFC 1812, the so called "whacky" wildcard
masks
> are not su
""J.D. Chaiken"" wrote in message
[EMAIL PROTECTED]">news:[EMAIL PROTECTED]...
> Follup Question:
>
> Barring intentional obfusication, why would anyone actually use that
> wildcard mask in an access list instead of a longer more readable
> alte
Follup Question:
Barring intentional obfusication, why would anyone actually use that
wildcard mask in an access list instead of a longer more readable
alternative?
Jarett
""The Long and Winding Road"" wrote in
message [EMAIL PROTECTED]">news:[EMAIL PROTECTED]
1 - 100 of 817 matches
Mail list logo
