I have an access list (101) on my router that is tied to a cable modem
network.
The access list contains the following icmp deny statement. It seems to
work ok.
The question is; what the heck does (3/13) mean in the log line??
Thanks!!
from access-list 101:
access-list 101 deny icmp any any
I think it's the ICMP type/code.
Thanks,
Zsombor
dave petit wrote:
I have an access list (101) on my router that is tied to a
cable modem
network.
The access list contains the following icmp deny statement. It
seems to
work ok.
The question is; what the heck does (3/13) mean in the log
Hello all,
I need some help with ACLs. My goal is to allow VPN traffic in
to my network to one firewall (Static IP address). Also I want to allow
traffic out of my FE 0/1 interface out to the net using established
access lists. The services I want to let out are.
HTTP
HTTPS
SMTP
Conduits are global and access lists are interface specific. Go with access
lists.
At 09:11 PM 7/17/2003 +, E. Keith J. wrote:
Hi all
The boss wants to allow ping.
In the website I found the way by using an access list.
In another config I see a conduit is used.
What
Hi all
The boss wants to allow ping.
In the website I found the way by using an access list.
In another config I see a conduit is used.
What is the difference between using a conduit and an access list to allow
ping
Is it that a conduit is to a specific host
Rather than permit
not concerned that support for ACL's is
disappearing anytime soon.
Only thing I'd say is that I've read you can experience some very weird and
unexpected results if you mix an access list and conduits together. Go with
all one or all of the other.
Mark
-Original Message-
From: [EMAIL PROTECTED
), source-quench (so
you can see icmp messages). Also allow icmp echo's (type 8) outbound. You
will then be able to ping stuff on the net, but they can't ping you.
see this sample...
!create list
access-list corp_internet_allowed_in permit icmp any any echo-reply
access-list corp_internet_allowed_in
]
Subject: Access list or Conduit? [7:72514]
Hi all
The boss wants to allow ping.
In the website I found the way by using an access list.
In another config I see a conduit is used.
What is the difference between using a conduit and an access list to allow
ping
Is it that a conduit
PROTECTED]
Subject:RE: Access list or Conduit? [7:72514]
my understanding is conduits are the same as access lists but are being
phased out and replaced by access lists so that syntax is more uniform
across platforms.
-Original Message-
From: E. Keith J. [mailto:[EMAIL PROTECTED
Of
Lynne Padgett
Sent: July 17, 2003 7:09 PM
To: [EMAIL PROTECTED]
Subject: RE: Access list or Conduit? [7:72514]
I agree. If I recall correctly, this change was implemented in the
later
versions of 5.x and conduits aren't used at all in the 6.x versions.
Cisco
did this to make the firewall code more
Yep - Good call :-)
Sorry
Bikespace
Dimitrije wrote in message
news:[EMAIL PROTECTED]
if .150 is inclusive, within the permitted range, then add 1 additional
permit
statement:
permit host 192.100.34.150
Bikespace wrote:
I think the:
access-list 10 permit 192.100.34.97 0.0.0.31
Here's a weary stab at it. I'll probably regret rushing through this, but at
least you'll get your answer when someone corrects me :-)
I would think there has got to be a better way. Need someone who does it in
binary. My head doesn't cut the mustard with the wildcard masks.
permit 192.100.34.96
to filter on source AND
destination address and do not need to filter by protocol, just source, so I
recommend a standard access-list, like I have listed below. There are
several ways to slice it up here is just one.
access-list 10 deny host 192.100.34.97
access-list 10 deny host 192.100.34.98
access-list
Yep - I need to RTFQ :-)
How about this (reversed):
deny 192.100.34.96 0.0.0.3
permit 192.100.34.96 0.0.0.31
permit 192.100.34.128 0.0.0.15
permit 192.100.34.144 0.0.0.3
permit 192.100.34.148 0.0.0.1
Bikespace
Bikespace wrote in message
news:[EMAIL PROTECTED]
Here's a weary stab at it. I'll
, 2003 12:01 PM
To: [EMAIL PROTECTED]
Subject: RE: Access-list ?? [7:71696]
Craig,
The problem as I see it is you need to allow 50 hosts, to pass through an
ACL but the 50 hosts you want to pass are difficult to mask out with a
simple ACL.
The previous answers provided might be correct
I think the:
access-list 10 permit 192.100.34.97 0.0.0.31
should be
access-list 10 permit 192.100.34.96 0.0.0.31
as 97 isn't the network address, but this means adding another line at the
start to disallow 96.
I'll stick by my previous effort for the moment:
deny 192.100.34.96 0.0.0.3
permit
if .150 is inclusive, within the permitted range, then add 1 additional
permit
statement:
permit host 192.100.34.150
Bikespace wrote:
I think the:
access-list 10 permit 192.100.34.97 0.0.0.31
should be
access-list 10 permit 192.100.34.96 0.0.0.31
as 97 isn't the network address
ALL-
I know you have answered this question before, but I hope somewhere in your
4th of July heart you can help me.
I have a 1600 router running a 12021 IP PLUS --- I have tried to add
access-lists to block all sites incoming except 192.100.34.100-150.
Can someone help with the correct lists.
Hi
Can somebody let me know what exact keyword (not icmp type number) should
be used
to enable the incoming access-list for trace route unix application to work
fine...
I know UDP should be allowed for outgoing and ICMP should be allowed for
the incoming...
Looking for the incoming side icmp
ALL-
I know you have answered this question before, but I hope somewhere in your
4th of July heart you can help me.
I have a 1600 router running a 12021 IP PLUS --- I have tried to add
access-lists to block all sites incoming except 192.100.34.100-150.
Can someone help with the correct lists.
Hi,
try 'ttl-exceeded' and 'port-unreachable'.
Thanks,
Zsombor
At 11:05 PM 6/30/2003 +, Shibu Nair wrote:
Hi
Can somebody let me know what exact keyword (not icmp type number) should
be used
to enable the incoming access-list for trace route unix application to work
fine...
I know UDP
You might try the below:
access-list 10 deny 192.100.34.96 0.0.0.3
access-list 10 deny 192.100.34.151 0.0.0.0
access-list 10 deny 192.100.34.152 0.0.0.7
access-list 10 permit 192.100.34.96 0.0.0.31
access-list 10 permit 192.100.34.128 0.0.0.31
The 1st three lines block the unwanted
This is interesting. Obviously one solution is to deny the 50 hosts with 50
deny statements.
Will this solution work? It uses 12 statements.
access-list 110 deny ip host 192.100.34.110
access-list 110 deny ip host 192.100.34.111
access-list 110 deny ip 192.100.34.112 0.0.0.16
access-list 110
.
Will this solution work? It uses 12 statements.
access-list 110 deny ip host 192.100.34.110
access-list 110 deny ip host 192.100.34.111
access-list 110 deny ip 192.100.34.112 0.0.0.16
access-list 110 deny ip 192.100.34.128 0.0.0.16
access-list 110 deny ip host 192.100.34.143
access-list 110
At 11:05 PM 6/30/2003 +, Shibu Nair wrote:
Hi
Can somebody let me know what exact keyword (not icmp type
number) should
be used
to enable the incoming access-list for trace route unix
application to work
fine...
I know UDP should be allowed for outgoing and ICMP should be
allowed
Janó van Deventer wrote:
At 11:05 PM 6/30/2003 +, Shibu Nair wrote:
Hi
Can somebody let me know what exact keyword (not icmp type
number) should
be used
to enable the incoming access-list for trace route unix
application to work
fine...
I know UDP should be allowed
with 50 deny statements.
Since he wants to block all *except* the range of 50, wouldn't this be a
better option?
access-list 110 permit ip 192.100.34.100 0.0.0.3 ! 100-103
access-list 110 permit ip 192.100.34.104 0.0.0.7 ! 104-111
access-list 110 permit ip 192.100.34.112 0.0.0.15 ! 112-127
Hi
Can somebody let me know what exact keyword (not icmp type number) should
be used
to enable the incoming access-list for trace route unix application to work
fine...
I know UDP should be allowed for outgoing and ICMP should be allowed for
the incoming...
Looking for the incoming side icmp
ALL-
I know you have answered this question before, but I hope somewhere in your
4th of July heart you can help me.
I have a 1600 router running a 12021 IP PLUS --- I have tried to add
access-lists to block all sites incoming except 192.100.34.100-150.
Can someone help with the correct lists.
Hi,
try 'ttl-exceeded' and 'port-unreachable'.
Thanks,
Zsombor
At 11:05 PM 6/30/2003 +, Shibu Nair wrote:
Hi
Can somebody let me know what exact keyword (not icmp type number) should
be used
to enable the incoming access-list for trace route unix application to work
fine...
I know UDP
in the access-list:
access-list LAN permit tcp host 172.16.2.2 host 10.0.1.19 eq 135
access-list LAN permit udp host 172.16.2.2 host 10.0.1.19 eq 137
access-list LAN permit udp host 172.16.2.2 host 10.0.1.19 eq 138
access-list LAN permit tcp host 172.16.2.2 host 10.0.1.19 eq 139
When I perform a show
This is possible because you are using win2k now and if that is the case
for AD stuff you need to open port 445 also.
-Original Message-
From: jmullins1 [mailto:[EMAIL PROTECTED]
Sent: Monday, June 02, 2003 4:52 PM
To: [EMAIL PROTECTED]
Subject: PIX access-list [7:70022]
I'm trying
Silly thing to overlook, but best to check anyway is that you have applied
the ACL to the correct interface
Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=70053t=70022
--
FAQ, list archives, and subscription info:
by sending a constant data stream via ftp or
something and then start a voice conversation.
dj wrote in message
news:[EMAIL PROTECTED]
I'm setting up LLQ over hub-'n-spoke frame-relay WAN and want to use the
following funky looking access-list to mark voice packets for the high
priority
Yes, it looks like the non-contiguous access-list does indeed work. I've
implemented it
today on a production network with VoIP telephones and haven't (at least
yet) received
any reports of poor voice quality..
The actual access-list used:
access-list 101 permit ip any 10.10.0.200 0.0.7.7
it NAT
first, or check the outgoing access list ??
Thanks in advance
Andrew Larkins
BCom, CCNP, CCDP, CSS1
Bytes Technology Networks
A Division of Bytes Technology Group : Registration No: 1911/003874/06
A Member of the Altron Group
P O Box 748, Rivonia, 2128
3 Eglin Rd, The Crescent, Sunninghill
I'm setting up LLQ over hub-'n-spoke frame-relay WAN and want to use the
following funky looking access-list to mark voice packets for the high
priority queue. This access-list logically works, but my question is:
Is this legal?
access-list 101 permit ip any 10.10.X.201 0.0.255.248 precedence
should work fine.
You can also test this out by sending a constant data stream via ftp or
something and then start a voice conversation.
dj wrote in message
news:[EMAIL PROTECTED]
I'm setting up LLQ over hub-'n-spoke frame-relay WAN and want to use the
following funky looking access-list
Can't think of a reason why you would use the three lines. As far as I know
(unless there are any little tricks or gotchas) this does make the first two
redundant.
Gareth
Charlie Wehner wrote in message
news:[EMAIL PROTECTED]
Two quick questions:
I've configured an access-list to only
Two quick questions:
I've configured an access-list to only permit certain tcp and udp ports
above 1024. At the end of the access-list I have the following commands:
access-list 101 deny tcp any any log
access-list 101 deny udp any any log
access-list 101 deny ip any any log
Question 1: Do I
I found the answer to question 2:
It's not usually a good idea to configure logging for access list entries
that will match very large numbers of packets. Doing so will cause log files
to grow excessively large, and may cut into system performance. However,
access list log messages are rate
I recently inherited responsibility for a Pix - version 6.2(2). It's
configured with conduits and I'm thinking about changing them all to access
lists a little bit down the line, after I do the research and really learn
what I'm doing. The reason being access lists seem easier to organize, read
It is my understanding that cisco will be discontinuing support for the
conduit function in the near future. You should migrate those statements to
ACLs especially using ios 6.2. I had some unusual difficulties using a few
conduits with 6.2.
Aaron Ajello wrote in message
news:[EMAIL PROTECTED]
Hello i networks 192.17.73.0 - 192.17.77.0
is there anyway to deny these networks with one entry in an access list?
such as deny 192.17.73.0 0.0.248.255?
is this going to deny these networks? it's also going to black hole several
other networks though. Or does the list have to be
deny
the first access-list will not work.
The second one will also deny networks 192.17.72.0 and 78.0 as well as 79.0
-
You are correct about zeros must make at 1's are don't care, but you need to
understand the basic of subnetting. A 248.0 subnet mask means 8 Class C
subnets. You have to start
Couldn't you just use the wildcard mask 0.0.4.255 to deny 192.17.73.0 -
192.17.77.0? I used the Boson wildcard mask calculator to check this, and
it gave me those networks.
Andrew Larkins wrote in message
news:[EMAIL PROTECTED]
the first access-list will not work.
The second one will also
Jason Steig wrote:
so you're saying that my statement
ip access-list 1 permit ip 192.17.73.0 0.191.251.0 will permit
all hosts from network 192.17.73.0 and 192.81.73.0??
17 is 00010001
81 is 01010001
You corrected my typo on 81. That's good. :-)
so the bit it doesn't match
at the
following link.
http://www.boson.com/promo/utilities/wildcard/wildcard.htm
Hope that helps.
Robert
Jason Steig wrote in message
news:[EMAIL PROTECTED]
Hello i networks 192.17.73.0 - 192.17.77.0
is there anyway to deny these networks with one entry in an access list?
such as deny 192.17.73.0
]
Hello i networks 192.17.73.0 - 192.17.77.0
is there anyway to deny these networks with one entry in an
access list?
such as deny 192.17.73.0 0.0.248.255?
is this going to deny these networks? it's also going to
black hole
several
other networks though. Or does the list have
deny the networks in between.
Let's say you used access-list 11 deny 192.17.73.0 0.0.4.255
73 is 0100 1001
77 is 0100 1101
They differ in the 2^2 position, 4 in decimal. So that's where you'll want a
wildcard (don't-care) bit value in the mask, in other words 1. So the mask
for that part is
Hello all. I'm stumped on an access-list that I need to create. What I did
was I set up two routers using rip and put loopbacks on one of them and
advertised them in rip. I then attempted to build an access-list allowing
just these networks to pass into the other router. The router
Jason Steig wrote:
Hello all. I'm stumped on an access-list that I need to
create. What I did was I set up two routers using rip and put
loopbacks on one of them and advertised them in rip. I then
attempted to build an access-list allowing just these networks
to pass into the other router
Priscilla Oppenheimer wrote:
Jason Steig wrote:
Hello all. I'm stumped on an access-list that I need to
create. What I did was I set up two routers using rip and put
loopbacks on one of them and advertised them in rip. I then
attempted to build an access-list allowing just
so you're saying that my statement
ip access-list 1 permit ip 192.17.73.0 0.191.251.0 will permit all hosts
from network 192.17.73.0 and 192.81.73.0??
17 is 00010001
81 is 01010001
so the bit it doesn't match on is the 64 bit. so I just have to switch it
around if you're saying the ones don't
it worked!! thanks!
Jason Steig wrote:
so you're saying that my statement
ip access-list 1 permit ip 192.17.73.0 0.191.251.0 will permit
all hosts from network 192.17.73.0 and 192.81.73.0??
17 is 00010001
81 is 01010001
so the bit it doesn't match on is the 64 bit. so I just
Jason Steig wrote in message
news:[EMAIL PROTECTED]
it worked!! thanks!
Jason Steig wrote:
forgive me for having gotten lost in this thread...
so you're saying that my statement
ip access-list 1 permit ip 192.17.73.0 0.191.251.0 will permit
all hosts from network 192.17.73.0
Hello all. I'm stumped on an access-list that I need to create. What I
did was I set up two routers using rip and put loopbacks on one of them and
advertised them in rip. I then attempted to build an access-list allowing
just these networks to pass into the other router. The router
0.15.0.0 255.255.0.0
10.15.0.0 Is the inside network
10.10.10.0 Is the outside network
In CISCO PIX FIREWALL Version 6.1(4), what is the impact of this command?
access-list acl_out permit ip 10.10.0.0 255.255.0.0 10.15.0.0 255.255.0.0
access-group in interface outside
does it mean that t
10.10.0.0 255.255.0.0---515E PIX FIREWALL--1750
ROUTER10.15.0.0 255.255.0.0
10.15.0.0 Is the inside network
10.10.10.0 Is the outside network
In CISCO PIX FIREWALL Version 6.1(4), what is the impact of this command?
access-list acl_out permit ip 10.10.0.0 255.255.0.0
Has anyone used the access-list compiled on the pix firewall? Cisco says
that
it optimizes the access-list and make things run smoother if your
access-list is
at least 20 lines long. Has anyone actually measured this on a production
environment?
Advise please
, January 24, 2003 3:46 PM
To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: access-list compiled on Pix firewall
Has anyone used the access-list compiled on the pix firewall? Cisco says
that
it optimizes the access-list and make things run smoother if your
access-list is
at least 20 lines long
According to Cisco's site... The access-list compiled can only be used
with Turbo ACLs on the 7000 series routers.
Please lemme know if I'm wrong! I'd like to use it on my 3640 with acl
gremlins.
-Original Message-
From: Stong, Ian C [GMG] [mailto:[EMAIL PROTECTED]]
Sent: Friday
ct speed/duplex?
Can other devices on same switch communicate with anyone else?
Thanks!
TJ
[EMAIL PROTECTED]
-Original Message-
From: Sam Sneed [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, January 14, 2003 3:43 PM
To: [EMAIL PROTECTED]
Subject: Re: PIX access-list problem
am Sneed [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, January 14, 2003 2:08 PM
To: [EMAIL PROTECTED]
Subject: PIX access-list problem [7:61043]
I cannot seem to get the following config to work and am clueless why. My
incoming access lists for DMZ and outside are wide open. The goal is not
to
NAT
: Wednesday, January 15, 2003 10:20 AM
To: [EMAIL PROTECTED]
Subject: Re: PIX access-list problem [7:61043]
Found problem. I had the 2 PIX's configured for failover. The problem was
that the failover cable was loose on one end so they both flip flopped each
taking control as master. Thanks
nks!
TJ
-Original Message-
From: Sam Sneed [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, January 15, 2003 10:20 AM
To: [EMAIL PROTECTED]
Subject: Re: PIX access-list problem [7:61043]
Found problem. I had the 2 PIX's configured for failover. The problem was
that the failover cable was loos
outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
access-list internal permit ip 172.19.90.0 255.255.255.0 any
access-list test permit ip any any
access-list test permit icmp any any
access-list int-dmz permit ip 172.19.90.0 255.255.255.0 83.23.43.0
: Sam Sneed [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, January 14, 2003 2:08 PM
To: [EMAIL PROTECTED]
Subject: PIX access-list problem [7:61043]
I cannot seem to get the following config to work and am clueless why. My
incoming access lists for DMZ and outside are wide open. The goal is not to
NAT DMZ
This type of NAT is required for incoming connections. I can't get access
going out so I haven't even looked at that yet. Even worse is from
83.23.44.60 (outside interface of PIX) I can't ping 83.23.44.50 which is
outside of the PIX. If you look at my access-list , this should not be a
problem. I
PROTECTED]]
Sent: Tuesday, January 14, 2003 3:43 PM
To: [EMAIL PROTECTED]
Subject: Re: PIX access-list problem [7:61043]
This type of NAT is required for incoming connections. I can't get access
going out so I haven't even looked at that yet. Even worse is from
83.23.44.60 (outside interface of PIX) I
Here is the situation:
I have a 1700 series router and a T1, a cisco switch, and a file server.
I will no longer run Exchange or IIS. How should I configure my router?
Hi Everyone,
I have a 1700 Cisco router connected to a T1. I would like to lock it
down and only allow port 80 to transmit data for security purposes.
Any suggestions would be great.
Thanks
To allow out only traffic sourced from TCP port 80:
!
access-list 100 permit tcp any eq 80 any
!
interface serial 0
ip access-group 100 out
!
That's how you would do it, but it's extremely unusual
to suppress traffic based on source ports...
-Original Message-
From: [EMAIL PROTECTED
so, no other outbound traffic at all, nothing else from the corp lan? You
want people on the lan to be able to web surf or do you want to run a web
server and allow that traffic thru? Just want to dbl check.
Bri
On Mon, 30 Dec 2002, James Gruggett wrote:
Hi Everyone,
I have a 1700
I was running an Exchange server and someone hacked in. I am trying to
secure the network. What do you recommend?
Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=59987t=59975
as
such:
access-list 100 permit tcp any any eq 80
Thanks,
Mario Puras
SoluNet Technical Support
Mailto: [EMAIL PROTECTED]
Direct: (321) 309-1410
888.449.5766 (USA) / 888.SOLUNET (Canada)
-Original Message-
From: Sabertech Cisco Training [mailto:[EMAIL PROTECTED]]
Sent: Monday
to signify destination
port of 80 as
such:
access-list 100 permit tcp any any eq 80
Depends on your security policy. He said he wanted to block port 80
transmitting, implying a source port of 80. This might be a policy for a
network where internal users aren't allowed out, but there is a Web
thought I have
natting straight through and open the port with the access list, any
suggestions? Attached is the config minus any public IPs etc.
The latest thing TAC had me do was remove access list 160 from the E0
interface and is reflected in the config below. When the access list was
applied, I
You are assuming that I (and others in this discussion) do not know how to
figure out wild card masks, which is not the focus of the question. Please,
take a step back and really try to listen. I appreciate your opinion and I
am very grateful that you are taking the time help. But, you are not
Thank you Brian that was why it did not work. Now it is working .
- Original Message -
From: Brian Dennis
To: 'John Tafasi' ; 'Cisco Group Study'
; 'ccielab'
Sent: Saturday, December 14, 2002 12:35 PM
Subject: RE: problem with reflexive access list
You also misspelled outboundfilter
Ted,
Did you ever get any feedback on this? I have never heard of the frp
keyword in an access-list command.
Josh
-Original Message-
From: Ted Marinich [mailto:[EMAIL PROTECTED]]
Sent: Saturday, December 07, 2002 5:47 PM
To: [EMAIL PROTECTED]
Subject: Re: Darth Reid R1 Access-list [7
Josh,
No I never have. frp is a typo - should be FTP.
access-list 101 deny tcp host 135.152.1.1 eq ftp any
access-list 101 deny tcp host 135.152.1.1 eq http any
access-list 101 deny tcp 131.24.194.0 0.1.1.255 eq ftp any
access-list 101 deny tcp 131.24.194.0 0.1.1.255 eq http any
access-list
Ted Marinich wrote in message
news:[EMAIL PROTECTED]...
Josh,
No I never have. frp is a typo - should be FTP.
CL: I believe I gave a good pointer and a good start in my earlier reply.
access-list 101 deny tcp host 135.152.1.1 eq ftp any
access-list 101 deny
: problem with reflexive access list
I tried that too and it did not work.
- Original Message -
From: Brian Dennis
To: 'John Tafasi' ; 'Cisco Group Study'
; 'ccielab'
Sent: Friday, December 13, 2002 11:56 PM
Subject: RE: problem with reflexive access list
John,
By default packets sourced
Hello,
I have a problem telneting from r5 to r2 when reflexive ip access list is
configured. Without the reflexive access list, the telnet will work fine.
The two routers are directly connect via their ethernet 0 interfaces. Could
some one find out what is wrong with my configuration. Both
, CCIE #2210 (RS/ISP Dial/Security)
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of
John Tafasi
Sent: Friday, December 13, 2002 4:32 PM
To: Cisco Group Study; ccielab
Subject: problem with reflexive access list
Hello,
I have a problem telneting from r5 to r2
I tried that too and it did not work.
- Original Message -
From: Brian Dennis
To: 'John Tafasi' ; 'Cisco Group Study'
; 'ccielab'
Sent: Friday, December 13, 2002 11:56 PM
Subject: RE: problem with reflexive access list
John,
By default packets sourced by the router
Do you even need to specify the source port? Why wouldn't you just do:
access-list 101 permit tcp any any eq telnet?
Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=59015t=58750
--
FAQ, list archives, and subscription info: http
access-list in/ out [7:58750]
Do you even need to specify the source port? Why wouldn't you just do:
access-list 101 permit tcp any any eq telnet?
Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=59021t=58750
--
FAQ, list
guys,
Please explain, how to apply extended access-list so as to permit inbound
and outbound telnet access.
I want to apply the access list to same interface in and out.
Thanks,
neil.
Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=58750t=58750
OK,
The question is deny FTP and HTTP for these addresses:
131.24.194.x, 131.25.194.x, 135.152.1.1, 131.24.195.x, 131.24.193.x
Use least amount of lines in your ACL.
To match EXACTLY what the question asks with the minimum ACL, I come up with
this:
access-list 101 deny tcp host 135.152.1.1 eq
neil what you can do to allow both outbound and incoming telnet access by
using the command:
access-list 101 permit tcp any eq telnet any eq telnet
ip access-group 101 in/out whichever interface you would want to put this on.
I haven't tried this yet but I think this will work. It allows source
This won't work because the source packet does not have a source port of 23
what you need to do is
access-list 101 permit tcp any gt 1023 any eq telnet (this is for inbound )
from memory traffic originating from router will not be bound by an ACL so
your out bound traffic should be alright
Correct me if I'm wrong, but I can't see why this is the right answer. Does
anyone have a different answer to question VII -1???
It seems as though too many other networks are able to pass through using
this answer - can't be right.
I grabbed the answer from cisco's web via the URL found in the
write it out in binary and study it until you understand why it is or is not
correct.
what - you expect someone else to do the work for you? how are you going to
learn?
Ted Marinich wrote in message
news:[EMAIL PROTECTED]...
Correct me if I'm wrong, but I can't see why this
Follow-up Question:
Barring intentional obfuscation, why would anyone actually use that
wildcard mask in an access list instead of a longer more readable
alternative?
Jarett
The Long and Winding Road wrote in
message news:[EMAIL PROTECTED]...
write it out i
J.D. Chaiken wrote in message
news:[EMAIL PROTECTED]...
Follow-up Question:
Barring intentional obfuscation, why would anyone actually use that
wildcard mask in an access list instead of a longer more readable
alternative?
CL: since the publication of RFC 1812
Barring intentional obfuscation, why would anyone actually use that
wildcard mask in an access list instead of a longer more readable
alternative?
CL: since the publication of RFC 1812, the so called whacky wildcard
masks
are not supported. In other words, for a router
sication, why would anyone actually use
that
wildcard mask in an access list instead of a longer more readable
alternative?
CL: since the publication of RFC 1812, the so called whacky wildcard
masks
are not supported. In other words, for a router to be RFC1812 compliant,
it
should no
The Long and Winding Road:
As you can see from my original post, the binary equivalents are represented
in decimal format one octet at a time. The question is - has anyone
approached this question from a different angle to get a more realistic
answer.
The first octet should allow 131 and 135
1 - 100 of 773 matches