Right! The source port in this case is inconsequential as it can be random,
typically 1024 or above. It is the destination port that we are interested
in in this case as that is the port the destination host will accept the
specified request. Since modern access lists are created in a source first
- destination second manner, the "eq www" statement after the second "any"
indicates the destination port.
One other minor note: while it doesn't hurt anything, having the
"access-list 101 permit ip any 172.0.0.0 0.255.255.255" statement is
irrelevant as the following statement covers the permission to the 172.0.0
network as well. In this case it's not a big deal but if you use several
dozen or hundred access lists, having unnecessary extras may add noticeable
overhead.
---
Rik Guyler
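As an added example that is not part of the thread, a small Python matcher applies Bradley's posted ACL and ron's destination-port deny to constructed packets (the source host 10.1.1.5 and the outside address 198.51.100.7 are assumptions), showing that the source-port form only ever matches packets whose *source* port is 80:

```python
import ipaddress

def _in_wild(addr: str, net: str, wildcard: str) -> bool:
    """Cisco wildcard match: a 0 bit in the wildcard means that bit must match."""
    a, n, w = (int(ipaddress.IPv4Address(x)) for x in (addr, net, wildcard))
    return (a & ~w) == (n & ~w)

def _parse_spec(tokens: list) -> tuple:
    """Consume 'any' | 'host A' | 'A WILDCARD', then an optional 'eq PORT'."""
    if tokens[0] == "any":
        net, wild, tokens = "0.0.0.0", "255.255.255.255", tokens[1:]
    elif tokens[0] == "host":
        net, wild, tokens = tokens[1], "0.0.0.0", tokens[2:]
    else:
        net, wild, tokens = tokens[0], tokens[1], tokens[2:]
    port = None
    if tokens and tokens[0] == "eq":
        port, tokens = (80 if tokens[1] == "www" else int(tokens[1])), tokens[2:]
    return (net, wild, port), tokens

def parse_ace(line: str) -> dict:
    """'access-list N action proto SRC [eq P] DST [eq P]' -> matcher fields."""
    t = line.split()
    src, rest = _parse_spec(t[4:])
    dst, _ = _parse_spec(rest)
    return {"action": t[2], "proto": t[3], "src": src, "dst": dst}

def evaluate(acl: list, pkt: dict) -> str:
    """First matching entry wins; a Cisco ACL ends with an implicit deny."""
    for ace in map(parse_ace, acl):
        if ace["proto"] not in ("ip", pkt["proto"]):
            continue
        hit = True
        for side in ("src", "dst"):
            net, wild, port = ace[side]
            hit &= _in_wild(pkt[side], net, wild)
            hit &= port is None or pkt[side + "_port"] == port
        if hit:
            return ace["action"]
    return "deny"

# ACL exactly as posted in the thread; the source-side "eq www" is the bug under discussion.
POSTED_ACL = [
    "access-list 101 permit ip any host 167.216.138.4",
    "access-list 101 deny tcp any eq www any",
    "access-list 101 permit ip any 172.0.0.0 0.255.255.255",
    "access-list 101 permit ip any any",
]
# Same list with ron's destination-port form substituted for the second entry.
FIXED_ACL = POSTED_ACL[:1] + ["access-list 101 deny tcp any any eq www"] + POSTED_ACL[2:]

def request(dst: str, dst_port: int = 80, src_port: int = 40123) -> dict:
    """A user's TCP request from constructed host 10.1.1.5 with an ephemeral source port."""
    return {"proto": "tcp", "src": "10.1.1.5", "src_port": src_port,
            "dst": dst, "dst_port": dst_port}
```

Because ron's deny sits ahead of the 172.0.0.0 permit, HTTP to internal web servers is denied as well; placing that permit above the deny restores it.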
-----Original Message-----
From: ron [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, August 29, 2001 10:09 PM
To: [EMAIL PROTECTED]
Subject: Re: Work-related ACL problem [7:17695]
isn't it supposed to be:
access-list 101 deny tcp any any eq www
ron
----- Original Message -----
From: "Wilson, Bradley"
To: [EMAIL PROTECTED]
Sent: Wed, 29 Aug 2001 12:03:33 -0400
Subject: Work-related ACL problem [7:17695]
Okay gang, this one's work-related so don't feel obligated to help. ;-) I
think it's an interesting thought problem though:
The Problem I'm Trying To Solve: allow access to a particular website
(2.2.2.2) from users on a particular subnet. Do NOT allow them to access
any *other* website. Allow them to access other resources within your
internal network (172.0.0.0).
Here's the ACL I came up with:
access-list 101 permit ip any host 167.216.138.4
access-list 101 deny tcp any eq www any
access-list 101 permit ip any 172.0.0.0 0.255.255.255
access-list 101 permit ip any any
This list was created on an MSFC card running in a 6509 chassis, and has
been applied to interface Vlan1 inbound (I tried outbound as well just for
kicks). The (unintended) result is that users can access both the target
website, as well as other websites on the Internet. Any ideas?
Bradley J. Wilson
CCNP CCDP MCSE NNCSS CNX MCT CTT
EDS/Boston Scientific Account
(508) 650-8739
[EMAIL PROTECTED]
--
FAQ, list archives, and subscription info:
http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=17796&t=17695