the last line doesn't permit everything, just icmp packets that are not
echo request, since those will be dropped by the second line.  Looks like
the icmp approach is block ping, permit other icmp, which is a common
approach.  First match wins.

        Bri

On Thu, 21 Feb 2002, Justin M. Clark wrote:

> I have the following access list and am trying to make sense of it.  Here is
> what I have so far with what I think the line does.
>
> 1.   access-list 101 deny   icmp any any redirect
> stop all redirects
> 2.   access-list 101 deny   icmp any any echo
> stop ping
> 3.   access-list 101 deny   ip 127.0.0.0 0.255.255.255 any
> stop localhost from going anywhere
> 4.   access-list 101 deny   ip 224.0.0.0 31.255.255.255 any
> stop private address from going anywhere
> 5.   access-list 101 deny   ip xxx.xxx.40.0 0.0.0.255 any
> stop xxx.xxx.40.0/24 from getting to anything
> 6.   access-list 101 permit tcp any any eq telnet
> permit telnet from anywhere
> 7.   access-list 101 permit tcp any any established
> permit anything from established connection
> 8.   access-list 101 permit tcp any host xxx.xxx.43.133 eq smtp
> permit anyone to xxx.xxx.43.113 port 25
> 9.   access-list 101 permit tcp any host xxx.xxx.43.133 eq pop3
> permit anyone to xxx.xxx.43.113 port 110
> 10. access-list 101 permit tcp any host xxx.xxx.43.133 eq ftp
> permit anyone to xxx.xxx.43.113 port 21
> 11. access-list 101 permit ip host XXX.152.0.8 any
> permit external dns servers to go anywhere
> 12. access-list 101 permit ip host XXX.152.16.8 any
> permit external dns servers to go anywhere
> 13. access-list 101 permit tcp any host xxx.xxx.43.134 eq www
> permit anyone to xxx.xxx.43.134 port 80
> 14. access-list 101 permit tcp any host xxx.xxx.43.134 eq 443
> permit anyone to xxx.xxx.43.134 port 443
> 15. access-list 101 permit icmp any any
> permit ping from anywhere to anywhere
>
> this is applied to a serial interface in.
> we have external DNS and internal SMTP and POP3 and WWW
>
> the lines that are confusing me are 1, 2, and 15
> it looks to me that at first it is denying redirects and ping but then on
> line 15 it permits everything.  is this correct?
>
> Also, if you notice anything else that I don't have right could you please
> mention it as well.
>
> thanks,
> Justin
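
The first-match behaviour Bri describes, as an added example that is not part of either post: a small Python evaluator for Cisco-style extended ACL entries that walks the list top-down, stops at the first matching entry, and falls through to the implicit deny. The addresses are RFC 5737 documentation stand-ins for the xxx.xxx values in the thread (constructed, not the poster's real ones); the parser assumes contiguous wildcard masks and does not model source-port qualifiers, which none of the entries use. `established` is treated as "TCP segment with ACK or RST set", which is what the IOS keyword checks.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Keyword-to-number tables for the names used in the ACL above.
PORT_NAMES = {"ftp": 21, "telnet": 23, "smtp": 25, "www": 80, "pop3": 110}
ICMP_TYPES = {"echo-reply": 0, "unreachable": 3, "redirect": 5, "echo": 8}


@dataclass
class Packet:
    proto: str                       # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: Optional[int] = None
    icmp_type: Optional[int] = None
    established: bool = False        # TCP segment with ACK or RST set


@dataclass
class Entry:
    action: str                      # "permit" or "deny"
    proto: str                       # "ip", "tcp", "udp" or "icmp"
    src_net: ipaddress.IPv4Network
    dst_net: ipaddress.IPv4Network
    dport: Optional[int] = None
    icmp_type: Optional[int] = None
    established: bool = False


def _port(tok: str) -> int:
    return PORT_NAMES[tok] if tok in PORT_NAMES else int(tok)


def _addr(tokens: List[str]) -> ipaddress.IPv4Network:
    """Consume one address spec: 'any', 'host A', or 'A WILDCARD'.
    Assumes a contiguous wildcard (bitwise inverse of a subnet mask)."""
    tok = tokens.pop(0)
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if tok == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    wildcard = int(ipaddress.IPv4Address(tokens.pop(0)))
    netmask = ipaddress.IPv4Address(0xFFFFFFFF ^ wildcard)
    return ipaddress.ip_network(f"{tok}/{netmask}", strict=False)


def parse_entry(line: str) -> Entry:
    """Parse 'access-list N permit|deny PROTO SRC DST [eq PORT|established|ICMPTYPE]'."""
    tokens = line.split()
    if tokens[0] != "access-list" or tokens[2] not in ("permit", "deny"):
        raise ValueError(f"not an extended ACL entry: {line}")
    action, proto, rest = tokens[2], tokens[3], tokens[4:]
    entry = Entry(action, proto, _addr(rest), _addr(rest))
    while rest:                      # trailing qualifiers, if any
        tok = rest.pop(0)
        if tok == "eq":
            entry.dport = _port(rest.pop(0))
        elif tok == "established":
            entry.established = True
        elif proto == "icmp":
            entry.icmp_type = ICMP_TYPES[tok] if tok in ICMP_TYPES else int(tok)
        else:
            raise ValueError(f"unsupported qualifier {tok!r} in: {line}")
    return entry


def matches(e: Entry, p: Packet) -> bool:
    """Every qualifier present on the entry must match; 'ip' matches any protocol."""
    if e.proto != "ip" and e.proto != p.proto:
        return False
    if ipaddress.ip_address(p.src) not in e.src_net:
        return False
    if ipaddress.ip_address(p.dst) not in e.dst_net:
        return False
    if e.dport is not None and p.dport != e.dport:
        return False
    if e.established and not p.established:
        return False
    if e.icmp_type is not None and p.icmp_type != e.icmp_type:
        return False
    return True


def evaluate(acl: List[Entry], p: Packet) -> Tuple[str, Optional[int]]:
    """Walk the list top-down; the first matching entry decides.  A packet that
    reaches the end hits the implicit deny every Cisco ACL carries (line None)."""
    for number, e in enumerate(acl, start=1):
        if matches(e, p):
            return e.action, number
    return "deny", None


# The thread's list with constructed RFC 5737 stand-ins for the masked addresses:
# 192.0.2.0/24 = the xxx.xxx.40.0/24 inside net, 203.0.113.133/.134 = the mail and
# web hosts, 198.51.100.8/.16 = the external DNS servers.
ACL_TEXT = """\
access-list 101 deny   icmp any any redirect
access-list 101 deny   icmp any any echo
access-list 101 deny   ip 127.0.0.0 0.255.255.255 any
access-list 101 deny   ip 224.0.0.0 31.255.255.255 any
access-list 101 deny   ip 192.0.2.0 0.0.0.255 any
access-list 101 permit tcp any any eq telnet
access-list 101 permit tcp any any established
access-list 101 permit tcp any host 203.0.113.133 eq smtp
access-list 101 permit tcp any host 203.0.113.133 eq pop3
access-list 101 permit tcp any host 203.0.113.133 eq ftp
access-list 101 permit ip host 198.51.100.8 any
access-list 101 permit ip host 198.51.100.16 any
access-list 101 permit tcp any host 203.0.113.134 eq www
access-list 101 permit tcp any host 203.0.113.134 eq 443
access-list 101 permit icmp any any
"""
ACL = [parse_entry(l) for l in ACL_TEXT.splitlines()]

if __name__ == "__main__":
    samples = [
        ("ping (echo request)", Packet("icmp", "198.51.100.9", "203.0.113.134", icmp_type=8)),
        ("echo reply",          Packet("icmp", "198.51.100.9", "203.0.113.134", icmp_type=0)),
        ("SSH SYN to web host", Packet("tcp", "198.51.100.9", "203.0.113.134", dport=22)),
    ]
    for label, pkt in samples:
        action, number = evaluate(ACL, pkt)
        print(f"{label:20s} -> {action} (line {number or 'implicit deny'})")
```

Running it shows the point of the thread: an echo request stops at line 2, an echo reply to the same host walks past every deny and is permitted by line 15, and a new inbound SSH connection matches nothing and is dropped by the implicit deny. The same walk also shows why line 5 (the anti-spoof deny for the inside network) has to sit above the permits that follow it.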

Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=36133&t=36131
--------------------------------------------------
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]