At 03:06 PM 3/9/00 +0000, you wrote:
>Hello:
>         Your problem is that every cisco access-list has an implied
>deny ip any any
>configured as a last rule (by default); in other words, you do not have
>to include it, it is included automatically. So when you applied your
>access-list to the serial0 (outside interface) for every incoming packet
>you permitted only what was specifically permitted and denied everything
>else. Hope this helps.

But, applying it to outbound packets on the ethernet interface (inside) 
should have produced the same results as applying it to incoming packets on 
the serial0 interface (outside), correct?

If I apply it to serial0, for incoming packets, then, since I do not 
restrict outbound packets, wouldn't this list have allowed packets destined 
for ports 22, 25, 53 and > 1023 destined for our firewall?

> > access-list 102 permit tcp 0.0.0.0 255.255.255.255  x.x.x.3 0.0.0.0 gt 1023
> > access-list 102 permit udp 0.0.0.0 255.255.255.255 x.x.x.3 0.0.0.0 gt 1023
> > access-list 102 permit tcp 0.0.0.0 255.255.255.255 x.x.x.3 0.0.0.0 eq 22
> > access-list 102 permit tcp 0.0.0.0 255.255.255.255 x.x.x.3 0.0.0.0 eq 25
> > access-list 102 permit tcp 0.0.0.0 255.255.255.255 x.x.x.3 0.0.0.0 eq 53
> > access-list 102 permit udp 0.0.0.0 255.255.255.255 x.x.x.3 0.0.0.0 eq 53

-----------------------------------------------------------------
Jon Earle                       (613) 612-0946 (Cell)
HUB Computer Consulting Inc.    (613) 830-1499 (Office)
http://www.hubcc.ca             1-888-353-7272 (Within Canada/US)

"God does not subtract from one's allotted time on Earth,
those hours spent flying."       --Unknown

-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
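The two points argued in this exchange, the implicit `deny ip any any` that IOS appends to every access-list and the question of whether an inbound list on serial0 behaves like an outbound list on the ethernet interface, can be checked with a small model. The following is an added example, not code from either poster or from Cisco: it encodes access-list 102 exactly as quoted (source `0.0.0.0 255.255.255.255` read as "any", `x.x.x.3 0.0.0.0` as that single host), evaluates constructed packets first-match, and then models the one difference in placement I am confident of: an inbound ACL is consulted for every packet arriving on that interface, including packets addressed to the router itself, while an outbound ACL is consulted only for packets the router forwards out of that interface. The router address `x.x.x.1`, the second inside host `x.x.x.10` and all packets are constructed for illustration.

```python
# Added example: first-match evaluation of Cisco extended ACL 102 (as quoted in
# the thread) with the implicit "deny ip any any", plus a simplified model of
# where an inbound vs. outbound ACL is consulted. Addresses other than x.x.x.3
# and all packets are constructed for illustration.
from dataclasses import dataclass
from typing import List, Optional

FIREWALL = "x.x.x.3"      # the only destination the quoted list permits
ROUTER_S0 = "x.x.x.1"     # constructed: the router's own serial0 address
INSIDE_HOSTS = {FIREWALL, "x.x.x.10"}   # constructed: hosts reached via ethernet0


@dataclass(frozen=True)
class Packet:
    proto: str              # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: Optional[int]    # None for protocols without ports


@dataclass(frozen=True)
class Rule:
    action: str             # "permit" or "deny"
    proto: str              # "ip" matches every protocol
    dst: Optional[str]      # None means "any"
    port_op: Optional[str]  # "eq", "gt" or None
    port: Optional[int]

    def matches(self, p: Packet) -> bool:
        if self.proto != "ip" and self.proto != p.proto:
            return False
        if self.dst is not None and self.dst != p.dst:
            return False
        if self.port_op == "eq":
            return p.dport == self.port
        if self.port_op == "gt":
            return p.dport is not None and p.dport > self.port
        return True


# access-list 102 as quoted: source "0.0.0.0 255.255.255.255" is any source,
# destination "x.x.x.3 0.0.0.0" is the single host x.x.x.3.
ACL_102: List[Rule] = [
    Rule("permit", "tcp", FIREWALL, "gt", 1023),
    Rule("permit", "udp", FIREWALL, "gt", 1023),
    Rule("permit", "tcp", FIREWALL, "eq", 22),
    Rule("permit", "tcp", FIREWALL, "eq", 25),
    Rule("permit", "tcp", FIREWALL, "eq", 53),
    Rule("permit", "udp", FIREWALL, "eq", 53),
]

# The rule IOS appends to every access-list whether or not you write it.
IMPLICIT_DENY = Rule("deny", "ip", None, None, None)


def evaluate(acl: List[Rule], pkt: Packet) -> str:
    """Return "permit" or "deny": first matching rule wins, implicit deny last."""
    for rule in acl + [IMPLICIT_DENY]:
        if rule.matches(pkt):
            return rule.action
    raise AssertionError("unreachable: the implicit deny matches everything")


def arriving_on_serial0(pkt: Packet, placement: str) -> str:
    """Outcome for a packet arriving from outside on serial0.

    placement is "serial0 in" or "ethernet0 out". Simplified model (an
    assumption of this example): an inbound list is consulted for every
    packet arriving on serial0, including packets addressed to the router;
    an outbound list on ethernet0 is consulted only for packets the router
    forwards out of ethernet0, so router-destined packets never reach it.
    """
    if placement == "serial0 in":
        return evaluate(ACL_102, pkt)
    if placement == "ethernet0 out":
        if pkt.dst in INSIDE_HOSTS:
            return evaluate(ACL_102, pkt)
        return "permit"     # not forwarded out ethernet0, so not filtered
    raise ValueError(f"unknown placement: {placement}")


if __name__ == "__main__":
    samples = [
        Packet("tcp", "203.0.113.5", FIREWALL, 22),     # constructed
        Packet("tcp", "203.0.113.5", FIREWALL, 80),
        Packet("icmp", "203.0.113.5", FIREWALL, None),
        Packet("tcp", "203.0.113.5", "x.x.x.10", 22),
        Packet("tcp", "203.0.113.5", ROUTER_S0, 23),
    ]
    for p in samples:
        print(p, "serial0 in:", arriving_on_serial0(p, "serial0 in"),
              "| ethernet0 out:", arriving_on_serial0(p, "ethernet0 out"))
```

Running it shows the implicit deny at work (port 80 to the firewall, ICMP, and anything for the other inside host are all denied although no deny line was written) and the placement difference: a packet addressed to the router's own serial0 address is denied by the inbound list but never inspected by the outbound list on ethernet0.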