> -----Original Message-----
> From: Palitha Weerakkody 
> [mailto:[EMAIL PROTECTED]]
> Sent: Monday, 21 August 2000 9:37 AM
> To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
> Subject: RE: Access-Lists
> 
> 
> Hi intekhab,
> 
> I'm also new to this field.
> 1. access-list 121 deny ip X.X.X.0 0.0.0.192 any log
> 2. access-list 121 permit tcp any host X.X.X.X eq 25 log
> 3. access-list 121 permit tcp any host X.X.X.X eq 53 log
> 4. access-list 121 permit udp any host X.X.X.X eq 53 log
> 5. access-list 121 permit icmp any any log
> 6. access-list 121 permit tcp any any log
> 7. access-list 121 deny ip any any log
> 
> As far as I understand, when you block IP you can't ping, so try
> "access-list 121 permit ip any any log".
> 
> On your rule 1 you deny ip access to a specific host or subnet,
> but on rule 7 you deny ip to all, so I think there is no point in
> putting rule 1. Same with rules 2, 3 and 4, because you permit tcp
> to all on rule 6. I think you shouldn't permit tcp any any, only
> allow what you want. Someone can correct me if I am wrong.

OK - you're wrong. 8)

Rule 1 denies access _FROM_ a specific subnet - I'm assuming that it's an
anti-spoof thing.

Rule 7 is an explicit default deny - it's not necessary, but it makes
things clearer.

You're right - rules 2 and 3 are redundant, but rule 4 isn't - rule 4 is
UDP, which won't be permitted by rule 6.

Rule 5 allows ICMP, so ping should work. Adding permit ip any any statements
is a pretty poor idea.

Rule 6 is probably a bad idea too - so you got that bit right. Permit tcp
any any established would probably be better.

It's a pretty open set of ACLs, so there's no reason why they wouldn't work
for ping and HTTP if everything else is right (routing works, ACL applied in
the right place etc etc).

Looks like someone's already offered to help out-of-band though, so it's a
router issue from here.

> 
> Thanks
> 
> Palitha
> MCP CCNA
> 

I don't want to stifle your helpful instincts, but I think you should expand
your ACL knowledge a fair bit before you start fielding questions..

Cheers,

--
Ben Nagy
Network Consultant, Volante Solutions
PGP Key ID: 0x1A86E304  Mobile: +61 414 411 520  
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
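The points argued above (first-match evaluation, rule 4 not being covered by rule 6 because it is UDP, rules 2/3/7 being redundant, and "established" as a tighter form of rule 6) can be checked mechanically. The following is an added example, not code from the thread: a small Python evaluator for Cisco-style extended ACL lines with wildcard masks and the implicit deny at the end. It approximates IOS semantics (only `any`/`host`/wildcard addresses, `eq` ports and `established`; no port ranges or other operators), and the addresses are constructed from RFC 5737 test ranges in place of the X.X.X.X placeholders in the post.

```python
"""First-match evaluator for the extended ACL discussed in the thread (added example).
Addresses are constructed: 192.0.2.0/24 stands in for the X.X.X.* network, 192.0.2.10
for the mail/DNS host, 198.51.100.7 for an outside client."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

def _ip_int(s: str) -> int:
    return int(ipaddress.IPv4Address(s))

@dataclass
class Rule:
    number: int            # position in the list, used to report which line matched
    action: str            # "permit" or "deny"
    proto: str             # "ip", "tcp", "udp" or "icmp"
    src: tuple             # (address, wildcard) as ints; "any" is (0, 0xFFFFFFFF)
    dst: tuple
    sport: Optional[int]   # "eq N" after the source address, if present
    dport: Optional[int]   # "eq N" after the destination address, if present
    established: bool      # match only TCP segments with ACK (or RST) set

def _take_addr(tokens: list) -> tuple:
    t = tokens.pop(0)
    if t == "any":
        return (0, 0xFFFFFFFF)
    if t == "host":
        return (_ip_int(tokens.pop(0)), 0)
    return (_ip_int(t), _ip_int(tokens.pop(0)))   # "A.B.C.D W.W.W.W" with a wildcard mask

def _take_port(tokens: list) -> Optional[int]:
    if tokens and tokens[0] == "eq":
        tokens.pop(0)
        return int(tokens.pop(0))
    return None

def parse_rule(line: str, number: int) -> Rule:
    t = line.split()
    if t[0] != "access-list" or t[2] not in ("permit", "deny"):
        raise ValueError(f"not an extended ACL line: {line}")
    action, proto, rest = t[2], t[3], t[4:]
    src = _take_addr(rest); sport = _take_port(rest)
    dst = _take_addr(rest); dport = _take_port(rest)
    return Rule(number, action, proto, src, dst, sport, dport, "established" in rest)

def _addr_match(spec: tuple, ip: int) -> bool:
    addr, wild = spec
    care = ~wild & 0xFFFFFFFF          # 1-bits in the wildcard mask are "don't care"
    return ip & care == addr & care

def rule_matches(r: Rule, pkt: dict) -> bool:
    if r.proto != "ip" and r.proto != pkt["proto"]:
        return False
    if not (_addr_match(r.src, _ip_int(pkt["src"])) and _addr_match(r.dst, _ip_int(pkt["dst"]))):
        return False
    if r.sport is not None and pkt.get("sport") != r.sport:
        return False
    if r.dport is not None and pkt.get("dport") != r.dport:
        return False
    if r.established and not pkt.get("ack", False):
        return False
    return True

def evaluate(rules: list, pkt: dict) -> tuple:
    """First matching line wins; every IOS ACL ends in an implicit deny (reported as None)."""
    for r in rules:
        if rule_matches(r, pkt):
            return r.action, r.number
    return "deny", None

def without(rules: list, number: int) -> list:
    return [r for r in rules if r.number != number]

def is_redundant(rules: list, number: int, packets: list) -> bool:
    """True if dropping line `number` changes no verdict on the given sample packets."""
    trimmed = without(rules, number)
    return all(evaluate(rules, p)[0] == evaluate(trimmed, p)[0] for p in packets)

# The seven lines from the post, with constructed addresses.
ACL_LINES = [
    "access-list 121 deny ip 192.0.2.0 0.0.0.192 any log",
    "access-list 121 permit tcp any host 192.0.2.10 eq 25 log",
    "access-list 121 permit tcp any host 192.0.2.10 eq 53 log",
    "access-list 121 permit udp any host 192.0.2.10 eq 53 log",
    "access-list 121 permit icmp any any log",
    "access-list 121 permit tcp any any log",
    "access-list 121 deny ip any any log",
]
ACL = [parse_rule(l, i + 1) for i, l in enumerate(ACL_LINES)]

# Same list with line 6 replaced by the "established" form suggested in the reply.
ESTABLISHED_LINES = ACL_LINES[:5] + ["access-list 121 permit tcp any any established log"] + ACL_LINES[6:]
ACL_ESTABLISHED = [parse_rule(l, i + 1) for i, l in enumerate(ESTABLISHED_LINES)]

# Constructed sample traffic.
PING     = {"proto": "icmp", "src": "198.51.100.7", "dst": "192.0.2.10"}
SMTP     = {"proto": "tcp", "src": "198.51.100.7", "dst": "192.0.2.10", "dport": 25}
DNS_TCP  = {"proto": "tcp", "src": "198.51.100.7", "dst": "192.0.2.10", "dport": 53}
DNS_UDP  = {"proto": "udp", "src": "198.51.100.7", "dst": "192.0.2.10", "dport": 53}
HTTP_SYN = {"proto": "tcp", "src": "198.51.100.7", "dst": "192.0.2.11", "dport": 80}
HTTP_ACK = {"proto": "tcp", "src": "198.51.100.7", "dst": "192.0.2.11", "dport": 80, "ack": True}
SPOOFED  = {"proto": "tcp", "src": "192.0.2.64", "dst": "192.0.2.10", "dport": 25}  # inside address arriving from outside
SAMPLES  = [PING, SMTP, DNS_TCP, DNS_UDP, HTTP_SYN, HTTP_ACK, SPOOFED]

if __name__ == "__main__":
    for name, pkt in zip(["ping", "smtp", "dns/tcp", "dns/udp", "http syn", "http ack", "spoofed"], SAMPLES):
        print(f"{name:9s} -> {evaluate(ACL, pkt)}   established variant -> {evaluate(ACL_ESTABLISHED, pkt)}")
    for n in range(1, 8):
        print(f"line {n} redundant on samples: {is_redundant(ACL, n, SAMPLES)}")
```

Running it shows ping permitted by line 5 and the spoofed source dropped by line 1, UDP DNS falling through to line 7 once line 4 is removed (line 6 is TCP only), lines 2, 3 and 7 changing no verdict when removed, and the `established` variant of line 6 rejecting a fresh inbound HTTP SYN while still passing reply segments.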