Palitha,
I can tell you, your problem does not lie in those ACLs you mailed to
everyone, but somewhere else... within other ACLs that you did not mail out.
As for these 3 lines:
1> access-list 102 permit icmp any any log
2> access-list 102 deny ip any any log
3> access-list 102 permit tcp any any log ( this rule for I need access to the router)
Line number 3 will never be reached, because everything is blocked by line #2. Not a
good idea to permit telnet into a DMZ router.
If you want to restrict to just echo packets, you can always do a "permit
icmp <source> <dest> eq echo". But be sure to allow the return packets to go
through the other way, by permitting the echo-reply.
I doubt anyone can help much unless we know what other ACLs you have on your
router, and on which interface, inbound/outbound etc.
Regards,
Nic
-----Original Message-----
From: Palitha Weerakkody [mailto:[EMAIL PROTECTED]]
Sent: Monday, August 21, 2000 11:42 AM
To: 'Pang, Nic (FXAP SGP)'; 'Ben Nagy'; [EMAIL PROTECTED]
Subject: RE: Access-Lists
Pang,Ben,
Sorry Ben, I didn't mean to be impolite.
Let me tell you guys what I did.
I created an access-list as below:
access-list 102 permit icmp any any log
access-list 102 deny ip any any log
access-list 102 permit tcp any any log ( this rule for I need access to the router)
Then I tried to ping but I couldn't. I know it works line by line, but my idea
is that it needs IP to work.
I know permit all IP is a bad thing; permit all ICMP is bad as well. If needed, ICMP can be
permitted by code and type as well.
Anyway, someone could try and let us know.
Palitha
-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]]On Behalf Of Pang, Nic (FXAP SGP)
Sent: Monday, 21 August 2000 12:10
To: '[EMAIL PROTECTED]'; 'Ben Nagy';
[EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: RE: Access-Lists
Palitha,
Ben is right. I suggest you read up more on Cisco ACLs.
Cisco ACLs work by going through from line 1 to the last line (line
by line, from 1 to 7). Ping has already been permitted by rule 5, thus a permit
any any is not necessary and definitely not advisable.
By replacing the line with permit ip any any, all IP packets that are not
rejected by rule 1 will be permitted through. If that is your intention, you
can also leave out lines 2->6 because they are all made redundant by "permit
ip any any". Not a good idea, because all IP packets will be allowed through.
By default, Cisco has a hidden last rule, which is deny any any. This rule
is automatically inserted after the last rule. The permit ip any any
overwrites the hidden rule.
Regards,
Nic
.. not a CCNA
-----Original Message-----
From: Palitha Weerakkody [mailto:[EMAIL PROTECTED]]
Sent: Monday, August 21, 2000 9:46 AM
To: 'Ben Nagy'; [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: RE: Access-Lists
Hi Ben,
You seem to be a champ.
Well, could you add this to your router access list " deny ip any any log "
and try to ping. If you can't ping, can I ask you to read about the protocol
again before you start fielding questions. ICMP relies on IP.
Thanks
Palitha
-----Original Message-----
From: Ben Nagy [mailto:[EMAIL PROTECTED]]
Sent: Monday, 21 August 2000 10:41
To: '[EMAIL PROTECTED]'; [EMAIL PROTECTED];
[EMAIL PROTECTED]
Subject: RE: Access-Lists
> -----Original Message-----
> From: Palitha Weerakkody
> [mailto:[EMAIL PROTECTED]]
> Sent: Monday, 21 August 2000 9:37 AM
> To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
> Subject: RE: Access-Lists
>
>
> Hi intekhab,
>
> I'm also new to this field.
> 1. access-list 121 deny ip X.X.X.0 0.0.0.192 any log
> 2. access-list 121 permit tcp any host X.X.X.X eq 25 log
> 3. access-list 121 permit tcp any host X.X.X.X eq 53 log
> 4. access-list 121 permit udp any host X.X.X.X eq 53 log
> 5. access-list 121 permit icmp any any log
> 6. access-list 121 permit tcp any any log
> 7. access-list 121 deny ip any any log
>
> As far as my understanding, when you block IP you can't ping. So try "
> access-list 121 permit ip any any log ".
>
> On your rule 1 you deny IP access to a specific host or subnet, but rule 7
> denies IP to all, so I think there is no point putting in rule 1. Same with
> rules 2, 3 and 4 because you permit TCP to all on rule 6. I think you
> shouldn't permit tcp any any, only allow what you want. Someone can correct
> me if I am wrong.
OK - you're wrong. 8)
Rule 1 denies access _FROM_ a specific subnet - I'm assuming that it's an
anti-spoof thing.
Rule 7 is an explicit default deny - it's not necessary, but it makes
things clearer.
You're right - rules 2 and 3 are redundant, but rule 4 isn't - rule 4 is
UDP, which won't be permitted by rule 6.
Rule 5 allows ICMP, so ping should work. Adding permit ip any any statements
is a pretty poor idea.
Rule 6 is probably a bad idea too - so you got that bit right. Permit tcp
any any established would probably be better.
It's a pretty open set of ACLs, so there's no reason why they wouldn't work
for ping and HTTP if everything else is right (routing works, ACL applied in
the right place etc etc).
Looks like someone's already offered to help out-of-band though, so it's a
router issue from here.
>
> Thanks
>
> Palitha
> MCP CCNA
>
I don't want to stifle your helpful instincts, but I think you should expand
your ACL knowledge a fair bit before you start fielding questions.
Cheers,
--
Ben Nagy
Network Consultant, Volante Solutions
PGP Key ID: 0x1A86E304 Mobile: +61 414 411 520
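The ACL semantics argued over in this thread (top-down first match, the hidden deny at the end, a line sitting below "deny ip any any" that is never reached, UDP not being covered by "permit tcp any any", and the "established" keyword Ben suggests) can be checked offline with a small evaluator. This is an added example, not code from any of the posters or from Cisco; it implements only the syntax subset the thread uses, and the X.X.X.x addresses are replaced by constructed placeholders from the 203.0.113.0/24 documentation range (198.51.100.5 plays the outside host).

```python
"""First-match evaluation of Cisco-style extended ACLs plus a never-reached-rule check.
Added example for this thread (not any poster's code).  Supported syntax, the subset
the thread uses: access-list N {permit|deny} {ip|tcp|udp|icmp} SRC DST [eq PORT]
[established] [log], with SRC/DST = any | host A.B.C.D | A.B.C.D WILDCARD."""
from collections import namedtuple
from ipaddress import IPv4Address
from typing import List, Optional, Tuple

ALL_ONES = 0xFFFFFFFF
AddrSpec = namedtuple("AddrSpec", "addr wildcard")       # IOS wildcard: 1 bits = don't care
Packet = namedtuple("Packet", "proto src dst dport established", defaults=(None, False))
Rule = namedtuple("Rule", "action proto src dst dport established")  # proto "ip" = any

def ip(s: str) -> int:
    return int(IPv4Address(s))

def addr_matches(spec: AddrSpec, host: int) -> bool:
    fixed = ~spec.wildcard & ALL_ONES
    return (host & fixed) == (spec.addr & fixed)

def addr_contains(outer: AddrSpec, inner: AddrSpec) -> bool:
    # every bit fixed by `outer` is also fixed by `inner`, with the same value
    fixed = ~outer.wildcard & ALL_ONES
    return (fixed & inner.wildcard) == 0 and (inner.addr & fixed) == (outer.addr & fixed)

def rule_matches(r: Rule, p: Packet) -> bool:
    return (r.proto in ("ip", p.proto)
            and addr_matches(r.src, p.src) and addr_matches(r.dst, p.dst)
            and (r.dport is None or r.dport == p.dport)
            and (not r.established or (p.proto == "tcp" and p.established)))

def rule_covers(outer: Rule, inner: Rule) -> bool:
    # every packet matching `inner` also matches `outer`, whatever the two actions are
    return (outer.proto in ("ip", inner.proto)
            and addr_contains(outer.src, inner.src) and addr_contains(outer.dst, inner.dst)
            and (outer.dport is None or outer.dport == inner.dport)
            and (not outer.established or inner.established))

def _addr(t: List[str], i: int) -> Tuple[AddrSpec, int]:
    if t[i] == "any":
        return AddrSpec(0, ALL_ONES), i + 1
    if t[i] == "host":
        return AddrSpec(ip(t[i + 1]), 0), i + 2
    return AddrSpec(ip(t[i]), ip(t[i + 1])), i + 2

def parse_acl(text: str) -> List[Rule]:
    rules = []
    for line in text.splitlines():
        t = line.split()
        if not t:
            continue
        if t[0] != "access-list" or t[2] not in ("permit", "deny"):
            raise ValueError("unsupported line: " + line)
        src, i = _addr(t, 4)
        dst, i = _addr(t, i)
        dport, est = None, False
        while i < len(t):                       # optional trailing keywords
            if t[i] == "eq":
                dport, i = int(t[i + 1]), i + 2
            elif t[i] == "established":
                est, i = True, i + 1
            elif t[i] == "log":
                i += 1
            else:
                raise ValueError("unsupported keyword: " + t[i])
        rules.append(Rule(t[2], t[3], src, dst, dport, est))
    return rules

def evaluate(rules: List[Rule], p: Packet) -> Tuple[str, Optional[int]]:
    # top-down, first match wins; no match falls to the implicit "deny any any" (index None)
    for idx, r in enumerate(rules):
        if rule_matches(r, p):
            return r.action, idx
    return "deny", None

def unreachable_rules(rules: List[Rule]) -> List[int]:
    # indexes of rules fully covered by a single earlier rule, i.e. never reached
    return [j for j in range(len(rules)) if any(rule_covers(rules[i], rules[j]) for i in range(j))]

# The two ACLs from the thread; 203.0.113.x (TEST-NET-3) stands in for the X.X.X.x values.
ACL_102 = """
access-list 102 permit icmp any any log
access-list 102 deny ip any any log
access-list 102 permit tcp any any log
"""
ACL_121 = """
access-list 121 deny ip 203.0.113.0 0.0.0.192 any log
access-list 121 permit tcp any host 203.0.113.10 eq 25 log
access-list 121 permit tcp any host 203.0.113.10 eq 53 log
access-list 121 permit udp any host 203.0.113.10 eq 53 log
access-list 121 permit icmp any any log
access-list 121 permit tcp any any log
access-list 121 deny ip any any log
"""

if __name__ == "__main__":
    print("ACL 102 lines never reached:", [i + 1 for i in unreachable_rules(parse_acl(ACL_102))])
    print("ACL 121, UDP/123 to the server:",
          evaluate(parse_acl(ACL_121), Packet("udp", ip("198.51.100.5"), ip("203.0.113.10"), 123)))
```

Running it reports line 3 of ACL 102 as never reached (it is fully covered by the "deny ip any any" above it) and shows ACL 121 dropping UDP/123 at rule 7 while still permitting ICMP at rule 5 and UDP/53 at rule 4, which is Ben's point that rule 4 is not redundant. The unreachable check only flags a rule that a single earlier rule covers completely; a rule that is shadowed only by the union of several earlier rules is not detected, so it is a first sanity check rather than a full ACL analysis.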
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]