|
|
| cybertechno 2002-10-28, 10:08 am |
| HI there,
In extended access list why is that we cannot restrict systems using port numbers with IP
Eg:
(config)#accesslist 2 deny IP 10.11.12.0
0.0.0.255
10.11.14.0
0.0.0.255
Now why is that we cannot use a port number to like in the case of telnet(23),ftp (21)etc here for IP. | |
|
|
| edmonds_robert 2002-10-28, 11:41 am |
| quote:
Originally posted by cybertechno
HI there,
In extended access list why is that we cannot restrict systems using port numbers with IP
Eg:
(config)#accesslist 2 deny IP 10.11.12.0
0.0.0.255
10.11.14.0
0.0.0.255
Now why is that we cannot use a port number to like in the case of telnet(23),ftp (21)etc here for IP.
Pseudocyber is correct. If you want to restrict telnet access to the 10.11.14.0 subnet from 10.11.12.0 subnet, use the following access-list:
access-list 100 deny tcp 10.11.12.0 0.0.0.255 10.11.14.0 0.0.0.255 eq telnet
access-list 100 permit ip any any | |
| psimon 2002-10-28, 4:44 pm |
| Or
access-list 100 deny tcp 10.11.12.0 0.0.0.255 10.11.14.0 0.0.0.255 eq 23
access-list 100 permit ip any any | |
| kphua 2002-10-31, 12:40 am |
| IP doesn't have port numbers, only type numbers, e.g. TCP = 6, UDP = 17.
Only Layer 4 transport protocols like TCP & UDP have port numbers. | |
| psimon 2002-10-31, 2:55 pm |
| Hence
access-list 100 deny tcp | |
| drdirt 2002-10-31, 5:38 pm |
| Does this work?
Access-list 101 ip any any 6
?
So the list states IP and it is clear that the 6 refers to type 6=tcp? | |
| chodan 2002-10-31, 6:31 pm |
| quote:
Originally posted by drdirt
Does this work?
Access-list 101 ip any any 6
?
So the list states IP and it is clear that the 6 refers to type 6=tcp?
No it won't work for 2 reasons
you didn't specify permit or deny
and you didn't specify tcp
it will error on the 6 | |
| drdirt 2002-11-01, 12:42 am |
| ooooops on the permit/deny...
I knew better - this type of mistake is always my undoing.
So if you specify IP in an access-list, then you can't use the type 6 or 17 to specify the transport layer protocol. In effect it is like a port number - it is defined at layer 4.
Okay, hope I don't choke tomorrow!!!
drdirt
P.S: Thanks ...sink or swim tomorrow, I am indebted to so many of you!
********************
I wish I can perform tomorrow as well as I have a right to achieve, no more or no less.
After that, may I get an opportunity to challenge myself at the limit of my ability.
******************** | |
| cybertechno 2002-11-01, 7:35 am |
| Thanx Guys!
It cleared the fuzziness I had.and special Thanx to kphua
kphua kphua you were the best. | |
| drdirt 2002-11-01, 5:52 pm |
| That helped me...
I passed today with a 949. It was good to know the access list syntax and application.
Thanks to those who answered here, all. |
|
|
|
