Bret Koelling 2003-02-22, 5:24 pm
If I set up an ACL like this, will it work to keep the mentioned network out
of the other network other than for DNS and email?
access - list 101 permit tcp 192.15.240.0 0.0.0.255
0.0.0.0 255.255.255.255 eq25
access - list 101 permit tcp 192.15.240.0 0.0.0.255
0.0.0.0 255.255.255.255 eq53
access - list 101 deny any
(I'm working on the threaded case study for Cisco Net Academy Semester 3)
Thanks for any help!
BK
CCIE8122 2003-02-22, 9:23 pm
> If I set up an ACL like this, will it work to keep the mentioned network out
> of the other network other than for DNS and email?
> access - list 101 permit tcp 192.15.240.0 0.0.0.255
> 0.0.0.0 255.255.255.255 eq25
> access - list 101 permit tcp 192.15.240.0 0.0.0.255
> 0.0.0.0 255.255.255.255 eq53
> access - list 101 deny any
> (I'm working on the threaded case study for Cisco Net Academy Semester 3)
Should be
access-list 101 permit tcp 192.15.240.0 0.0.0.255 any eq 25
access-list 101 permit tcp 192.15.240.0 0.0.0.255 any eq 53
access-list 101 permit udp 192.15.240.0 0.0.0.255 any eq 53
This (if applied inbound on the 192.15.250.0 interface) will allow
192.15.240.0/24 to open smtp/dns connections/queries to any other
network, but they cannot do anything else.
The "any" keyword replaces 0.0.0.0 255.255.255.255.
kr
Bret Koelling 2003-02-22, 9:23 pm
kr,
thank you!
bk
Aaron 2003-02-23, 10:24 pm
This is not right. You don't use inverse masks on access-lists, you use
subnet masks.
0.0.0.255 is an inverse mask for things like network statements in OSPF
and other things.
255.255.255.0 is a subnet mask, which is what you should use in an access-list.
"CCIE8122" <none@none.com> wrote in message
news:3E58381C.4030502@none.com...
> > If I set up an ACL like this, will it work to keep the mentioned network out
> > of the other network other than for DNS and email?
> > access - list 101 permit tcp 192.15.240.0 0.0.0.255
> > 0.0.0.0 255.255.255.255 eq25
> > access - list 101 permit tcp 192.15.240.0 0.0.0.255
> > 0.0.0.0 255.255.255.255 eq53
> > access - list 101 deny any
> > (I'm working on the threaded case study for Cisco Net Academy Semester 3)
>
> Should be
>
> access-list 101 permit tcp 192.15.240.0 0.0.0.255 any eq 25
> access-list 101 permit tcp 192.15.240.0 0.0.0.255 any eq 53
> access-list 101 permit udp 192.15.240.0 0.0.0.255 any eq 53
>
>
> This (if applied inbound on the 192.15.250.0 interface) will allow
> 192.15.240.0/24 to open smtp/dns connections/queries to any other
> network, but they cannot do anything else.
>
> The "any" keyword replaces 0.0.0.0 255.255.255.255.
>
> kr
>
CCIE8122 2003-02-23, 11:23 pm
> This is not right. You don't use inverse masks on access-lists, you use
> subnet masks.
>
> 0.0.0.255 is an inverse mask for things like network statements in OSPF
> and other things
>
> 255.255.255.0 is a subnet mask, which is what you should use in an access-list.
I have configured an access-list or two before.
Care to restate your position before you get flamed by just about
everyone in this NG?
kr
Hansang Bae 2003-02-24, 12:23 am
In article <BUg6a.191$b8.188758@news.uswest.net>, aaron_g@qwest.net says...
> This is not right. You don't use inverse masks on access-lists, you use
> subnet masks.
Inverse Mask is the correct answer.
> 0.0.0.255 is an inverse mask for things like network statements in OSPF
> and other things
Like ACLs.
> 255.255.255.0 is a subnet mask, which is what you should use in an access-list.
You can use this in an ACL if you want. It just means that you only
care about the last octet.
--
hsb
"Somehow I imagined this experience would be more rewarding" Calvin
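To make the two points of this thread concrete (the corrected three-line ACL posted above, and the wildcard-mask semantics Hansang describes), here is a small evaluator written as an added example; it is not Cisco code and not from any poster. It models Cisco wildcard matching (a 0 bit means "must match", a 1 bit means "don't care") and the implicit deny at the end of every list; the sample host addresses are assumptions.

```python
import ipaddress

def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Cisco wildcard semantics: wildcard bit 0 = must match, bit 1 = don't care."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (b & care)

def parse_ace(line: str) -> dict:
    """Parse 'access-list N permit|deny PROTO SRC SWC DST DWC [eq PORT]' (well-formed input assumed)."""
    tok = line.split()
    ace = {"action": tok[2], "proto": tok[3]}
    i = 4
    for side in ("src", "dst"):
        if tok[i] == "any":  # 'any' is shorthand for 0.0.0.0 255.255.255.255
            ace[side], i = ("0.0.0.0", "255.255.255.255"), i + 1
        else:
            ace[side], i = (tok[i], tok[i + 1]), i + 2
    ace["dport"] = int(tok[i + 1]) if i < len(tok) and tok[i] == "eq" else None
    return ace

def evaluate(acl_lines, proto, src, dst, dport):
    """First matching entry wins; an unmatched packet hits the implicit deny."""
    for ace in map(parse_ace, acl_lines):
        if ace["proto"] not in ("ip", proto):
            continue
        if not (wildcard_match(src, *ace["src"]) and wildcard_match(dst, *ace["dst"])):
            continue
        if ace["dport"] is not None and ace["dport"] != dport:
            continue
        return ace["action"]
    return "deny"  # implicit deny at the end of every Cisco ACL

# The corrected list as posted in the thread.
ACL_101 = [
    "access-list 101 permit tcp 192.15.240.0 0.0.0.255 any eq 25",
    "access-list 101 permit tcp 192.15.240.0 0.0.0.255 any eq 53",
    "access-list 101 permit udp 192.15.240.0 0.0.0.255 any eq 53",
]

if __name__ == "__main__":
    # Constructed sample flows; the host addresses are assumptions, not from the thread.
    print(evaluate(ACL_101, "tcp", "192.15.240.7", "192.15.250.10", 25))  # permit
    print(evaluate(ACL_101, "udp", "192.15.240.7", "192.15.250.10", 53))  # permit
    print(evaluate(ACL_101, "tcp", "192.15.240.7", "192.15.250.10", 80))  # deny
    # A subnet mask used as the wildcard, as debated in the thread, means
    # only the last octet must match: any x.y.z.0 address hits this entry.
    print(wildcard_match("10.1.2.0", "192.15.240.0", "255.255.255.0"))  # True
```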