Please help me explain the following two access lists


1)

access-list 101 deny icmp any 10.1.1.0 0.0.0.255 echo

access-list 101 permit ip any 10.1.1.0 0.0.0.255

int e0/1

ip add 172.16.1.2 255.255.255.0

ip access-group 101 in


2)

ip access-list extended NET

deny tcp any any gt 1024 established

permit ip any any


regards

Neo

Correct Answer by Peter Paluch, Sat, 08/29/2009 - 00:38

Hi Neo,


The first access list blocks all ICMP PING requests sent from any source to addresses in the network 10.1.1.0/24. All other traffic to the network 10.1.1.0/24 is permitted.


The second access list blocks all TCP segments whose destination port is higher than 1024 and that have the 'ACK' or 'RST' flag set (the 'established' keyword). In essence, it blocks all TCP answers to connections that have been initiated from ports higher than 1024. All other traffic will be permitted.


Best regards,

Peter


sarahr202 Sat, 08/29/2009 - 09:24

Hi Peter


I just got a quick question.


access-list 101 deny icmp any 10.1.1.0 0.0.0.255 echo


My understanding is:


Any packet that has any source address, uses ICMP, and has a destination address in 10.1.1.0/24 should be denied. I omitted "echo" as I don't know where it fits.


Could you please help me with that?


Thanks

sarahr202 Sat, 08/29/2009 - 09:28

Here is my guess.


Deny all ICMP packets from any source that request an echo reply from any host in 10.1.1.0/24.


Am I correct?


Thanks

Peter Paluch Sat, 08/29/2009 - 09:31

Hello Sarah,


You got it correct - that one particular line denies ICMP packets that are


1.) sent from any source (any)

2.) go to 10.1.1.0/24 network (10.1.1.0 0.0.0.255)

3.) their type is ECHO - this is the message type of a PING request


The ICMP messages do not have ports like TCP or UDP do. They have only types. If you want to match an ICMP message of a particular type, you write its name at the end of the access list entry like the one here.


Best regards,

Peter


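To make the matching rules in the two answers above concrete, here is a small Python evaluator that walks the two access lists from the question with IOS first-match semantics: entries are tested top-down, the first match decides, and anything unmatched hits the implicit deny at the end of every ACL. This is an added example, not code from the thread or from Cisco; the packet tuples, the hosts and the port numbers below are constructed for illustration. It shows the three things the answers explain: a wildcard mask match (0.0.0.255 covers 10.1.1.0/24), an ICMP entry that matches on type rather than port ("echo" is type 8), and the "established" keyword, which matches only TCP segments carrying ACK or RST.

```python
"""Toy evaluator for the two Cisco IOS ACLs discussed in this thread.

Added example (not from the original posts). The IOS syntax in the comments
is real; the Packet/Entry classes and every address, port and flag value
used in the demo are constructed for illustration.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import Optional

ICMP_ECHO = 8        # ICMP type matched by the "echo" keyword (PING request)
ICMP_ECHO_REPLY = 0  # ICMP type matched by the "echo-reply" keyword
TCP_SYN = 0x02
TCP_RST = 0x04
TCP_ACK = 0x10


@dataclass
class Packet:
    src: str
    dst: str
    proto: str                       # "icmp", "tcp" or "udp"
    icmp_type: Optional[int] = None  # only meaningful for ICMP
    dst_port: Optional[int] = None   # only meaningful for TCP/UDP
    tcp_flags: int = 0               # bitmask of TCP_* values


@dataclass
class Entry:
    action: str                      # "permit" or "deny"
    proto: str                       # "ip" matches every protocol
    src: tuple                       # (address, wildcard mask)
    dst: tuple                       # (address, wildcard mask)
    icmp_type: Optional[int] = None  # e.g. ICMP_ECHO for "echo"
    dst_port_gt: Optional[int] = None  # "gt N" on the destination port
    established: bool = False        # "established": ACK or RST must be set


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """IOS wildcard mask: a 1 bit means 'don't care', a 0 bit must match."""
    a, b, w = (int(IPv4Address(x)) for x in (addr, base, wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (b & care)


def entry_matches(e: Entry, p: Packet) -> bool:
    """Every field configured on the entry must agree with the packet."""
    if e.proto != "ip" and e.proto != p.proto:
        return False
    if not wildcard_match(p.src, *e.src) or not wildcard_match(p.dst, *e.dst):
        return False
    if e.icmp_type is not None and p.icmp_type != e.icmp_type:
        return False
    if e.dst_port_gt is not None:
        if p.dst_port is None or p.dst_port <= e.dst_port_gt:
            return False
    # "established" is true only for segments with ACK or RST set, so the
    # very first SYN of a connection never matches such an entry.
    if e.established and not (p.tcp_flags & (TCP_ACK | TCP_RST)):
        return False
    return True


def evaluate(acl: list, p: Packet) -> str:
    """First matching entry wins; no match means the implicit 'deny ip any any'."""
    for e in acl:
        if entry_matches(e, p):
            return e.action
    return "deny"


ANY = ("0.0.0.0", "255.255.255.255")
NET_10_1_1 = ("10.1.1.0", "0.0.0.255")

# access-list 101 deny icmp any 10.1.1.0 0.0.0.255 echo
# access-list 101 permit ip any 10.1.1.0 0.0.0.255
ACL_101 = [
    Entry("deny", "icmp", ANY, NET_10_1_1, icmp_type=ICMP_ECHO),
    Entry("permit", "ip", ANY, NET_10_1_1),
]

# ip access-list extended NET
#  deny tcp any any gt 1024 established
#  permit ip any any
ACL_NET = [
    Entry("deny", "tcp", ANY, ANY, dst_port_gt=1024, established=True),
    Entry("permit", "ip", ANY, ANY),
]

if __name__ == "__main__":
    # Constructed sample packets; src 172.16.1.9 is just an arbitrary outside host.
    samples = [
        ("101 ping request to 10.1.1.5", ACL_101,
         Packet("172.16.1.9", "10.1.1.5", "icmp", icmp_type=ICMP_ECHO)),
        ("101 ping reply to 10.1.1.5", ACL_101,
         Packet("172.16.1.9", "10.1.1.5", "icmp", icmp_type=ICMP_ECHO_REPLY)),
        ("101 ping request to 10.1.2.5", ACL_101,
         Packet("172.16.1.9", "10.1.2.5", "icmp", icmp_type=ICMP_ECHO)),
        ("NET SYN to port 8080", ACL_NET,
         Packet("172.16.1.9", "10.9.9.9", "tcp", dst_port=8080, tcp_flags=TCP_SYN)),
        ("NET ACK to port 8080", ACL_NET,
         Packet("172.16.1.9", "10.9.9.9", "tcp", dst_port=8080, tcp_flags=TCP_ACK)),
    ]
    for label, acl, pkt in samples:
        print(f"{label:32s} -> {evaluate(acl, pkt)}")
```

The third sample packet in the demo is worth noting: a PING to 10.1.2.5 is not stopped by the explicit deny (wrong destination network) but is still dropped, because the only permit in ACL 101 is also scoped to 10.1.1.0/24 and the implicit deny catches everything else. In the NET list the SYN that opens a connection to port 8080 is permitted while the ACK segments that follow are dropped, which is exactly the "blocks the answers" behaviour described in the answer.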