08-29-2009 12:31 AM - edited 03-06-2019 07:30 AM
1)
access-list 101 deny icmp any 10.1.1.0 0.0.0.255 echo
access-list 101 permit ip any 10.1.1.0 0.0.0.255
int e0/1
ip add 172.16.1.2 255.255.255.0
ip access-group 101 in
2)
ip access-list extended NET
deny tcp any any gt 1024 established
permit ip any any
regards
Neo
08-29-2009 12:38 AM
Hi Neo,
The first access list blocks all ICMP PING requests sent from any source to addresses in the network 10.1.1.0/24. All other traffic to the network 10.1.1.0/24 is permitted.
The second access list blocks all TCP segments whose destination port is higher than 1024 and that have the 'ACK' or 'RST' flag set (the 'established' keyword). In essence, it blocks all TCP answers to connections that have been initiated from ports higher than 1024. All other traffic will be permitted.
Best regards,
Peter
08-29-2009 09:24 AM
Hi Peter
I just got a quick question.
access-list 101 deny icmp any 10.1.1.0 0.0.0.255 echo
My understanding is:
Any packet that has any source address, uses ICMP, has destination address in 10.1.1.0/24 should be denied. I omitted "echo" as I don't know where it fits.
Could you please help me with that?
Thanks
08-29-2009 09:28 AM
Here is my guess.
Deny all ICMP packets from any source that request echo reply from any host in 10.1.1.0/24.
Am I correct?
Thanks
08-29-2009 09:31 AM
Hello Sarah,
You got it correct - that one particular line denies ICMP packets that are
1.) sent from any source (any)
2.) go to 10.1.1.0/24 network (10.1.1.0 0.0.0.255)
3.) their type is ECHO - this is the message type of a PING request
The ICMP messages do not have ports like TCP or UDP do. They have only types. If you want to match an ICMP message of a particular type, you write its name at the end of the access list entry like the one here.
Best regards,
Peter
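As an added illustration that is not part of this thread, here is a small Python evaluator for the two lists from the original post: it parses the IOS entries, converts the wildcard masks, and applies first-match with the implicit deny at the end, including the 'established' and ICMP-type matching Peter describes. The packet dictionaries it is fed are constructed sample input, and only contiguous wildcards and destination port operators are handled.

```python
import ipaddress

def parse_addr(t):
    """Consume 'any' or 'A.B.C.D WILDCARD' from token list t; return (network, rest)."""
    if t[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), t[1:]
    wild = int(ipaddress.ip_address(t[1]))
    prefix = 32 - bin(wild).count("1")          # 0.0.0.255 -> /24 (assumes a contiguous wildcard)
    return ipaddress.ip_network(f"{t[0]}/{prefix}", strict=False), t[2:]

def parse_entry(line):
    """Parse one ACE (numbered or named style); only destination port operators are handled."""
    t = line.split()
    if t[0] == "access-list":                   # drop 'access-list <number>' of a numbered ACL
        t = t[2:]
    ace = dict(action=t[0], proto=t[1], port=None, icmp_type=None, established=False)
    ace["src"], t = parse_addr(t[2:])
    ace["dst"], t = parse_addr(t)
    while t:
        tok = t.pop(0)
        if tok in ("eq", "gt"):
            ace["port"] = (tok, int(t.pop(0)))
        elif tok == "established":
            ace["established"] = True
        else:
            ace["icmp_type"] = tok              # e.g. 'echo' (type 8) or 'echo-reply' (type 0)
    return ace

def matches(ace, pkt):
    """pkt: dict with proto, src, dst and optional dport, flags (a set) and icmp_type."""
    if ace["proto"] not in ("ip", pkt["proto"]):
        return False
    if ipaddress.ip_address(pkt["src"]) not in ace["src"] or ipaddress.ip_address(pkt["dst"]) not in ace["dst"]:
        return False
    if ace["port"]:
        op, n = ace["port"]
        if not (pkt.get("dport", 0) == n if op == "eq" else pkt.get("dport", 0) > n):
            return False
    # 'established' matches only segments with ACK or RST set (replies), never the opening SYN
    if ace["established"] and not (pkt.get("flags", set()) & {"ACK", "RST"}):
        return False
    return not ace["icmp_type"] or pkt.get("icmp_type") == ace["icmp_type"]

def evaluate(acl, pkt):
    """First matching entry wins; an unmatched packet hits the implicit deny at the end."""
    return next((a["action"] for a in acl if matches(a, pkt)), "deny")

# The two lists from the post, parsed from their IOS text
ACL_101 = [parse_entry(l) for l in ("access-list 101 deny icmp any 10.1.1.0 0.0.0.255 echo", "access-list 101 permit ip any 10.1.1.0 0.0.0.255")]
ACL_NET = [parse_entry(l) for l in ("deny tcp any any gt 1024 established", "permit ip any any")]
```

Feeding it an ICMP echo and an echo-reply to 10.1.1.5 shows why the 'echo' keyword matters: only the request is dropped, the reply still matches the permit line.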