Please help me explain the following two access lists


1)

access-list 101 deny icmp any 10.1.1.0 0.0.0.255 echo

access-list 101 permit ip any 10.1.1.0 0.0.0.255

int e0/1

ip add 172.16.1.2 255.255.255.0

ip access-group 101 in

2)

ip access-list extended NET

deny tcp any any gt 1024 established

permit ip any any

regards

Neo

Peter Paluch
Cisco Employee

Hi Neo,

The first access list blocks all ICMP PING requests sent from any source to addresses in the network 10.1.1.0/24. All other traffic to the network 10.1.1.0/24 is permitted.

The second access list blocks all TCP segments whose destination port is higher than 1024 and that have the 'ACK' or 'RST' flag set (the 'established' keyword). In essence, it blocks all TCP answers to connections that have been initiated from ports higher than 1024. All other traffic will be permitted.

Best regards,

Peter

Hi Peter

I just got a quick question.

access-list 101 deny icmp any 10.1.1.0 0.0.0.255 echo

My understanding is:

Any packet that has any source address, uses ICMP, and has a destination address in 10.1.1.0/24 should be denied. I omitted "echo" as I don't know where it fits.

Could you please help me with that ?

Thanks

Here is my guess.

Deny all ICMP packets from any source that request an echo reply from any host in 10.1.1.0/24.

Am I correct?

Thanks

Hello Sarah,

You got it correct - that one particular line denies ICMP packets that are

1.) sent from any source (any)

2.) go to 10.1.1.0/24 network (10.1.1.0 0.0.0.255)

3.) their type is ECHO - this is the message type of a PING request

The ICMP messages do not have ports like TCP or UDP do. They have only types. If you want to match an ICMP message of a particular type, you write its name at the end of the access list entry like the one here.

Best regards,

Peter
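To see how the entries discussed in this thread actually match, here is an added toy ACL evaluator (my own example, not Cisco's implementation and not code from anyone in this thread). It assumes a simplified packet dictionary, supports only the keywords used above (any, ADDR WILDCARD, eq/gt/lt/neq, ICMP type names, established), and applies the implicit deny that ends every extended ACL.

```python
import ipaddress

# Constructed sample ACLs copied from the thread ('establish' spelled out in full).
ACL_101 = ["deny icmp any 10.1.1.0 0.0.0.255 echo", "permit ip any 10.1.1.0 0.0.0.255"]
ACL_NET = ["deny tcp any any gt 1024 established", "permit ip any any"]

def _addr_matches(tokens, ip):
    """Consume one address spec (any | ADDR WILDCARD) from tokens."""
    spec = tokens.pop(0)
    if spec == "any":
        return True
    base = int(ipaddress.IPv4Address(spec))
    wild = int(ipaddress.IPv4Address(tokens.pop(0)))
    # Wildcard bits set to 1 are "don't care"; all other bits must be equal.
    return ((int(ipaddress.IPv4Address(ip)) ^ base) & ~wild & 0xFFFFFFFF) == 0

def _port_matches(tokens, port):
    """Optional port operator (eq | gt | lt | neq N); absent means any port."""
    if not tokens or tokens[0] not in ("eq", "gt", "lt", "neq"):
        return True
    op, n = tokens.pop(0), int(tokens.pop(0))
    return {"eq": port == n, "gt": port > n, "lt": port < n, "neq": port != n}[op]

def entry_matches(entry, pkt):
    """Return the entry's action ('permit'/'deny') if pkt matches it, else None."""
    tokens = entry.split()
    action, proto = tokens.pop(0), tokens.pop(0)
    # Cisco order: source, [source port], destination, [destination port].
    if not (proto in ("ip", pkt["proto"])
            and _addr_matches(tokens, pkt["src"])
            and _port_matches(tokens, pkt.get("sport", 0))
            and _addr_matches(tokens, pkt["dst"])
            and _port_matches(tokens, pkt.get("dport", 0))):
        return None
    for qual in tokens:  # trailing qualifiers: ICMP type name or 'established'
        if qual == "established":
            # Only segments with ACK or RST set match, i.e. replies, never the initial SYN.
            if not pkt.get("flags", set()) & {"ACK", "RST"}:
                return None
        elif proto == "icmp" and qual != pkt.get("icmp_type"):
            return None
    return action

def evaluate(acl, pkt):
    """First matching entry wins; a packet matching no entry hits the implicit deny."""
    for entry in acl:
        action = entry_matches(entry, pkt)
        if action:
            return action
    return "deny"
```

Running it shows that an echo request to 10.1.1.7 is denied while an echo-reply to the same host is permitted, and that on the NET list an ACK-bearing segment to port 40000 is denied while the SYN that opens a connection to that port passes.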
