New Member

Please help me explain the following two access lists

1)

access-list 101 deny icmp any 10.1.1.0 0.0.0.255 echo
access-list 101 permit ip any 10.1.1.0 0.0.0.255
int e0/1
 ip add 172.16.1.2 255.255.255.0
 ip access-group 101 in

2)

ip access-list extended NET
 deny tcp any any gt 1024 established
 permit ip any any

regards

Neo

ACCEPTED SOLUTION
Cisco Employee

Re: Please help me explain the following two access lists

Hi Neo,

The first access list blocks all ICMP PING requests sent from any source to addresses in the network 10.1.1.0/24. All other traffic to the network 10.1.1.0/24 is permitted.

The second access list blocks all TCP segments whose destination port is higher than 1024 and that have the 'ACK' or 'RST' flag set (the 'established' keyword). In essence, it blocks all TCP answers to connections that have been initiated from ports higher than 1024. All other traffic will be permitted.

Best regards,

Peter

4 REPLIES

Bronze

Re: Please help me explain the following two access lists

Hi Peter

I just got a quick question.

access-list 101 deny icmp any 10.1.1.0 0.0.0.255 echo

My understanding is:

Any packet that has any source address, uses ICMP, and has a destination address in 10.1.1.0/24 should be denied. I omitted "echo" as I don't know where it fits.

Could you please help me with that ?

Thanks

Bronze

Re: Please help me explain the following two access lists

Here is my guess.

Deny all ICMP packets from any source that request an echo reply from any host in 10.1.1.0/24.

Am I correct?

Thanks

Cisco Employee

Re: Please help me explain the following two access lists

Hello Sarah,

You got it correct - that one particular line denies ICMP packets that

1.) are sent from any source (any)
2.) go to the 10.1.1.0/24 network (10.1.1.0 0.0.0.255)
3.) have type ECHO - this is the message type of a PING request

The ICMP messages do not have ports like TCP or UDP do. They have only types. If you want to match an ICMP message of a particular type, you write its name at the end of the access list entry like the one here.

Best regards,

Peter
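To make the matching rules from this thread concrete, here is an added Python model of the two lists (written for this page, not IOS code or Cisco's implementation). It applies the wildcard-mask comparison, the ICMP type keyword Peter describes, the 'established' check (ACK or RST set, so a new inbound SYN is not matched) and the implicit deny that ends every Cisco ACL; the packet dictionaries and ACL tables are constructed sample data.

```python
from ipaddress import IPv4Address

def _int(addr):
    return int(IPv4Address(addr))

def wildcard_match(addr, network, wildcard):
    """Cisco wildcard mask: 0 bits must match, 1 bits are 'don't care'."""
    return (_int(addr) | _int(wildcard)) == (_int(network) | _int(wildcard))

def entry_matches(entry, pkt):
    """Does one ACL entry match the packet? Every condition must hold."""
    if entry["proto"] != "ip" and entry["proto"] != pkt["proto"]:
        return False
    if not wildcard_match(pkt["dst"], entry["dst"], entry["dst_wc"]):
        return False
    # ICMP has no ports; the trailing keyword (echo, echo-reply, ...) matches the type
    if "icmp_type" in entry and pkt.get("icmp_type") != entry["icmp_type"]:
        return False
    if "dst_port_gt" in entry and pkt.get("dst_port", 0) <= entry["dst_port_gt"]:
        return False
    # 'established' matches only segments with ACK or RST set, i.e. replies,
    # never the initial SYN of a new connection
    if entry.get("established") and not (pkt.get("flags", set()) & {"ACK", "RST"}):
        return False
    return True

def evaluate(acl, pkt):
    """First matching entry wins; an ACL ends with an implicit deny."""
    for entry in acl:
        if entry_matches(entry, pkt):
            return entry["action"]
    return "deny"

# Constructed models of the two lists from the question.
ACL_101 = [  # access-list 101
    {"action": "deny", "proto": "icmp", "dst": "10.1.1.0", "dst_wc": "0.0.0.255", "icmp_type": "echo"},
    {"action": "permit", "proto": "ip", "dst": "10.1.1.0", "dst_wc": "0.0.0.255"},
]
ACL_NET = [  # ip access-list extended NET
    {"action": "deny", "proto": "tcp", "dst": "0.0.0.0", "dst_wc": "255.255.255.255",
     "dst_port_gt": 1024, "established": True},
    {"action": "permit", "proto": "ip", "dst": "0.0.0.0", "dst_wc": "255.255.255.255"},
]

def pkt(proto, dst, **fields):
    """Constructed sample packet; both lists use 'any' source, so only the destination matters."""
    return {"proto": proto, "dst": dst, **fields}
```

Note that a PING to a host outside 10.1.1.0/24 is dropped by access-list 101 as well, not because of the echo line but because nothing permits it before the implicit deny.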
