Re: ACL 2 access groups on 1 interface



On Apr 20, 8:03 am, "chris" <mandrake...@xxxxxxxxxxxxxxxxxxxx> wrote:
You can't establish a tcp session without bi-directional communication
(syn, ack), so that won't do him any good until he allows the traffic
in both directions in the first place.

The 'established' keyword matches syn/ack & ack so yes, it does work. I'm
using it right now. As I said, his problem is DNS related. No UDP53 .. no
DNS.

access-list 101 permit tcp host x.x.58.16 host 172.16.0.2 eq 22
access-list 101 permit tcp host x.x.2.229 host 172.16.0.2 eq 22
access-list 101 permit tcp host x.x.234.77 host 172.16.0.2 eq 22
access-list 101 permit tcp host x.x.204.13 host 172.16.0.2 eq 22
access-list 101 permit tcp host x.x.19.50 host 172.16.0.2 eq 22
access-list 101 permit tcp host x.x.69.239 host 172.16.0.2 eq 22
access-list 101 permit tcp host x.x.82.71 host 172.16.0.2 eq 22
access-list 101 permit tcp host x.x.212.93 host 172.16.0.2 eq 22
access-list 101 permit tcp host x.x.212.194 host 172.16.0.2 eq 22
access-list 101 permit tcp host x.x.98.114 host 172.16.0.2 eq 22
access-list 101 permit tcp host x.x.210.155 host 172.16.0.2 eq 22
access-list 101 permit tcp host x.x.38.205 host 172.16.0.2 eq 22
access-list 101 permit tcp host x.x.88.20 host 172.16.0.2 eq 22
access-list 101 permit tcp host x.x.254.100 host 172.16.0.2 eq 22
access-list 101 permit tcp host x.x.133.150 host 172.16.0.2 eq 22
access-list 101 permit tcp any any established

Chris.

He doesn't have the same ACL on both in and out of the interface. It
will not work. When the traffic comes one way, it'll be allowed, and
it'll be blocked as it goes the other direction on the interface. I
agree with you if he had one ACL, applied to one direction, or the
same ACL applied to both directions...but not as currently configured.

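To make the disagreement above concrete, here is an added example (not posted by either participant) that models simplified Cisco-style extended ACL matching, including the 'established' keyword, and pushes a TCP three-way handshake through the inbound and outbound ACLs of one interface. Addresses are constructed stand-ins for the x.x.* hosts, the host list is shortened, and the model ignores wildcard masks and the protocol field.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Packet:
    src: str
    dst: str
    dport: int
    flags: frozenset  # TCP flags set on the segment, e.g. {"SYN"} or {"SYN", "ACK"}

@dataclass
class Rule:
    action: str                   # "permit" or "deny"
    src: str                      # host address or "any"
    dst: str
    dport: Optional[int] = None   # None = any destination port (no 'eq')
    established: bool = False     # the 'established' keyword

    def matches(self, p: Packet) -> bool:
        if self.src not in ("any", p.src) or self.dst not in ("any", p.dst):
            return False
        if self.dport is not None and self.dport != p.dport:
            return False
        # 'established' matches only segments with ACK or RST set, never a bare SYN
        return not self.established or bool(p.flags & {"ACK", "RST"})

def permits(acl, p: Packet) -> bool:
    """First matching entry wins; an ACL ends with an implicit deny. None means no ACL applied."""
    if acl is None:
        return True
    return next((r.action == "permit" for r in acl if r.matches(p)), False)

def handshake_completes(acl_in, acl_out, client, server, port, eph=50000) -> bool:
    """Push the three-way handshake through one interface's inbound and outbound ACLs."""
    syn    = Packet(client, server, port, frozenset({"SYN"}))
    synack = Packet(server, client, eph,  frozenset({"SYN", "ACK"}))  # reply to client's ephemeral port
    ack    = Packet(client, server, port, frozenset({"ACK"}))
    return permits(acl_in, syn) and permits(acl_out, synack) and permits(acl_in, ack)

# Constructed stand-in for the thread's ACL 101 (addresses invented, host list shortened)
ACL_101 = [Rule("permit", "10.0.58.16", "172.16.0.2", 22),
           Rule("permit", "10.0.2.229", "172.16.0.2", 22),
           Rule("permit", "any", "any", established=True)]
# A different outbound ACL that says nothing about SSH replies, so the implicit deny hits them
ACL_OUT_OTHER = [Rule("permit", "172.16.0.2", "any", 53)]

def scenarios():
    c, s = "10.0.58.16", "172.16.0.2"
    return {"101 in, no out ACL": handshake_completes(ACL_101, None, c, s, 22),
            "101 in, different out ACL": handshake_completes(ACL_101, ACL_OUT_OTHER, c, s, 22),
            "101 in and out": handshake_completes(ACL_101, ACL_101, c, s, 22)}
```

The three scenarios are Chris's setup (ACL 101 inbound only), the configuration the reply objects to (a different ACL outbound that drops the SYN/ACK), and the same ACL applied in both directions, where 'established' is what lets the SYN/ACK back through.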


