[c-nsp] Access-list application
Volodymyr Yakovenko
vovik at dumpty.org
Tue Sep 21 15:33:03 EDT 2004
On Tue, Sep 21, 2004 at 02:02:39PM -0400, Rodney Dunn wrote:
>On Tue, Sep 21, 2004 at 11:15:39PM +0530, Amol Sapkal wrote:
>> Quick question: Does an interface access-list apply to traffic
>> generated from a router? Say a ping, if icmp is blocked, or a telnet
>> to a site on port 80, if port 80 is blocked.
>
>On egress from the router no.
It does work for Loopbacks:
interface Loopback1
 ip address 172.21.255.2 255.255.255.255
 ip access-group NOME in
 ip access-group NOME out
 h323-gateway voip interface
 h323-gateway voip id dp-gk1 ipaddr 172.21.255.1 1719
 h323-gateway voip h323-id dp-msc-cis2
 h323-gateway voip tech-prefix 1#

ip access-list extended NOME
 deny tcp host 172.21.255.2 host 172.21.255.2 eq 1720
 permit ip any any

dp-msc-cis2#sh ip access-lists NOME
Extended IP access list NOME
    deny tcp host 172.21.255.2 host 172.21.255.2 eq 1720 (36 matches)
    permit ip any any (36 matches)
>Why? Because it's assumed that the router sending a packet
>out is always a valid one.
>
>We considered an option for them to match on the traffic
>but since the below workaround does the job it never
>went further.
>
>You can force it to do so by defining a route-map, matching
>the traffic, and configuring "ip local policy <route-map>".
>
>Rodney
>
>
>>
>> Detailed: If no, why?
>>
>>
>>
>> --
>> Warm Regds,
>>
>> Amol Sapkal
>>
>> --------------------------------------------------------------------
>> An eye for an eye makes the whole world blind
>> - Mahatma Gandhi
>> --------------------------------------------------------------------
>> _______________________________________________
>> cisco-nsp mailing list cisco-nsp at puck.nether.net
>> https://puck.nether.net/mailman/listinfo/cisco-nsp
>> archive at http://puck.nether.net/pipermail/cisco-nsp/
--
Regards,
Volodymyr.
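The local policy routing workaround Rodney describes, written out as a complete configuration. This is an added example, not configuration from either poster; the names LOCAL-DENY and LOCAL-POLICY and the chosen match criteria (router-sourced HTTP and ICMP echo, the cases in Amol's question) are assumptions for illustration.

```cisco
! Added example (not from the thread): force locally generated packets
! through an ACL via local policy routing, since an interface
! access-group does not see router-originated traffic on egress.
!
! In a route-map, ACL "permit" means "this packet matches the clause".
! Select the router-sourced traffic to be dropped here.
ip access-list extended LOCAL-DENY
 permit tcp any any eq 80
 permit icmp any any echo
!
! Packets matching LOCAL-DENY are policy-routed to Null0 and discarded.
! Packets that match no permit clause are forwarded normally; there is
! no implicit deny in policy routing.
route-map LOCAL-POLICY permit 10
 match ip address LOCAL-DENY
 set interface Null0
!
! Applies only to packets the router itself generates, not transit traffic.
ip local policy route-map LOCAL-POLICY
```

After applying it, "show route-map LOCAL-POLICY" reports policy-routing match counters, which is the quickest way to confirm that router-originated packets are actually hitting the clause rather than bypassing it.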