[c-nsp] Access-list application
Volodymyr Yakovenko
vovik at dumpty.org
Tue Sep 21 19:27:29 EDT 2004
On Tue, Sep 21, 2004 at 05:36:10PM -0400, Rodney Dunn wrote:
>Never tried it with a loopback.
>
>Is that packet matches for in or out?
Only the inbound ACL actually matches packets.
So your statement about outbound ACLs is right.
>You have the ACL configured in both directions
>with the same src/dst.
>
>On Tue, Sep 21, 2004 at 10:33:03PM +0300, Volodymyr Yakovenko wrote:
>> On Tue, Sep 21, 2004 at 02:02:39PM -0400, Rodney Dunn wrote:
>> >On Tue, Sep 21, 2004 at 11:15:39PM +0530, Amol Sapkal wrote:
>> >> Quick question: Does an interface access-list apply to traffic
>> >> generated from a router? Say a ping, if icmp is blocked, or a telnet
>> >> to a site on port 80, if port 80 is blocked.
>> >
>> >On egress from the router no.
>>
>> It does work for Loopbacks:
>>
>> interface Loopback1
>> ip address 172.21.255.2 255.255.255.255
>> ip access-group NOME in
>> ip access-group NOME out
>> h323-gateway voip interface
>> h323-gateway voip id dp-gk1 ipaddr 172.21.255.1 1719
>> h323-gateway voip h323-id dp-msc-cis2
>> h323-gateway voip tech-prefix 1#
>> ip access-list extended NOME
>> deny tcp host 172.21.255.2 host 172.21.255.2 eq 1720
>> permit ip any any
>>
>> dp-msc-cis2#sh ip access-lists NOME
>> Extended IP access list NOME
>> deny tcp host 172.21.255.2 host 172.21.255.2 eq 1720 (36 matches)
>> permit ip any any (36 matches)
>>
>> >Why? Because it's assumed that the router sending a packet
>> >out is always a valid one.
>> >
>> >We considered an option for them to match on the traffic
>> >but since the below workaround does the job it never
>> >went further.
>> >
>> >You can force it to do by defining a route-map, match
>> >the traffic, configure "ip local policy <route-map".
>> >
>> >Rodney
>> >
>> >
>> >>
>> >> Detailed: If no, why?
--
Regards,
Volodymyr.
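For reference, here is the "ip local policy" workaround Rodney describes, written out as a full IOS configuration. This is an added example, not something posted in the thread; the ACL and route-map names, the choice of telnet as the traffic to control, and dropping via Null0 are assumptions of the example.

```cisco
! Added example, not from the thread. Names (ROUTER-ORIGINATED, LOCAL-FILTER)
! and the Null0 drop are assumptions; adjust to what you actually want to filter.
!
! 1. Classify the router-generated traffic to control.
!    Here: telnet (tcp/23) sourced by the router itself, to any destination.
!    A "permit" entry selects traffic for the route-map's set action;
!    a "deny" entry (or no match) lets the packet be routed normally.
ip access-list extended ROUTER-ORIGINATED
 permit tcp any any eq 23
!
! 2. Route-map: packets matching the ACL are sent to Null0, i.e. dropped.
!    Packets that do not match fall through and are forwarded as usual.
route-map LOCAL-FILTER permit 10
 match ip address ROUTER-ORIGINATED
 set interface Null0
!
! 3. Apply the route-map to locally generated packets. This is a global
!    command, not an interface one; unlike "ip access-group NOME out" on a
!    physical interface, it does see traffic the router itself originates.
ip local policy route-map LOCAL-FILTER
!
! Verification (exec mode): the route-map counters increment for router-sourced
! telnet, whereas an outbound interface ACL shows no matches for that traffic.
!   show route-map LOCAL-FILTER
!   telnet 192.0.2.10        (constructed destination, RFC 5737 test range)
!   show route-map LOCAL-FILTER
```

Remember that local policy is evaluated for every packet the router originates, so keep the classifying ACL narrow and check `show route-map` after applying it to confirm only the intended traffic is matched.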