tcp/udp

aksher
Level 1

hi all

How do I know which kind of layer 4 service (TCP/UDP) can be used based on a given port, say from 0-65535?

thanks

9 Replies

paddyxdoyle
Level 6

Are you trying to identify a service by its port number?

If so you can use IANA to do this:

http://www.iana.org/assignments/port-numbers

Or, have a look at the following database; it's probably a little out of date:

http://www.portsdb.org/

Another alternative is:

http://www.securitystats.com/tools/portsearch.php

HTH

Paddy

hi

I mean, while using an access list, how can we decide which protocol to use, TCP or UDP? Say we use TCP for 21 (FTP)...

thanks

Hi there,

If you are using an IOS-based box, see this link (this is for 12.4):

http://www.cisco.com/en/US/products/ps6350/products_configuration_guide_chapter09186a0080430e5b.html

Here's an example:

!
access-list 100 permit tcp any host 192.0.2.20 eq 21
!
interface Serial0
ip access-group 100 in
!

If you are using a PIX-based (>6.2) box/blade, see this link (this is for 7.0):

http://www.cisco.com/en/US/products/sw/secursw/ps2120/products_configuration_guide_chapter09186a0080450b93.html

Here's an example:

!
access-list inet-acl extended permit tcp any host 192.0.2.20 eq 21
!
access-group inet-acl in interface outside
!

hi

I mean, how to choose TCP or UDP based on the port...

You need to understand the protocol; have a look through the RFCs or similar. Alternatively, add a specific "deny ip any any log" rule at the end of your ACL. This will log any packets that don't match your ACL permit statements, showing you the protocol and port number that has been denied.

You can also set up a packet filter on a router by creating an access-list and then running a debug on the access list:

# access-list 1 permit 1.1.1.1
# debug ip packet detail 1
# logging mon debug
# ter mon

This will display any packets passing through your router from IP address 1.1.1.1 so you can sniff the traffic and decipher which protocols/port numbers are being used.

HTH

Paddy

hi all

All the answers are out of the context of what I had meant. My question is how to use TCP or UDP in an access list. Say, for example, to deny FTP we use

access-list 10 deny tcp any host 102.1.1.1 eq ftp

Here we've taken TCP. Like this, how do we go about deciding which service (TCP or UDP) we should use for different ports (0-65535)?

I don't really understand your post then.

Are you asking how to use a service that is not defined as a well-known service in an access-list (e.g. www, ftp, telnet, etc.)?

e.g. if you had a service using tcp and port 5000 it would be

# access-list 10 deny tcp any host 102.1.1.1 eq 5000

Is this what you mean?

Rgds

PJD

Yes, you are correct. The selection of TCP or UDP?

regards

Ok...

Here are some facts:

- Both TCP and UDP can use ports in the range 0-65535.

- There is no way in the ACLs to specify a port without also specifying WHICH protocol it belongs to.

So..

If you want to select TCP ports 5000 and 60000 as the destination on an incoming ACL, it would read like this:

access-list 100 permit tcp any any eq 5000

access-list 100 permit tcp any any eq 60000

And likewise for UDP/5000 and UDP/60000:

access-list 100 permit udp any any eq 5000

access-list 100 permit udp any any eq 60000

If you want to specify TCP port 3389 as the source port on an incoming ACL, it would read like this:

access-list 100 permit tcp any eq 3389 any

And likewise for UDP/3389:

access-list 100 permit udp any eq 3389 any

You can also combine the source and destination ports (source UDP/5000 to destination UDP/6000):

access-list 100 permit udp any eq 5000 any eq 6000

And you can put in ranges of ports (source ports are all UDP ports from 5000 to 6000):

access-list 100 permit udp any range 5000 6000 any

Or the destination is all TCP ports over 1023:

access-list 100 permit tcp any any gt 1023

You really should use the "?" character when you try to define your ACLs to see which options you can use. Type "access-list 100 permit " and enter a question mark and you will get a list of options... fill in what you want to use, followed by a trailing space character and a question mark... and go on and on.. :)