Wednesday, January 12, 2011

Cisco PIX - What does this line do?

I found this line in among many other ACL lines in my PIX. It looks different than the rest of them. It's at the end of the rest of the ACL lines, including being after access-list acl-out deny ip any any.

access-list 110 permit ip 165.138.236.0 255.255.255.0 165.139.2.0 255.255.255.0

What does it do, and what are each of the parts? The rest of my ACL lines end with something like any eq 1234.

Thanks in advance!

  • It's allowing all IP traffic from the 165.138.236.0/24 subnet to the 165.139.2.0/24 subnet. It's probably being used as a match list on a VPN tunnel or to prevent NAT on tunneled traffic.

    The number, 110, is just an arbitrary number to identify the access list. "Permit" indicates that it will permit the traffic (as opposed to deny). "IP" indicates to match the IP protocol (as opposed to a protocol number, or TCP, UDP, ICMP, etc). The 165.138.236.0 and 255.255.255.0 identify the source network. The 165.139.2.0 and 255.255.255.0 identify the destination network.

    For more in depth info, have a look at: http://www.networkclue.com/routing/Cisco/access-lists/index.aspx

    eleven81: A stellar answer. Thank you!
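    To make the field breakdown above concrete, here is an added example (not from any poster on this page): a small Python parser for PIX-style access-list lines that splits an entry into its parts, rejects `eq <port>` on a plain `ip` rule, and evaluates a flow against a list first-match, as the PIX does. The three sample lines are constructed to mirror the question; they are not the original poster's configuration.

```python
import ipaddress

# Constructed sample lines modelled on the question (not the poster's real config).
SAMPLE_ACL = """
access-list acl-out permit tcp any any eq 1234
access-list acl-out deny ip any any
access-list 110 permit ip 165.138.236.0 255.255.255.0 165.139.2.0 255.255.255.0
""".strip().splitlines()

def _parse_addr(tokens):
    """Consume one PIX address spec ('any', 'host A.B.C.D', or 'net mask'); return (network, rest)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    # PIX takes a real subnet mask (255.255.255.0), not an IOS wildcard mask
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}", strict=False), tokens[2:]

def parse_ace(line):
    """Split one access-list entry into its parts: id, action, protocol, src, dst, optional port."""
    tokens = line.split()
    if tokens[0] != "access-list":
        raise ValueError("not an access-list line")
    acl_id, action, proto = tokens[1], tokens[2], tokens[3]
    src, rest = _parse_addr(tokens[4:])
    dst, rest = _parse_addr(rest)
    port = None
    if rest and rest[0] == "eq":
        # 'eq <port>' only makes sense for tcp/udp; plain 'ip' has no ports
        if proto not in ("tcp", "udp"):
            raise ValueError("port qualifier only valid for tcp/udp")
        port = int(rest[1])
    return {"acl": acl_id, "action": action, "proto": proto,
            "src": src, "dst": dst, "dport": port}

def first_match(aces, src_ip, dst_ip, proto, dport=None):
    """First-match evaluation: return the action of the first ACE the flow hits, else None."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for ace in aces:
        if ace["proto"] not in ("ip", proto):   # 'ip' matches every protocol
            continue
        if s not in ace["src"] or d not in ace["dst"]:
            continue
        if ace["dport"] is not None and ace["dport"] != dport:
            continue
        return ace["action"]
    return None
```

    Note that ACL 110 in the sample only ever returns `permit` or `None`: with no deny line of its own it does not block anything, which is why the answer above suggests it is a match list for a VPN or NAT rule rather than a filter.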
  • It allows IP traffic in general from 165.138.236.0/24 to 165.139.2.0/24.

    The eq 1234 in the other rules specify ports, but there are no ports in IP. To match a port, you have to specify TCP or UDP in the rule.

    From MikeyB
  • That ACL is to allow all the traffic from one subnet to the other one on the same line.

  • You should look at the rest of the config to see if there is a rule such as VPN or NAT referencing ACL 110.

    Doing a:

    sh run | i 110

    will give you all the lines that have 110. I realize there is the possibility of fluff from IP addresses etc., but it shouldn't be too much.

    From Zypher
  • http://www.cisco.com/en/US/docs/security/pix/pix63/command/reference/about.html

    From XTZ
