The next sections show various extended-access-list examples: one permitting Internet mail to a host on the network, and another extended access list permitting Domain Name System (DNS) and ping (ICMP echo requests and ICMP echo replies).
Lab Activity: In this lab, you will learn the usage of standard access control lists.
Providing Internet Mail
In the figure, Ethernet interface 1 is part of a Class B network with the address 128.88.0.0, and the mail host address is 128.88.1.2. The keyword established is used only with the TCP protocol and indicates an established connection. A match occurs if the TCP segment has the ACK or RST bit set, which indicates that the packet belongs to an existing connection. If the ACK bit is not set and the SYN bit is set, someone on the Internet is initiating the session, and in that case the packet is denied.
Providing DNS and Ping
The figure also permits name/domain server packets and ICMP echo and echo-reply packets.
The two middle lines permit UDP and TCP domain name service. The last two lines in the access list allow ICMP echo and echo-reply messages; these are the messages used by the ping command.
DNS typically uses UDP as its transport, but TCP is used where large quantities of information are being returned. For this reason, the filter explicitly permits DNS over both UDP and TCP.
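The following Cisco IOS configuration is an added example covering both the mail and the DNS/ping cases above; it is reconstructed from the text, not taken from the page's figure. The network 128.88.0.0 and the mail host 128.88.1.2 come from the text, while the access list number 102 and the interface name Ethernet1 (assumed here to be the interface facing the 128.88.0.0 network) are assumptions. The list is applied outbound on that interface, so it is evaluated on packets arriving from the Internet and heading into the network.

```cisco
! Added example (not the page's figure). 102 and Ethernet1 are assumed values.
! Entries are evaluated top to bottom; the first match wins.

! Return traffic for TCP sessions opened from inside: ACK or RST bit set.
access-list 102 permit tcp any 128.88.0.0 0.0.255.255 established
! New TCP connections from the Internet are allowed only for SMTP to the mail host.
access-list 102 permit tcp any host 128.88.1.2 eq smtp
! DNS over UDP (the usual transport) and over TCP (large responses).
access-list 102 permit udp any 128.88.0.0 0.0.255.255 eq domain
access-list 102 permit tcp any 128.88.0.0 0.0.255.255 eq domain
! ICMP echo and echo-reply so that ping works in both directions.
access-list 102 permit icmp any 128.88.0.0 0.0.255.255 echo
access-list 102 permit icmp any 128.88.0.0 0.0.255.255 echo-reply
! Every access list ends with an implicit "deny ip any any";
! a SYN without ACK to any port other than SMTP on the mail host falls through to it.

interface Ethernet1
 ip access-group 102 out
```

The same list can instead be applied with ip access-group 102 in on the Internet-facing interface, which is the more common placement. Two points a practitioner should keep in mind: established only inspects the ACK and RST flag bits and keeps no connection state, so it is a coarse filter rather than a stateful firewall; and show access-lists 102 displays the per-entry match counters, which is the quickest way to confirm which line a given flow is hitting.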