Velocity Reviews - Computer Hardware Reviews

i do not understand example

 
 
voytas
 
      09-11-2006
hello,

In the PIX 6.0 configuration guide I found this:

"
In the next example, dmz1 interface users are restricted from web
browsing on other interfaces, but one host at 192.168.1.2 has web
access. Put the port you want to restrict users from after the
destination address.
The following example shows these commands:
access-list acl_dmz1 deny tcp any any eq www
access-list acl_dmz1 deny tcp host 192.168.1.2 any eq www
access-group acl_dmz1 in interface dmz1
"

I do not understand why the second access-list is 'deny' if the
description says that the user from 192.168.1.2 has web access. I thought
that there should be 'permit'!

 
Walter Roberson
 
      09-11-2006
In article <(E-Mail Removed). com>,
voytas <(E-Mail Removed)> wrote:

>In the PIX 6.0 configuration guide I found this:


>"
>In the next example, dmz1 interface users are restricted from web
>browsing on other interfaces, but one host at 192.168.1.2 has web
>access. Put the port you want to restrict users from after the
>destination address.
>The following example shows these commands:
>access-list acl_dmz1 deny tcp any any eq www
>access-list acl_dmz1 deny tcp host 192.168.1.2 any eq www
>access-group acl_dmz1 in interface dmz1
>"


>I do not understand why the second access-list is 'deny' if the
>description says that the user from 192.168.1.2 has web access. I thought
>that there should be 'permit'!


You are right, and also the order should be reversed:

access-list acl_dmz1 permit tcp host 192.168.1.2 any eq www
access-list acl_dmz1 deny tcp any any eq www
access-group acl_dmz1 in interface dmz1

except that you should likely also permit outgoing dns queries.
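To see why the order matters, here is an added example (not code from the thread or from the Cisco guide): a small first-match evaluator for PIX-style access-list lines, run over the guide's two lines and over Walter's corrected order. The service-name-to-port mapping, the extra `permit udp any any eq domain` line standing in for Walter's DNS remark, and the destination addresses used as test traffic are all assumptions made for this example.

```python
import ipaddress

PORTS = {"www": 80, "domain": 53}  # PIX service names used below (assumed map)

def _addr(tok, i):
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D MASK' at tok[i]."""
    if tok[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok[i] == "host":
        return ipaddress.ip_network(tok[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(tok[i] + "/" + tok[i + 1], strict=False), i + 2

def parse_ace(line):
    """Parse 'access-list NAME permit|deny PROTO SRC DST [eq PORT]'."""
    tok = line.split()
    src, i = _addr(tok, 4)
    dst, i = _addr(tok, i)
    dport = None
    if i < len(tok) and tok[i] == "eq":
        dport = PORTS.get(tok[i + 1]) or int(tok[i + 1])
    return {"action": tok[2], "proto": tok[3], "src": src, "dst": dst, "dport": dport}

def evaluate(acl_lines, proto, src, dst, dport):
    """First matching entry wins; a packet matching nothing falls to the implicit deny."""
    for ace in map(parse_ace, acl_lines):
        if ace["proto"] not in (proto, "ip"):
            continue
        if ipaddress.ip_address(src) not in ace["src"]:
            continue
        if ipaddress.ip_address(dst) not in ace["dst"]:
            continue
        if ace["dport"] is not None and ace["dport"] != dport:
            continue
        return ace["action"]
    return "deny"  # implicit deny at the end of every PIX ACL

# The guide's lines as quoted above: the host line can never win, because the
# broader "deny tcp any any" above it matches first (and it is a deny anyway).
GUIDE_ACL = [
    "access-list acl_dmz1 deny tcp any any eq www",
    "access-list acl_dmz1 deny tcp host 192.168.1.2 any eq www",
]

# Walter's order, plus an assumed DNS permit standing in for his last remark.
CORRECTED_ACL = [
    "access-list acl_dmz1 permit tcp host 192.168.1.2 any eq www",
    "access-list acl_dmz1 deny tcp any any eq www",
    "access-list acl_dmz1 permit udp any any eq domain",
]
```

Swapping the first two corrected lines back to deny-then-permit makes the host's web traffic hit the deny again, which is the ordering point of the reply.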

 
Reply With Quote
 
 
 
 
voytas
 
      09-11-2006
This error is in 'Step 14 - Add Outbound Access Lists', second example
in 'Restricting Users from Starting Connections', in the guide at the
Cisco site!

http://www.cisco.com/en/US/products/...6.html#1020980

They should fix it. For beginners it is more confusing!



Walter Roberson wrote:
> In article <(E-Mail Removed). com>,
> voytas <(E-Mail Removed)> wrote:
>
> >In the PIX 6.0 configuration guide I found this:

>
> >"
> >In the next example, dmz1 interface users are restricted from web
> >browsing on other interfaces, but one host at 192.168.1.2 has web
> >access. Put the port you want to restrict users from after the
> >destination address.
> >The following example shows these commands:
> >access-list acl_dmz1 deny tcp any any eq www
> >access-list acl_dmz1 deny tcp host 192.168.1.2 any eq www
> >access-group acl_dmz1 in interface dmz1
> >"

>
> >I do not understand why the second access-list is 'deny' if the
> >description says that the user from 192.168.1.2 has web access. I thought
> >that there should be 'permit'!

>
> You are right, and also the order should be reversed:
>
> access-list acl_dmz1 permit tcp host 192.168.1.2 any eq www
> access-list acl_dmz1 deny tcp any any eq www
> access-group acl_dmz1 in interface dmz1
>
> except that you should likely also permit outgoing dns queries.


 
James
 
      09-12-2006
Yes, it's completely wrong - you can tell Cisco by filling out the
Feedback Form at the bottom of the page. I did this recently and they
mailed me back a few weeks later to say that they had corrected the
document.

James

voytas wrote:
> This error is in 'Step 14 - Add Outbound Access Lists', second example
> in 'Restricting Users from Starting Connections', in the guide at the
> Cisco site!
>
> http://www.cisco.com/en/US/products/...6.html#1020980
>
> They should fix it. For beginners it is more confusing!
>
>
>
> Walter Roberson wrote:
> > In article <(E-Mail Removed). com>,
> > voytas <(E-Mail Removed)> wrote:
> >
> > >In the PIX 6.0 configuration guide I found this:

> >
> > >"
> > >In the next example, dmz1 interface users are restricted from web
> > >browsing on other interfaces, but one host at 192.168.1.2 has web
> > >access. Put the port you want to restrict users from after the
> > >destination address.
> > >The following example shows these commands:
> > >access-list acl_dmz1 deny tcp any any eq www
> > >access-list acl_dmz1 deny tcp host 192.168.1.2 any eq www
> > >access-group acl_dmz1 in interface dmz1
> > >"

> >
> > >I do not understand why the second access-list is 'deny' if the
> > >description says that the user from 192.168.1.2 has web access. I thought
> > >that there should be 'permit'!

> >
> > You are right, and also the order should be reversed:
> >
> > access-list acl_dmz1 permit tcp host 192.168.1.2 any eq www
> > access-list acl_dmz1 deny tcp any any eq www
> > access-group acl_dmz1 in interface dmz1
> >
> > except that you should likely also permit outgoing dns queries.


 
voytas
 
      09-12-2006
OK, I used that form and I am waiting.

 