i do not understand example

Discussion in 'Cisco' started by voytas, Sep 11, 2006.

  1. voytas

    voytas Guest

    hello,

    in pix 6.0 configuration guide i found this:

    "
    In the next example, dmz1 interface users are restricted from web
    browsing on other interfaces, but one host at 192.168.1.2 has web
    access. Put the port you want to restrict users from after the
    destination address.
    The following example shows these commands:
    access-list acl_dmz1 deny tcp any any eq www
    access-list acl_dmz1 deny tcp host 192.168.1.2 any eq www
    access-group acl_dmz1 in interface dmz1
    "

    i do not understand why in second access-list is 'deny' if the
    description tells that user from 192.168.1.2 has web access? i thought
    that there should be 'permit'!
     
    voytas, Sep 11, 2006
    #1

  2. In article <>,
    voytas <> wrote:

    >in pix 6.0 configuration guide i found this:
    >
    >"
    >In the next example, dmz1 interface users are restricted from web
    >browsing on other interfaces, but one host at 192.168.1.2 has web
    >access. Put the port you want to restrict users from after the
    >destination address.
    >The following example shows these commands:
    >access-list acl_dmz1 deny tcp any any eq www
    >access-list acl_dmz1 deny tcp host 192.168.1.2 any eq www
    >access-group acl_dmz1 in interface dmz1
    >"
    >
    >i do not understand why in second access-list is 'deny' if the
    >description tells that user from 192.168.1.2 has web access? i thought
    >that there should be 'permit'!


    You are right, and also the order should be reversed:

    access-list acl_dmz1 permit tcp host 192.168.1.2 any eq www
    access-list acl_dmz1 deny tcp any any eq www
    access-group acl_dmz1 in interface dmz1

    except that you should likely also permit outgoing dns queries.
     
    Walter Roberson, Sep 11, 2006
    #2
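The reply above hinges on first-match evaluation: a PIX ACL is walked top to bottom, the first matching entry decides, and anything unmatched hits the implicit deny. The following is an added example, not code from the thread or from Cisco; it is a small evaluator that only understands the `access-list NAME permit|deny PROTO SRC DST [eq PORT]` shape used in the quoted lines (with `any` or `host A.B.C.D` addresses) and runs the guide's ACL, the corrected one, and the corrected one in the wrong order against constructed sample flows (the 10.0.0.x addresses are made up).

```python
from typing import Optional

PORT_NAMES = {"www": 80, "domain": 53}   # names accepted after "eq"

def parse_ace(line: str) -> tuple:
    """Parse one 'access-list NAME permit|deny PROTO SRC DST [eq PORT]' line
    into (action, proto, src, dst, dport); src/dst are 'any' or a host."""
    tok = line.split()
    action, proto, i, ends = tok[2], tok[3], 4, []
    for _ in range(2):                          # source, then destination
        if tok[i] == "any":
            ends.append("any"); i += 1
        elif tok[i] == "host":
            ends.append(tok[i + 1]); i += 2
        else:
            raise ValueError(f"unsupported address form: {line}")
    dport: Optional[int] = None
    if i < len(tok) and tok[i] == "eq":         # optional destination port
        dport = PORT_NAMES.get(tok[i + 1]) or int(tok[i + 1])
    return (action, proto, ends[0], ends[1], dport)

def matches(ace: tuple, proto: str, src: str, dst: str, dport: int) -> bool:
    _, a_proto, a_src, a_dst, a_dport = ace
    return (a_proto in ("ip", proto) and a_src in ("any", src)
            and a_dst in ("any", dst) and a_dport in (None, dport))

def evaluate(acl, proto: str, src: str, dst: str, dport: int) -> str:
    """First matching entry wins; nothing matched means the implicit deny."""
    for ace in map(parse_ace, acl):
        if matches(ace, proto, src, dst, dport):
            return ace[0]
    return "deny"

GUIDE_ACL = [   # as printed in the PIX 6.0 guide: two denies, host never permitted
    "access-list acl_dmz1 deny tcp any any eq www",
    "access-list acl_dmz1 deny tcp host 192.168.1.2 any eq www",
]
FIXED_ACL = [   # the corrected version from the reply above: permit first
    "access-list acl_dmz1 permit tcp host 192.168.1.2 any eq www",
    "access-list acl_dmz1 deny tcp any any eq www",
]
SHADOWED_ACL = FIXED_ACL[::-1]   # permit placed after deny-any is never reached

if __name__ == "__main__":
    for name, acl in [("guide", GUIDE_ACL), ("fixed", FIXED_ACL), ("shadowed", SHADOWED_ACL)]:
        print(name, "host web:", evaluate(acl, "tcp", "192.168.1.2", "10.0.0.8", 80),
              "other web:", evaluate(acl, "tcp", "192.168.1.3", "10.0.0.8", 80),
              "host dns:", evaluate(acl, "udp", "192.168.1.2", "10.0.0.53", 53))
```

The DNS flow comes back as deny for every variant, which is the point of the closing remark in the reply: with an inbound ACL bound to dmz1, a UDP/53 entry has to be permitted explicitly or the implicit deny drops it.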

  3. voytas

    voytas Guest

    this error is in 'Step 14-Add Outbound Access Lists'
    second example in 'Restricting Users from Starting Connections'
    in guide at cisco site!

    http://www.cisco.com/en/US/products...on_guide_chapter09186a008008cd36.html#1020980

    they should fix it. for beginners it is more confusing!

    Walter Roberson wrote:
    > In article <>,
    > voytas <> wrote:
    >
    > >in pix 6.0 configuration guide i found this:
    > >
    > >"
    > >In the next example, dmz1 interface users are restricted from web
    > >browsing on other interfaces, but one host at 192.168.1.2 has web
    > >access. Put the port you want to restrict users from after the
    > >destination address.
    > >The following example shows these commands:
    > >access-list acl_dmz1 deny tcp any any eq www
    > >access-list acl_dmz1 deny tcp host 192.168.1.2 any eq www
    > >access-group acl_dmz1 in interface dmz1
    > >"
    > >
    > >i do not understand why in second access-list is 'deny' if the
    > >description tells that user from 192.168.1.2 has web access? i thought
    > >that there should be 'permit'!
    >
    > You are right, and also the order should be reversed:
    >
    > access-list acl_dmz1 permit tcp host 192.168.1.2 any eq www
    > access-list acl_dmz1 deny tcp any any eq www
    > access-group acl_dmz1 in interface dmz1
    >
    > except that you should likely also permit outgoing dns queries.
     
    voytas, Sep 11, 2006
    #3
  4. James

    James Guest

    Yes it's completely wrong - you can tell Cisco by filling out the
    Feedback Form at the bottom of the page. I did this recently and they
    mailed me back a few weeks later to say that they had corrected the
    document.

    James

    voytas wrote:
    > this error is in 'Step 14-Add Outbound Access Lists'
    > second example in 'Restricting Users from Starting Connections'
    > in guide at cisco site!
    >
    > http://www.cisco.com/en/US/products...on_guide_chapter09186a008008cd36.html#1020980
    >
    > they should fix it. for beginners it is more confusing!
    >
    > Walter Roberson wrote:
    > > In article <>,
    > > voytas <> wrote:
    > >
    > > >in pix 6.0 configuration guide i found this:
    > > >
    > > >"
    > > >In the next example, dmz1 interface users are restricted from web
    > > >browsing on other interfaces, but one host at 192.168.1.2 has web
    > > >access. Put the port you want to restrict users from after the
    > > >destination address.
    > > >The following example shows these commands:
    > > >access-list acl_dmz1 deny tcp any any eq www
    > > >access-list acl_dmz1 deny tcp host 192.168.1.2 any eq www
    > > >access-group acl_dmz1 in interface dmz1
    > > >"
    > > >
    > > >i do not understand why in second access-list is 'deny' if the
    > > >description tells that user from 192.168.1.2 has web access? i thought
    > > >that there should be 'permit'!
    > >
    > > You are right, and also the order should be reversed:
    > >
    > > access-list acl_dmz1 permit tcp host 192.168.1.2 any eq www
    > > access-list acl_dmz1 deny tcp any any eq www
    > > access-group acl_dmz1 in interface dmz1
    > >
    > > except that you should likely also permit outgoing dns queries.
     
    James, Sep 12, 2006
    #4
  5. voytas

    voytas Guest

    ok, i used that form and i am waiting.
     
    voytas, Sep 12, 2006
    #5