
Step 4—Configuring Cisco IOS Firewall Features
Cisco 7100 Series VPN Configuration Guide
4-26
For inbound access lists, after receiving a packet, the Cisco IOS software checks the source address of the packet against the access list. If the access list permits the address, the software continues to process the packet. If the access list rejects the address, the software discards the packet and returns an “ICMP Host Unreachable” message.

For outbound access lists, after receiving and routing a packet to a controlled interface, the software checks the destination address of the packet against the access list. If the access list permits the address, the software transmits the packet. If the access list rejects the address, the software discards the packet and returns an “ICMP Host Unreachable” message.

When you apply an access list that has not yet been defined to an interface, the software acts as if the access list has not been applied to the interface and will accept all packets. Be aware of this behavior if you use undefined access lists as a means of security in your network.
Verifying Extended Access Lists Are Applied Correctly
To verify the configuration:
• Enter the show ip interface EXEC command to confirm the access list is applied correctly (inbound and outbound) on the interfaces.
hq-sanjose# show ip interface
FastEthernet0/1 is up, line protocol is up
  Internet address is 10.2.2.2
  Inbound access list is 112
  -Display text omitted-
Serial2/0 is up, line protocol is up
  Internet address is 172.16.2.2
  Outgoing access list is 112
  -Display text omitted-
Tips
If you have trouble, ensure that you specified the correct interface when you applied the access list.
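The caveat above (an access list that is applied but never defined silently permits all traffic) and the show ip interface check can be combined into an audit. The following Python script is an added example, not part of the Cisco guide: it parses constructed show ip interface output modelled on the excerpt above, and reports any interface whose applied list is missing from the set of lists actually defined in the configuration (the DEFINED_ACLS set and the Serial3/0 block are constructed for this example).

```python
import re
from typing import Dict, List, Tuple

# Constructed sample modelled on the guide's "show ip interface" excerpt.
# Serial3/0 is added to exercise the undefined-access-list case.
SHOW_IP_INTERFACE = """\
FastEthernet0/1 is up, line protocol is up
  Internet address is 10.2.2.2
  Inbound  access list is 112
  Outgoing access list is not set
Serial2/0 is up, line protocol is up
  Internet address is 172.16.2.2
  Inbound  access list is not set
  Outgoing access list is 112
Serial3/0 is up, line protocol is up
  Internet address is 192.168.5.1
  Inbound  access list is 150
  Outgoing access list is not set
"""

# Access lists that exist in the running configuration (constructed).
DEFINED_ACLS = {"112"}

_IFACE_RE = re.compile(r"^(\S+) is (?:up|down|administratively down)")
_ACL_RE = re.compile(r"^\s+(Inbound|Outgoing)\s+access list is (.+?)\s*$")


def parse_show_ip_interface(text: str) -> Dict[str, Dict[str, str]]:
    """Map interface name -> {'in': list, 'out': list}; 'not set' = no list."""
    result: Dict[str, Dict[str, str]] = {}
    current = None
    for line in text.splitlines():
        m = _IFACE_RE.match(line)
        if m:  # interface header line starts at column 0
            current = m.group(1)
            result[current] = {"in": "not set", "out": "not set"}
            continue
        m = _ACL_RE.match(line)
        if m and current:  # indented access-list lines belong to current
            direction = "in" if m.group(1) == "Inbound" else "out"
            result[current][direction] = m.group(2)
    return result


def find_undefined_acls(interfaces: Dict[str, Dict[str, str]],
                        defined: set) -> List[Tuple[str, str, str]]:
    """(interface, direction, list) for lists applied but never defined.
    IOS treats such a list as absent, so the interface forwards all packets."""
    return [(iface, d, acl) for iface, acls in interfaces.items()
            for d, acl in acls.items()
            if acl != "not set" and acl not in defined]
```

Running find_undefined_acls on the constructed output flags Serial3/0 inbound (list 150), which is exactly the accept-all situation the guide warns about.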