02-02-2011, 07:36 AM
The condition statement can go after the source and/or destination in an extended ACL.
Imagine the path an SSH packet will take. It will start from a host in the 172.16.16.0/28 (Yes the "/20" in the image is wrong) with a somewhat random source port and 172.16.48.63 as the destination address and port 22 as the destination port. It will hit ACL 100 on the way into the router and be permitted through by the first line.
On the way back the original source IP and port will now be the destination IP and port and the original destination IP and port will be the source. The packet will then hit ACL 101 and be permitted by the first rule. Then it will finally reach the host.
Same thing again with the Telnet packet except this time at the ACL 100 it will be stopped by the implicit deny statement.
It won't match line one, the packet's port is 23, not 22.
It won't match line two because that line is looking for a SOURCE port of 23 (Telnet) but the source port will be somewhat random port.
Hope that clears it up.
Imagine the path an SSH packet will take. It will start from a host in the 172.16.16.0/28 (Yes the "/20" in the image is wrong) with a somewhat random source port and 172.16.48.63 as the destination address and port 22 as the destination port. It will hit ACL 100 on the way into the router and be permitted through by the first line.
On the way back the original source IP and port will now be the destination IP and port and the original destination IP and port will be the source. The packet will then hit ACL 101 and be permitted by the first rule. Then it will finally reach the host.
Same thing again with the Telnet packet except this time at the ACL 100 it will be stopped by the implicit deny statement.
It won't match line one, the packet's port is 23, not 22.
It won't match line two because that line is looking for a SOURCE port of 23 (Telnet) but the source port will be somewhat random port.
Hope that clears it up.