From: Blankenship Mr Gary C (BlankenshipGC@xxxxxxxxxxxxxxx)
Date: Wed Dec 01 1999 - 23:33:06 GMT-3
Ben:
! a can ping c
permit icmp host <a ip address> host <c ip address> echo
! c can't ping a
! no action required if you deny icmp echo-reply with the default deny ip any any
! a can telnet to c
permit tcp host <a ip address> host <c ip address> established
permit tcp host <a ip address> host <c ip address> eq 23
! a can traceroute c
! if host a is Cisco router use the following
permit udp host <a ip address> host <c ip address> gt 1023
! if host is Microsoft host the first line of this access list is sufficient to allow ICMP echo
! all other traffic denied.
Here is your access list:
access-list 101 permit icmp host <a ip address> host <c ip address> echo
access-list 101 permit tcp host <a ip address> host <c ip address> established
access-list 101 permit tcp host <a ip address> host <c ip address> eq 23
! if host a is Cisco router
access-list 101 permit udp host <a ip address> host <c ip address> gt 1023
Gary Blankenship - CCIE #5009, MCSE
Senior Network Engineer
Network Security Engineer
DSN: 315 645-0669
Commercial: 81 611 745-0669
blankenshipgc@nocfwd.usmc.mil
-----Original Message-----
From: Ben Rife [mailto:brife@bignet.net]
Sent: Wednesday, December 01, 1999 6:42 PM
To: ccielab@groupstudy.com
Subject: Access-list
Hey Everyone,
I'm having trouble with the following scenario:
hosta ---------hostb-----------hostc
            s0       s1
I want an outbound access-list on hostb s1.
a can ping c
c can't ping a
a can telnet to c
a can traceroute c
all other traffic denied.
I'm having problems with getting the traceroute to work.
Can someone give me a quick config?
Thanks,
Ben
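
The access list from this thread, modelled as a first-match evaluator and run over constructed packets leaving hostb s1 toward c. This is an added example, not part of the original messages; the addresses 10.0.0.1 and 10.0.2.1 and the names out_s1, evaluate and SAMPLES are assumptions.

```python
# Added example: first-match evaluation of access-list 101 from this thread.
# A and C are constructed addresses standing in for <a ip address> and
# <c ip address>; out_s1(), evaluate() and SAMPLES are illustrative names.
A, C = "10.0.0.1", "10.0.2.1"

def established(p):
    # The "established" keyword looks only at TCP flags: ACK or RST must be set.
    return bool({"ACK", "RST"} & set(p.get("flags", ())))

# (protocol, source, destination, extra match) in configured order.
ACL_101 = [
    ("icmp", A, C, lambda p: p.get("icmp_type") == "echo"),
    ("tcp", A, C, established),
    ("tcp", A, C, lambda p: p.get("dport") == 23),
    ("udp", A, C, lambda p: p.get("dport", 0) > 1023),
]

def evaluate(packet, acl=ACL_101):
    """Return ("permit", entry_number) for the first match, else ("deny", None)."""
    for n, (proto, src, dst, extra) in enumerate(acl, start=1):
        if (packet["proto"], packet["src"], packet["dst"]) == (proto, src, dst) and extra(packet):
            return ("permit", n)
    return ("deny", None)  # implicit "deny ip any any" ends every access list

def out_s1(proto, **fields):
    # Build a constructed packet travelling a -> c, i.e. leaving hostb on s1.
    return {"proto": proto, "src": A, "dst": C, **fields}

# An outbound list on s1 only sees a -> c traffic. c's echo requests enter s1
# and are never evaluated; it is a's echo-reply that the implicit deny drops.
SAMPLES = {
    "a pings c (echo)": out_s1("icmp", icmp_type="echo"),
    "a answers c's ping (echo-reply)": out_s1("icmp", icmp_type="echo-reply"),
    "telnet SYN": out_s1("tcp", dport=23, flags=["SYN"]),
    "telnet data": out_s1("tcp", dport=23, flags=["ACK"]),
    "traceroute probe": out_s1("udp", dport=33434),
    "dns query": out_s1("udp", dport=53),
    "http SYN": out_s1("tcp", dport=80, flags=["SYN"]),
    # No session state is tracked: any a -> c segment with ACK set matches entry 2.
    "ACK to port 4000": out_s1("tcp", dport=4000, flags=["ACK"]),
}

if __name__ == "__main__":
    for name, packet in SAMPLES.items():
        print(f"{name:34} {evaluate(packet)}")
```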