From: Naushad Prasla (naushad.prasla@xxxxxxxxx)
Date: Wed Dec 01 1999 - 23:49:26 GMT-3
I don't know the exact config syntax, but your access-list should look
like this.
I assume that hostb is actually a Router.
outbound extended access-list on hostb se 1
access-list permit source address of hosta "echo request" destination address of hostc any
access-list permit source address of hosta any destination address of hostc telnet
inbound extended access-list on hostb se 1
access-list permit source address of hostc "echo reply" destination address of hosta any
access-list permit source address of hostc telnet destination address of hosta any
Traceroute is based on ICMP echo request and echo reply messages where
the time-to-live (TTL) parameter is set to 1. Your echo-request and
echo-reply filters should take care of this issue. Host A will be able to
traceroute to Host C. But Host C will be able to traceroute to Host A
because echo-requests are implicitly denied on an inbound access-list.
I believe this can only be accomplished using both in-bound and out-bound
access-lists.
Naushad Prasla
Ben Rife wrote:
> Hey Everyone, I'm having trouble with the following scenario:
>
> hosta ---------hostb-----------hostc
>             s0       s1
>
> I want an outbound access-list on hostb s1.
> a can ping c
> c can't ping a
> a can telnet to c
> a can traceroute c
> all other traffic denied.
>
> I'm having problems with getting the traceroute to work. Can someone
> give me a quick config?
>
> Thanks, Ben
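
Added example, not part of the original thread: the outbound and inbound lists described in the reply, written as Cisco IOS extended access-lists. The addresses 192.0.2.10 (hosta) and 198.51.100.20 (hostc), the list numbers 101 and 102, and the interface name Serial1 are assumed placeholders; the UDP, time-exceeded and port-unreachable entries are an addition for traceroute clients that probe with UDP instead of ICMP echo.

```cisco
! Assumed placeholder addresses (not from the thread):
!   hosta = 192.0.2.10      hostc = 198.51.100.20
!
! List 101: traffic leaving hostb on Serial1, toward hostc
access-list 101 remark hosta may ping hostc (also covers ICMP-based traceroute probes)
access-list 101 permit icmp host 192.0.2.10 host 198.51.100.20 echo
access-list 101 remark hosta may telnet to hostc
access-list 101 permit tcp host 192.0.2.10 host 198.51.100.20 eq telnet
access-list 101 remark UDP traceroute probes from hosta (default port range starts at 33434)
access-list 101 permit udp host 192.0.2.10 host 198.51.100.20 range 33434 33534
! Everything else, including echo replies that would answer a ping
! from hostc, falls through to the implicit "deny ip any any".
!
! List 102: traffic arriving on Serial1, from hostc's side
access-list 102 remark replies to hosta's pings
access-list 102 permit icmp host 198.51.100.20 host 192.0.2.10 echo-reply
access-list 102 remark return traffic of telnet sessions opened by hosta
access-list 102 permit tcp host 198.51.100.20 eq telnet host 192.0.2.10 established
access-list 102 remark traceroute answers: TTL expiry from hops beyond hostb, final reply from hostc
access-list 102 permit icmp any host 192.0.2.10 time-exceeded
access-list 102 permit icmp host 198.51.100.20 host 192.0.2.10 port-unreachable
! No "echo" entry here, so pings and ICMP-based traceroute from hostc
! toward hosta are dropped by the implicit deny.
!
interface Serial1
 ip access-group 101 out
 ip access-group 102 in
```

On the router, `show access-lists` displays per-entry match counters, which confirms which line a test ping, telnet or traceroute actually hit.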
This archive was generated by hypermail 2.1.4 : Thu Jun 13 2002 - 08:21:57 GMT-3