Re: Access-list

From: Mike McSpedon (Mike@xxxxxxxx)
Date: Thu Dec 02 1999 - 00:15:04 GMT-3


   
   It was good practice for me to whip this up. Good luck on the test!
   -Mike
   At 07:41 PM 12/1/99 -0500, Ben Rife wrote:
>>>>
   
     Hey Everyone,
     I'm having trouble with the following scenario:
     hosta ---------hostb-----------hostc
     s0 s1
     I want an outbound access-list on hostb s1.
     a can ping c
     c can't ping a
     a can telnet to c
     a can traceroute c
     all other traffic denied.
     I'm having problems with getting the traceroute to work.
     Can someone give me a quick config?
     Thanks,
     Ben
     
   <<<<
term len 400
Host_A#sh ru
Building configuration...

Current configuration:
!
version 12.0
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname Host_A
!
!
ip subnet-zero
!
!
process-max-time 200
!
interface Ethernet0
 no ip address
 no ip directed-broadcast
 shutdown
!
interface Serial0
 no ip address
 no ip directed-broadcast
 encapsulation frame-relay
 no ip mroute-cache
 cdp enable
!
interface Serial0.201 point-to-point
 ip address 140.10.1.2 255.255.255.0
 no ip directed-broadcast
 no arp frame-relay
 frame-relay interface-dlci 201
!
interface Serial1
 no ip address
 no ip directed-broadcast
 shutdown
!
interface Serial2
 no ip address
 no ip directed-broadcast
 shutdown
!
interface Serial3
 no ip address
 no ip directed-broadcast
 shutdown
!
interface Serial4
 no ip address
 no ip directed-broadcast
 shutdown
!
interface Serial5
 no ip address
 no ip directed-broadcast
 shutdown
!
interface Serial6
 no ip address
 no ip directed-broadcast
 shutdown
!
interface Serial7
 no ip address
 no ip directed-broadcast
 shutdown
!
interface Serial8
 no ip address
 no ip directed-broadcast
 shutdown
!
interface Serial9
 no ip address
 no ip directed-broadcast
 shutdown
!
interface BRI0
 no ip address
 no ip directed-broadcast
 shutdown
!
router eigrp 10
 network 140.10.0.0
!
ip classless
!
!
!
line con 0
 transport input none
line aux 0
line vty 0 4
!
end

Host_A#ping 140.10.2.2

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 140.10.2.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 116/116/116 ms
Host_A#trace 140.10.2.2

Type escape sequence to abort.
Tracing the route to 140.10.2.2

  1 140.10.1.1 28 msec 28 msec 32 msec
  2 140.10.2.2 60 msec 56 msec *
Host_A#
Host_A#
Host_B#
Host_B#
Host_B#s term len 499
Host_B#sh run
Building configuration...

Current configuration:
!
version 11.3
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname Host_B
!
!
!
!
interface Ethernet0
 no ip address
 shutdown
 no lat enabled
!
interface Serial0
 no ip address
 encapsulation frame-relay
 no ip mroute-cache
!
interface Serial0.1 point-to-point
 description to Host_A
 ip address 140.10.1.1 255.255.255.0
 frame-relay interface-dlci 102
!
interface Serial0.2 point-to-point
 description to Host_B
 ip address 140.10.2.1 255.255.255.0
 ip access-group 100 out
 frame-relay interface-dlci 103
!
interface Serial1
 no ip address
 shutdown
!
interface Serial2
 no ip address
 shutdown
!
interface Serial3
 no ip address
 shutdown
!
interface Serial4
 no ip address
 shutdown
!
interface Serial5
 no ip address
 shutdown
!
interface Serial6
 no ip address
 shutdown
!
interface Serial7
 no ip address
 shutdown
!
interface Serial8
 no ip address
 shutdown
!
interface Serial9
 no ip address
 shutdown
!
interface BRI0
 no ip address
 shutdown
!
router eigrp 10
 network 140.10.0.0
!
ip classless
!
access-list 100 permit eigrp any any
access-list 100 permit icmp 140.10.0.0 0.0.255.255 host 140.10.2.2 echo
access-list 100 deny icmp 140.10.0.0 0.0.255.255 host 140.10.2.2 echo-reply
access-list 100 permit tcp any host 140.10.2.2 eq telnet
access-list 100 deny udp 140.10.0.0 0.0.255.255 any gt 33455
access-list 100 permit udp 140.10.0.0 0.0.255.255 any gt 33433
access-list 105 deny icmp any any log
access-list 105 deny udp any any log
access-list 105 deny ip any any log
!
!
line con 0
line aux 0
line vty 0 4
 login
!
end

Host_B#sh ip ro
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, * - candidate default
       U - per-user static route, o - ODR

Gateway of last resort is not set

     140.10.0.0/24 is subnetted, 3 subnets
C 140.10.2.0 is directly connected, Serial0.2
D 140.10.3.0 [90/2195456] via 140.10.2.2, 00:23:31, Serial0.2
C 140.10.1.0 is directly connected, Serial0.1
Host_B#
Host_B#
Host_B#h sh access-l
Extended IP access list 100
    permit eigrp any any
    permit icmp 140.10.0.0 0.0.255.255 host 140.10.2.2 echo (5 matches)
    deny icmp 140.10.0.0 0.0.255.255 host 140.10.2.2 echo-reply
    permit tcp any host 140.10.2.2 eq telnet (35 matches)
    deny udp 140.10.0.0 0.0.255.255 any gt 33455
    permit udp 140.10.0.0 0.0.255.255 any gt 33433 (3 matches)
Extended IP access list 105
    deny icmp any any log
    deny udp any any log (3 matches)
    deny ip any any log
Host_B#
Host_B#
Host_B#
Host_B#
Host_A#
Host_C#
Host_C#term len 400
Host_C#sh ru
Building configuration...

Current configuration:
!
version 12.0
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname Host_C
!
enable password cisco
!
ip subnet-zero
!
!
process-max-time 200
!
interface Ethernet0
 ip address 140.10.3.1 255.255.255.0
 no ip directed-broadcast
 no keepalive
!
interface Serial0
 no ip address
 no ip directed-broadcast
 encapsulation frame-relay
 no ip mroute-cache
 cdp enable
!
interface Serial0.301 point-to-point
 ip address 140.10.2.2 255.255.255.0
 no ip directed-broadcast
 frame-relay interface-dlci 301
!
interface Serial1
 no ip address
 no ip directed-broadcast
 shutdown
!
interface Serial2
 no ip address
 no ip directed-broadcast
 shutdown
!
interface Serial3
 no ip address
 no ip directed-broadcast
 shutdown
!
interface Serial4
 no ip address
 no ip directed-broadcast
 shutdown
!
interface Serial5
 no ip address
 no ip directed-broadcast
 shutdown
!
interface Serial6
 no ip address
 no ip directed-broadcast
 shutdown
!
interface Serial7
 no ip address
 no ip directed-broadcast
 shutdown
!
interface Serial8
 no ip address
 no ip directed-broadcast
 shutdown
!
interface Serial9
 no ip address
 no ip directed-broadcast
 shutdown
!
interface BRI0
 no ip address
 no ip directed-broadcast
 shutdown
!
router eigrp 10
 network 140.10.0.0
!
ip classless
!
!
!
line con 0
 transport input none
line aux 0
line vty 0 4
 password cisco
 login
!
end

Host_C#ping 140.10.1.2

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 140.10.1.2, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
Host_C#
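As an added example (not part of Mike's mail), a small Python model of how Host_B's outbound access-list 100 is evaluated, first match wins with the implicit deny at the end, run against the flows Ben asked for; it also computes the UDP destination-port window that the `deny ... gt 33455` / `permit ... gt 33433` pair leaves open for traceroute probes (IOS traceroute starts at port 33434 and counts up one per probe). Addresses and ACL lines are taken from the configs above; everything else is constructed.

```python
"""Evaluate Cisco extended ACL 100 from Host_B above against sample packets.  Added example,
not from the original mail: first match wins, implicit deny at the end, wildcard-mask bits
set to 1 are 'don't care', and only the syntax that ACL actually uses is parsed."""
import ipaddress

def _addr(t, i):                       # 'any' | 'host X' | 'NET WILDCARD' -> (spec, next index)
    if t[i] == "any":
        return "any", i + 1
    return ((t[i + 1], "0.0.0.0") if t[i] == "host" else (t[i], t[i + 1])), i + 2
def _port(t, i):                       # optional 'eq|gt|lt PORT' (telnet = 23) -> (cond, next index)
    if i < len(t) and t[i] in ("eq", "gt", "lt"):
        return (t[i], 23 if t[i + 1] == "telnet" else int(t[i + 1])), i + 2
    return None, i
def parse_ace(line):
    t = line.split()
    proto, l4 = t[1], t[1] in ("tcp", "udp")
    src, i = _addr(t, 2)
    sport, i = _port(t, i) if l4 else (None, i)
    dst, i = _addr(t, i)
    dport, i = _port(t, i) if l4 else (None, i)
    icmp_type = t[i] if proto == "icmp" and i < len(t) else None
    return dict(action=t[0], proto=proto, src=src, sport=sport, dst=dst, dport=dport, icmp_type=icmp_type)
def _addr_ok(spec, addr):
    if spec == "any":
        return True
    net, wild = (int(ipaddress.IPv4Address(x)) for x in spec)
    return (net ^ int(ipaddress.IPv4Address(addr))) & (0xFFFFFFFF ^ wild) == 0
def _port_ok(cond, port):
    return cond is None or {"eq": port == cond[1], "gt": port > cond[1], "lt": port < cond[1]}[cond[0]]

def evaluate(acl, pkt):
    """pkt: dict with proto, src, dst and optional sport/dport/icmp_type -> 'permit' | 'deny'."""
    for a in acl:
        if (a["proto"] in ("ip", pkt["proto"]) and _addr_ok(a["src"], pkt["src"])
                and _addr_ok(a["dst"], pkt["dst"]) and _port_ok(a["sport"], pkt.get("sport", 0))
                and _port_ok(a["dport"], pkt.get("dport", 0))
                and a["icmp_type"] in (None, pkt.get("icmp_type"))):
            return a["action"]
    return "deny"                      # the implicit deny that ends every Cisco ACL

ACL_100 = [parse_ace(l) for l in """permit eigrp any any
permit icmp 140.10.0.0 0.0.255.255 host 140.10.2.2 echo
deny icmp 140.10.0.0 0.0.255.255 host 140.10.2.2 echo-reply
permit tcp any host 140.10.2.2 eq telnet
deny udp 140.10.0.0 0.0.255.255 any gt 33455
permit udp 140.10.0.0 0.0.255.255 any gt 33433""".splitlines()]

def traceroute_window(acl, src="140.10.1.2", dst="140.10.2.2", first=33434, last=33600):
    """UDP probe ports Host_A -> Host_C that the ACL lets out (IOS traceroute starts at 33434)."""
    return [p for p in range(first, last + 1)
            if evaluate(acl, dict(proto="udp", src=src, dst=dst, dport=p)) == "permit"]
```

Host_C's echo toward Host_A is never filtered (it enters s1 inbound), so the `deny ... echo-reply` line is what stops Host_A's reply from leaving, and the window of 22 probe ports is why traceroute works for a short path but would fail on a longer one.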



This archive was generated by hypermail 2.1.4 : Thu Jun 13 2002 - 08:21:57 GMT-3