ACL "in" for filtering Telnet

From: ccie lab (ccie_lab@xxxxxxxxxxx)
Date: Mon Jun 12 2000 - 20:15:20 GMT-3


Here is the issue which seems to be simple but couldn't be solved by only
using ACL "in" on all interfaces.

R1:s1 ---- s0:R2:s1 ----- s0:R3 (w/EIGRP routing protocol)
     |---------------------->
        R1 telnets to R3

apply ACL 100 on R2 only !
    acl 100 permit eigrp any any
    acl 100 permit TCP any any eq telnet

Following are the output:

Telnet worked fine without applying any ACLs on any interface of R2.
If applying "acl 100" on s0:R2 as "in" only, telnet worked fine.

If applying "acl 100" on R2:s1 as "in" only, telnet won't work at all.
From the "debug ip pack " on R2, the packet from R3:s0 (source ip) to
R1:s1 (destination ip) was denied ! It seems to be the returned path
for the telnet was not working on R2 even it had been permitted --
(...TCP any any eq telnet)!

What I had done to try solving this issue are:
1. using IOS 11.2(20), IOS 12.0 -- same result.
2. using different routers (c25xx) -- same result.
3. Using http ( TCP 80 ) instead of telnet (TCP 23) in ACL -- same
    results.
4. Looking for Cisco web site and CD documents -- no clue at all.

Putting this issue on this group is the last resort to find the answer
or to find something wrong either with cisco IOS (hope not) or there
might be something I did not really understand about the "in" ACL.

Thanks for your time reading this question !

James Z
7:30 p.m.
Mon.
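Added example (not part of the original post, and not Cisco code): a small model of extended-ACL matching that reproduces the symptom above. In Cisco syntax the port operator written after the destination address (`any any eq telnet`) tests the destination port, so the R3-to-R1 reply packets, whose source port is 23 and whose destination port is R1's ephemeral port, match no line and fall to the implicit deny when checked inbound on R2:s1; the interface names used as addresses and the ephemeral port 11001 are constructed placeholders.

```python
# Added model of Cisco extended-ACL evaluation, written to illustrate the
# posted problem. It is not the poster's configuration or any vendor code.
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Packet:
    proto: str            # "tcp", "eigrp", ...
    src: str
    dst: str
    sport: int = 0
    dport: int = 0


@dataclass
class Ace:
    action: str           # "permit" or "deny"
    proto: str            # "ip" matches every protocol
    sport: Optional[int] = None   # "eq <port>" written after the source
    dport: Optional[int] = None   # "eq <port>" written after the destination

    def matches(self, pkt: Packet) -> bool:
        if self.proto not in ("ip", pkt.proto):
            return False
        if self.sport is not None and pkt.sport != self.sport:
            return False
        if self.dport is not None and pkt.dport != self.dport:
            return False
        return True       # "any any": addresses always match in this model


def evaluate(acl: List[Ace], pkt: Packet) -> str:
    """First matching line wins; no match hits the implicit deny at the end."""
    for ace in acl:
        if ace.matches(pkt):
            return ace.action
    return "deny"


TELNET = 23
# The posted ACL 100 as applied "in" on R2:s1, the interface facing R3.
POSTED_ACL = [Ace("permit", "eigrp"), Ace("permit", "tcp", dport=TELNET)]
# The same ACL with one extra line for the reply direction (source port 23).
FIXED_ACL = POSTED_ACL + [Ace("permit", "tcp", sport=TELNET)]

# Constructed sample traffic; addresses are placeholders for R1:s1 and R3:s0.
R1_TO_R3 = Packet("tcp", "R1:s1", "R3:s0", sport=11001, dport=TELNET)  # in on R2:s0
R3_TO_R1 = Packet("tcp", "R3:s0", "R1:s1", sport=TELNET, dport=11001)  # in on R2:s1
HELLO = Packet("eigrp", "R3:s0", "224.0.0.10")                         # routing keepalive

if __name__ == "__main__":
    for name, acl in (("posted", POSTED_ACL), ("fixed", FIXED_ACL)):
        for pkt in (R1_TO_R3, R3_TO_R1, HELLO):
            print(f"{name:6} {pkt.src} -> {pkt.dst} dport={pkt.dport}: {evaluate(acl, pkt)}")
```

On a real router the equivalent fix is an additional line such as `access-list 100 permit tcp any eq telnet any` (or `access-list 100 permit tcp any any established`, which matches the ACK-bearing reply segments) so that the return flow does not reach the implicit deny.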



This archive was generated by hypermail 2.1.4 : Thu Jun 13 2002 - 08:23:41 GMT-3