From: ccie lab (ccie_lab@xxxxxxxxxxx)
Date: Wed Jun 14 2000 - 23:35:44 GMT-3
Hi, first I would like to thank:
Dave Gingrich and Pamela Forsyth (CCIE #3439)
for their quick reply and helpful hint to solve the issue posted on
Monday.
Today, I spent an hour on that issue and found the solution.
First, let me clarify the issue so as to confuse no one any more.
R1:s1 --------- s0: R2 :s1 -------- s0: R3 (w/ EIGRP)
requirement:
1. only allow R1 to Telnet R3 and block any IP services.
2. Use an access-list (ACL) on R2 only and apply the ACL with "IN" only.
My solution:
access-list 100 permit eigrp any any
access-list 100 permit tcp any eq telnet any established
apply ACL 100 to R2:s1 as "IN"
access-list 101 permit eigrp any any
access-list 101 permit tcp any any eq telnet
apply ACL 101 to R2:s0 as "IN"
That's it. I think the trick is that you have to allow the reply TCP
packet to get through R2 by specifying the port parameter of the
Destination field (pointing to R1, the source of the original telnet
packet)!
regards,
James Z
11:00 p.m.
Wed.
NYC
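To check the two lists above against the flows the requirement names, here is an added simulation of Cisco extended-ACL matching (my own code, not part of the post); it assumes `established` matches only TCP segments with ACK or RST set, and the addresses and ports for R1 and R3 are made up.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Packet:
    proto: str            # "tcp", "icmp", "eigrp", ...
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    ack_or_rst: bool = False   # TCP ACK or RST flag present

@dataclass
class Ace:
    """One 'permit' entry of an extended ACL (all entries in the post are permits)."""
    proto: str
    sport: Optional[int] = None   # 'eq' on the source port, if given
    dport: Optional[int] = None   # 'eq' on the destination port, if given
    established: bool = False     # stateless: only looks at ACK/RST flags

    def matches(self, p: Packet) -> bool:
        if self.proto != p.proto:
            return False
        if self.sport is not None and p.sport != self.sport:
            return False
        if self.dport is not None and p.dport != self.dport:
            return False
        if self.established and not p.ack_or_rst:
            return False
        return True

TELNET = 23
# access-list 100, applied "in" on R2 s1: traffic arriving from R3's side
ACL_100 = [Ace("eigrp"), Ace("tcp", sport=TELNET, established=True)]
# access-list 101, applied "in" on R2 s0: traffic arriving from R1's side
ACL_101 = [Ace("eigrp"), Ace("tcp", dport=TELNET)]

def r2_permits(ingress: str, p: Packet) -> bool:
    """First matching entry wins; no match means the implicit deny at the end."""
    acl = {"s0": ACL_101, "s1": ACL_100}[ingress]
    return any(ace.matches(p) for ace in acl)

# Constructed sample flows (hypothetical addresses: R1 = 10.0.0.1, R3 = 10.0.0.3)
R1_SYN_TO_R3 = Packet("tcp", "10.0.0.1", "10.0.0.3", 40000, TELNET)
R3_SYNACK_TO_R1 = Packet("tcp", "10.0.0.3", "10.0.0.1", TELNET, 40000, ack_or_rst=True)
R3_SYN_TO_R1 = Packet("tcp", "10.0.0.3", "10.0.0.1", 40001, TELNET)
R1_HTTP_TO_R3 = Packet("tcp", "10.0.0.1", "10.0.0.3", 40002, 80)
R3_PING_R1 = Packet("icmp", "10.0.0.3", "10.0.0.1")
EIGRP_HELLO = Packet("eigrp", "10.0.0.3", "224.0.0.10")
```

Only the R1-initiated telnet session and the EIGRP hellos get through; a telnet session opened from R3 never presents the ACK flag on its first segment, so ACL 100 drops it.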
This archive was generated by hypermail 2.1.4 : Thu Jun 13 2002 - 08:23:42 GMT-3