From: Paul Chen (cpjchen@starhub.net.sg)
Date: Tue Oct 21 2003 - 05:19:48 GMT-3
Hi All,
I have the following scenario:
R6 ----------FR -------------R13
I am configuring a reflexive access-list whereby I allow only telnet
sessions INITIATED FROM R6 to R13.
However, I am unable to get it to work. I have already tested it, and it works
normally without the access lists applied.
r6#telnet 173.3.200.13
Trying 173.3.200.13 ...
% Connection timed out; remote host not responding
R6:
interface Serial1/1
bandwidth 1544
ip address 173.3.200.6 255.255.255.240
ip access-group infilter in
ip access-group outfilter out
encapsulation frame-relay
frame-relay map ip 173.3.200.13 613 broadcast
ip access-list extended infilter
permit ospf any any
permit tcp any any eq bgp
permit icmp any any
evaluate tcptraffic
ip access-list extended outfilter
permit tcp any any eq telnet reflect tcptraffic
----------------------------------------------------------------------------
Telnet initiated from R13 to R6 works using a different set of rules:
R6:
ip access-list extended infilter
permit ospf any any
permit tcp any any eq bgp
permit icmp any any
permit tcp any any eq telnet reflect tcptraffic
ip access-list extended outfilter
evaluate tcptraffic
r6#sh access-lists
Standard IP access list 66
10 permit 208.1.1.0, wildcard bits 15.0.0.0 (44 matches)
Extended IP access list infilter
10 permit ospf any any (6 matches)
20 permit tcp any any eq bgp (4 matches)
30 permit icmp any any
40 permit tcp any any eq telnet reflect tcptraffic
Extended IP access list outfilter
10 evaluate tcptraffic
Reflexive IP access list tcptraffic
permit tcp host 173.3.6.6 eq telnet host 173.3.200.13 eq 11003 (19 matches)
(time left 297)
Any help appreciated.
Thanks,
Paul
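The following is an added toy model of the reflect/evaluate mechanics behind both of Paul's configurations; it is illustration code, not IOS and not anything from the original post. It models transit packets only: a matching `reflect` rule creates a mirrored temporary entry, and `evaluate` permits a packet only if its 5-tuple is in that entry list. Any special treatment IOS gives to packets the router itself originates (in the first test the telnet SYN leaves R6 itself) is outside the model, so the model shows which direction each pair of rules covers rather than reproducing the timeout. The addresses and the client port 11003 are taken from the post.

```python
# Toy model of Cisco reflexive ACL mechanics (added illustration, not IOS code).
# Rules: ("permit", proto, dport_or_None), ("reflect", proto, dport, name),
# ("evaluate", name). Only transit traffic is modelled; how IOS treats
# packets the router itself originates is not represented here.

def five_tuple(pkt):
    return (pkt["proto"], pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])

def filter_packet(acl, pkt, reflexive):
    """Return True if pkt is permitted by acl. A matching 'reflect' rule adds
    the mirrored 5-tuple to reflexive[name]; 'evaluate' permits a packet whose
    5-tuple is present in reflexive[name]. Unmatched packets hit implicit deny."""
    for rule in acl:
        if rule[0] == "evaluate":
            if five_tuple(pkt) in reflexive.get(rule[1], set()):
                return True
            continue
        kind, proto, dport = rule[:3]
        if pkt["proto"] == proto and dport in (None, pkt["dport"]):
            if kind == "reflect":
                # return traffic will come from dst:dport back to src:sport
                mirrored = (proto, pkt["dst"], pkt["dport"], pkt["src"], pkt["sport"])
                reflexive.setdefault(rule[3], set()).add(mirrored)
            return True
    return False

def tcp(src, sport, dst, dport):
    return {"proto": "tcp", "src": src, "sport": sport, "dst": dst, "dport": dport}

BASE_IN = [("permit", "ospf", None), ("permit", "tcp", 179), ("permit", "icmp", None)]

def session_allowed(infilter, outfilter, initiator_inside):
    """Run a telnet SYN and its SYN-ACK through the interface ACLs in both
    directions; return whether both packets are permitted."""
    reflexive = {}
    inside, outside = "173.3.200.6", "173.3.200.13"   # R6 and R13 from the post
    if initiator_inside:
        syn, synack = tcp(inside, 11003, outside, 23), tcp(outside, 23, inside, 11003)
        return (filter_packet(outfilter, syn, reflexive)
                and filter_packet(infilter, synack, reflexive))
    syn, synack = tcp(outside, 11003, inside, 23), tcp(inside, 23, outside, 11003)
    return (filter_packet(infilter, syn, reflexive)
            and filter_packet(outfilter, synack, reflexive))

# Paul's first configuration: reflect outbound, evaluate inbound.
CONFIG_A = (BASE_IN + [("evaluate", "tcptraffic")], [("reflect", "tcp", 23, "tcptraffic")])
# Paul's second configuration: reflect inbound, evaluate outbound.
CONFIG_B = (BASE_IN + [("reflect", "tcp", 23, "tcptraffic")], [("evaluate", "tcptraffic")])
```

In this transit-only model CONFIG_A permits a session started on the R6 side and blocks one started on the R13 side, while CONFIG_B does the reverse; the first configuration is therefore the right direction for the stated goal, and the remaining difference from the real router lies in how the router handles its own telnet client traffic.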
This archive was generated by hypermail 2.1.4 : Mon Nov 24 2003 - 07:53:05 GMT-3