From: Radioactive Frog (pbhatkoti@gmail.com)
Date: Sat Apr 08 2006 - 21:28:17 GMT-3
Hi Ali,
Great guy, it works this way. I was applying it at the serial interface.
Do you know any good URL for ACLs?
Thanks again.
Frog
On 4/9/06, Ali AlKaff <asalkaff@msn.com> wrote:
>
> You didn't use the same ACL and you didn't apply it on the interface facing
> the 192.168.1.0/24 network. Apply this config:
>
> interface Serial0/0
> no ip access-group 100 in
> !
> no access-list 100
> access-list 100 deny tcp 192.168.1.0 0.0.0.255 host 192.168.2.3 neq telnet
> access-list 100 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
> !
> interface FastEthernet0/0
> ip access-group 100 in
> !
> end
>
> -----Original Message-----
> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
> Radioactive Frog
> Sent: Saturday, 08 April 2006 20:47
> To: Ali AlKaff
> Cc: Cisco certification
> Subject: Re: what is the best efficient way ---> ACL question
>
> Hi Ali,
> Thanks for your reply.
> Tried that but no success. Have a look at the config below:
> Any suggestions?
>
>
> ROUTER-1
> ----------------
>
>
> Router-1 #sh run
> Building Configuration...
>
> Current Configuration : 824
> !
> version 12.2
> no service password-encryption
> no service udp-small-servers
> no service tcp-small-servers
> !
> hostname Router
> !
> !
> !
> !
> interface FastEthernet0/0
> ip address 192.168.1.1 255.255.255.0
> no ip directed-broadcast
> !
> !
> interface FastEthernet0/1
> no ip address
> no ip directed-broadcast
> shutdown
> !
> !
> interface Serial0/0
> ip address 100.100.100.1 255.255.255.0
> no ip directed-broadcast
> ip access-group 100 in
> clockrate 64000
> !
> interface Serial0/1
> no ip address
> no ip directed-broadcast
> shutdown
> !
> interface Serial0/2
> no ip address
> no ip directed-broadcast
> shutdown
> !
> no ip classless
> ip route 0.0.0.0 0.0.0.0 100.100.100.2
> !
> access-list 100 deny tcp 192.168.1.0 0.0.0.255 host 192.168.2.3 eq www
> access-list 100 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
> !
> !
> line con 0
> line aux 0
> line vty 0 4
> !
> end
>
> Router1#
>
>
> Router-2: (192.168.2.0 subnet).
> -------------
>
>
> remote#sh run
> Building Configuration...
>
> Current Configuration : 641
> !
> version 12.2
> no service password-encryption
> no service udp-small-servers
> no service tcp-small-servers
> !
> hostname remote
> !
> !
> !
> !
> interface FastEthernet0/0
> ip address 192.168.2.1 255.255.255.0
> no ip directed-broadcast
> !
> !
> interface FastEthernet0/1
> no ip address
> no ip directed-broadcast
> shutdown
> !
> !
> interface Serial0/0
> ip address 100.100.100.2 255.255.255.0
> no ip directed-broadcast
> !
> interface Serial0/1
> no ip address
> no ip directed-broadcast
> shutdown
> !
> interface Serial0/2
> no ip address
> no ip directed-broadcast
> shutdown
> !
> no ip classless
> ip route 0.0.0.0 0.0.0.0 100.100.100.1
> !
> !
> !
> line con 0
> line aux 0
> line vty 0 4
> !
> end
>
> remote#
>
>
>
> On 4/9/06, Ali AlKaff <asalkaff@msn.com> wrote:
> >
> > I couldn't exactly figure out the layer 3 topology from your question, but
> > assuming that PC1 is on 192.168.1.0/24 and PC2 is on the other side on
> > 192.168.2.0/24, I think you'd go like this on ROUTER-1:
> >
> > ip access-list extended ACL
> > deny tcp 192.168.1.0 0.0.0.255 host 192.168.2.3 neq telnet
> > permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
> > !
> > interface [facing PC1]
> > ip access-group ACL in
> > !
> > end
> >
> >
> > HTH,
> >
> > Ali
> >
> > -----Original Message-----
> > From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
> > Radioactive Frog
> > Sent: Saturday, 08 April 2006 18:22
> > To: Cisco certification
> > Subject: what is the best efficient way ---> ACL question
> >
> > Hi Group,
> >
> > The below is a scenario:
> >
> > PC1-------ROUTER-1-------serial-------Router-2-------Switch-------PC-2 (192.168.2.3)
> >                                                         |
> >                                                         +-------PC-3 (192.168.2.4)
> >
> > |-192.168.1.0/24-|                    |--------192.168.2.0/24--------|
> >
> > What is the best way to achieve the following goals without a route map or
> > prefix list, just with a plain extended list? IN/OUT, and on which interface?
> >
> > 1) From 192.168.1.0 to 192.168.2.0 - all types of traffic allowed.
> > 2) From 192.168.1.0 to 192.168.2.3 - should have only telnet access; all
> > other types of traffic shouldn't be allowed to 192.168.2.3
> >
> > Answers with explanation are welcome; however, any idea would also be good.
> >
> >
> > Regards,
> >
> > Frog..
> >
> > _______________________________________________________________________
> > Subscription information may be found at:
> > http://www.groupstudy.com/list/CCIELab.html
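An added illustration, not code from the thread: a small Python evaluator for the numbered access-list 100 in Ali's reply, applying first-match and implicit-deny semantics to constructed sample packets (the host 192.168.1.10, the reply's port 40000 and the port-keyword table are assumptions). It shows why the list belongs inbound on FastEthernet0/0: inbound on Serial0/0 it only ever sees PC2's replies, which match neither entry and hit the implicit deny.

```python
from ipaddress import IPv4Address
# Access-list 100 as given in Ali AlKaff's reply above (numbered extended ACL).
ACL_100 = [
    "access-list 100 deny tcp 192.168.1.0 0.0.0.255 host 192.168.2.3 neq telnet",
    "access-list 100 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255",
]
PORT_NAMES = {"telnet": 23, "www": 80}  # the port keywords used in the thread

def _addr(tokens):  # consume 'host A.B.C.D' or 'A.B.C.D wildcard' -> (int, wildcard)
    tok = tokens.pop(0)
    if tok == "host":
        return int(IPv4Address(tokens.pop(0))), 0
    return int(IPv4Address(tok)), int(IPv4Address(tokens.pop(0)))

def parse_acl(lines):  # 'access-list N action proto src dst [eq|neq port]', in order
    rules = []
    for line in lines:
        t = line.split()
        action, proto, rest = t[2], t[3], t[4:]
        src, dst, port = _addr(rest), _addr(rest), None
        if rest and rest[0] in ("eq", "neq"):  # optional destination-port test
            port = (rest[0], int(rest[1]) if rest[1].isdigit() else PORT_NAMES[rest[1]])
        rules.append((action, proto, src, dst, port))
    return rules

def evaluate(rules, proto, src_ip, dst_ip, dport=None):
    """First matching entry wins; no match falls through to the implicit deny."""
    s, d = int(IPv4Address(src_ip)), int(IPv4Address(dst_ip))
    for action, rproto, (rs, swc), (rd, dwc), port in rules:
        if rproto != "ip" and rproto != proto:
            continue
        # wildcard mask: 1 bits are "don't care", so only the 0 bits must agree
        if (s & ~swc) != (rs & ~swc) or (d & ~dwc) != (rd & ~dwc):
            continue
        if port and (dport is None or (port[0] == "eq") != (dport == port[1])):
            continue
        return action
    return "deny"  # implicit deny at the end of every Cisco ACL

def check_acl_100():
    """PC1-side packets as seen inbound on Fa0/0, plus one PC2 reply on Serial0/0."""
    rules = parse_acl(ACL_100)
    pc1, pc2, pc3 = "192.168.1.10", "192.168.2.3", "192.168.2.4"  # constructed hosts
    return {
        "telnet_to_pc2": evaluate(rules, "tcp", pc1, pc2, 23),
        "http_to_pc2": evaluate(rules, "tcp", pc1, pc2, 80),
        "http_to_pc3": evaluate(rules, "tcp", pc1, pc3, 80),
        "ping_to_pc2": evaluate(rules, "icmp", pc1, pc2),
        "reply_inbound_on_serial0_0": evaluate(rules, "tcp", pc2, pc1, 40000),
    }
```

Note that the "deny tcp ... neq telnet" entry restricts TCP only, so the ICMP sample from 192.168.1.0/24 to 192.168.2.3 still falls through to the "permit ip" entry, as would UDP; holding 192.168.2.3 to telnet only needs the other protocols denied ahead of that permit.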
This archive was generated by hypermail 2.1.4 : Mon May 01 2006 - 11:41:56 GMT-3