Home > Archive > CCNA > May 2005 > Access Control List Question

Access Control List Question
TimS

2005-05-17, 10:06 am

I have a question, please. What should a 5-line access-control list look like to prevent telnet and ping from going from one host to another?

Setup:
Router 2:
Loopback virtual hosts:
R2L0 - 172.16.21.1
R2L1 - 172.16.22.1

Router 3:
Loopback virtual host: R3L0 - 172.16.31.1

Requirements:
Block ONLY ping and telnet from R3L0 to R2L0 and R2L1, but allow everything else to go between these hosts.

It should always be able to telnet and ping to the serial interfaces on router R2 from any source. It should also be able to telnet and ping to R2L0 and R2L1 from any source other than R3L0.

I know it should look something like this, but the following does not work:

access-list 101 deny tcp host 172.16.21.1 host 172.16.31.1 eq telnet
access-list 101 deny icmp host 172.16.22.1 host 172.16.31.1 eq echo
access-list 101 permit ip any any

The ACL must be 5 lines, two for one protocol, two for the second and a permit statement.

Any help is really appreciated...Thanks!
JimmyD

2005-05-17, 10:23 am

It looks like you don't understand ACLs. You seem to be working your logic backwards. I won't give you the answer, but think of it this way:

deny telnet R3-L0 to R2-L0
deny telnet R3-L0 to R2-L1
deny ping R3-L0 to R2-L0
deny ping R3-L0 to R2-L1
permit
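Added illustration, not part of either post: a small Python model of how an IOS extended ACL is evaluated (top-down, first matching entry wins, implicit "deny ip any any" at the end). It parses the ACL exactly as TimS posted it next to a five-line version written from JimmyD's outline, and runs constructed test packets through both. Assumptions: the address 10.0.0.1 stands in for one of R2's serial interfaces (the thread gives no serial addresses), and the model only understands the small IOS syntax subset the thread uses (host/any addresses, "eq telnet" for tcp, the bare "echo" message name for icmp). Where the ACL is applied (inbound on the R2 serial interface facing R3 is the natural choice) is outside the model.

```python
"""First-match simulation of the ACLs discussed in the thread (added example)."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

TCP_PORTS = {"telnet": 23}
ICMP_TYPES = {"echo": 8}  # ICMP echo request, i.e. what "ping" sends

# Addresses from the thread; the serial address is constructed for the demo.
R2L0, R2L1, R3L0 = "172.16.21.1", "172.16.22.1", "172.16.31.1"
R2_SERIAL = "10.0.0.1"  # constructed stand-in for a serial interface on R2


@dataclass(frozen=True)
class Packet:
    proto: str                       # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: Optional[int] = None      # TCP destination port
    icmp_type: Optional[int] = None  # ICMP type


@dataclass(frozen=True)
class Ace:
    action: str               # "permit" or "deny"
    proto: str                # "tcp", "icmp" or "ip"
    src: str                  # "any" or a single host address
    dst: str
    qualifier: Optional[int]  # TCP destination port, ICMP type, or None


def _take_addr(rest: List[str]) -> Tuple[str, List[str]]:
    """Consume 'any' or 'host A.B.C.D' from the token list."""
    if rest and rest[0] == "any":
        return "any", rest[1:]
    if len(rest) >= 2 and rest[0] == "host":
        return rest[1], rest[2:]
    raise ValueError(f"unsupported address spec: {rest[:2]}")


def parse_ace(line: str) -> Ace:
    tok = line.split()
    if len(tok) < 6 or tok[0] != "access-list" or tok[2] not in ("permit", "deny"):
        raise ValueError(f"not an extended ACE: {line!r}")
    action, proto = tok[2], tok[3]
    src, rest = _take_addr(tok[4:])
    dst, rest = _take_addr(rest)
    qual = None
    if rest:
        if proto == "tcp" and len(rest) == 2 and rest[0] == "eq":
            qual = TCP_PORTS[rest[1]]
        elif proto == "icmp" and len(rest) == 1 and rest[0] in ICMP_TYPES:
            qual = ICMP_TYPES[rest[0]]  # icmp takes the message name directly, no "eq"
        else:
            raise ValueError(f"invalid trailer {rest} in {line!r}")
    return Ace(action, proto, src, dst, qual)


def build_acl(lines: List[str]) -> Tuple[List[Ace], List[str]]:
    """Parse each line; a line the parser rejects is left out, as IOS would."""
    acl, rejected = [], []
    for line in lines:
        try:
            acl.append(parse_ace(line))
        except ValueError as err:
            rejected.append(str(err))
    return acl, rejected


def match(ace: Ace, pkt: Packet) -> bool:
    if ace.proto != "ip" and ace.proto != pkt.proto:
        return False
    if ace.src != "any" and ace.src != pkt.src:
        return False
    if ace.dst != "any" and ace.dst != pkt.dst:
        return False
    if ace.qualifier is not None:
        field = pkt.dport if ace.proto == "tcp" else pkt.icmp_type
        if field != ace.qualifier:
            return False
    return True


def evaluate(acl: List[Ace], pkt: Packet) -> str:
    for ace in acl:          # top-down, first match decides
        if match(ace, pkt):
            return ace.action
    return "deny"            # implicit deny ip any any


# The ACL exactly as posted in the question.
ORIGINAL_ACL = [
    "access-list 101 deny tcp host 172.16.21.1 host 172.16.31.1 eq telnet",
    "access-list 101 deny icmp host 172.16.22.1 host 172.16.31.1 eq echo",
    "access-list 101 permit ip any any",
]

# Five lines following the outline in the reply: source R3L0, destinations R2L0/R2L1.
CORRECTED_ACL = [
    "access-list 101 deny tcp host 172.16.31.1 host 172.16.21.1 eq telnet",
    "access-list 101 deny tcp host 172.16.31.1 host 172.16.22.1 eq telnet",
    "access-list 101 deny icmp host 172.16.31.1 host 172.16.21.1 echo",
    "access-list 101 deny icmp host 172.16.31.1 host 172.16.22.1 echo",
    "access-list 101 permit ip any any",
]

# Constructed test traffic covering each requirement in the question.
TRAFFIC = {
    "telnet R3L0->R2L0": Packet("tcp", R3L0, R2L0, dport=23),
    "ping R3L0->R2L1": Packet("icmp", R3L0, R2L1, icmp_type=8),
    "http R3L0->R2L0": Packet("tcp", R3L0, R2L0, dport=80),
    "telnet R3L0->R2 serial": Packet("tcp", R3L0, R2_SERIAL, dport=23),
    "telnet other->R2L0": Packet("tcp", "172.16.40.9", R2L0, dport=23),
}


def decisions(lines: List[str]):
    """Return {traffic name: permit/deny} plus the list of rejected ACL lines."""
    acl, rejected = build_acl(lines)
    return {name: evaluate(acl, pkt) for name, pkt in TRAFFIC.items()}, rejected


if __name__ == "__main__":
    for label, acl_lines in (("original", ORIGINAL_ACL), ("corrected", CORRECTED_ACL)):
        result, rejected = decisions(acl_lines)
        print(f"{label}: rejected lines = {len(rejected)}")
        for name, verdict in result.items():
            print(f"  {name:24s} {verdict}")
```

Running it shows the two problems in the posted list at once: the tcp entry names R2L0 as the source and R3L0 as the destination, so R3L0's telnet to R2L0 falls through to "permit ip any any", and the icmp entry is rejected outright because "eq" is not valid after an icmp destination. The five-line version denies exactly the two protocols from R3L0 to the two loopbacks and permits everything else, including telnet to the serial address and telnet to R2L0 from another source.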

Copyright 2003 - 2008 examnotes.net