04-03-2002 05:54 PM - edited 03-01-2019 09:09 PM
Is there a way to deny host A from pinging host B while allowing host B to ping host A using standard ACLs?
And also, is there also a way to deny host A from telneting to host B while allowing host B to telnet into host A using extended ACLs?
04-05-2002 06:43 AM
On host A: (assume host A IP is 10.1.1.1 & host B IP is 20.1.1.1)
access-list 101 deny tcp host 10.1.1.1 host 20.1.1.1 eq icmp
access-list 101 permit ip host 10.1.1.1 host 20.1.1.1
If this is applied to Router A then ICMP access from Host A will be denied, but all other traffic will be permitted.
Remember that both hosts must be separated by the router; if they are both on the same subnet then the router won't come into play.
Hope this has helped
Daniel,
04-25-2002 02:58 AM
You can't deny just ping traffic with a standard access list, it is all or nothing.
Also, the extended ACL to allow the one-way telneting would be:
access-l 100 deny tcp host A host B eq telnet
access-l 100 permit ip any any
assuming you have a configuration something like hostA - rtr - hostB then access-l 100 should be put on the inbound interface closest to hostA.
This would stop the telnet traffic from A to B because the source address is A, destination address B and destination port is telnet (23). It would have no effect on telnet from B to A because the access-l is inbound and there would not be a match on source & destination addresses anyway.
04-29-2002 12:16 PM
The previous 2 answers are completely wrong.
First, icmp does not use TCP. So, the access-list 'acc 101 deny tcp .. eq icmp' is a BIG mistake.
Then, yes you can achieve what you want. Just filter icmp echo packet but not echo reply.
ie:
acc 101 deny icmp host A host B echo
acc 101 permit ip any any
For telnet, you would do :
acc 101 deny tcp host A host B eq telnet
acc 101 permit ip any any
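The following is an added example, not part of the thread and not Cisco code: a small first-match ACL evaluator written in Python that models enough of extended-ACL semantics (protocol, source, destination, destination port, ICMP type, first match wins, implicit deny at the end) to check the three lists discussed above. Host A is 10.1.1.1 and host B is 20.1.1.1 as in the first reply; the `Packet`, `Ace` and `evaluate` names, the ephemeral port 49152, and the decision to run every packet of the exchange through the list in both directions (stricter than a real router, which only checks the interface and direction the list is applied to) are assumptions made for the illustration.

```python
# Added example (not from the thread): a tiny first-match ACL evaluator that
# shows why "deny tcp ... eq icmp" never matches an ICMP packet, and how
# "deny icmp host A host B echo" and "deny tcp host A host B eq telnet"
# block A's traffic to B while leaving B's traffic to A (and A's replies) alone.
# Addresses come from the thread; everything else is constructed.
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    proto: str                        # "icmp", "tcp" or "udp"
    src: str
    dst: str
    dport: Optional[int] = None       # TCP/UDP destination port
    icmp_type: Optional[str] = None   # "echo" or "echo-reply" for ICMP


@dataclass(frozen=True)
class Ace:
    """One access-control entry; a None field means 'any'."""
    action: str                       # "permit" or "deny"
    proto: str                        # "ip" matches every protocol
    src: Optional[str]
    dst: Optional[str]
    dport: Optional[int] = None
    icmp_type: Optional[str] = None

    def matches(self, p: Packet) -> bool:
        if self.proto != "ip" and self.proto != p.proto:
            return False              # a TCP entry can never match ICMP
        if self.src is not None and self.src != p.src:
            return False
        if self.dst is not None and self.dst != p.dst:
            return False
        if self.dport is not None and self.dport != p.dport:
            return False
        if self.icmp_type is not None and self.icmp_type != p.icmp_type:
            return False
        return True


def evaluate(acl, p: Packet) -> str:
    """First matching entry wins; every ACL ends with an implicit deny."""
    for ace in acl:
        if ace.matches(p):
            return ace.action
    return "deny"


A, B = "10.1.1.1", "20.1.1.1"
TELNET, EPHEMERAL = 23, 49152     # EPHEMERAL is a constructed client port

# First reply's list: the 'eq icmp' qualifier is modelled as a TCP-only entry,
# which is exactly why it cannot stop ping.
broken_acl = [Ace("deny", "tcp", A, B), Ace("permit", "ip", A, B)]

# Corrected ping list: drop echo requests from A to B, permit everything else.
ping_acl = [Ace("deny", "icmp", A, B, icmp_type="echo"),
            Ace("permit", "ip", None, None)]

# One-way telnet list: drop TCP/23 from A to B, permit everything else.
telnet_acl = [Ace("deny", "tcp", A, B, dport=TELNET),
              Ace("permit", "ip", None, None)]


def ping_results(acl):
    """Decisions for A's echo, B's echo, and A's echo-reply to B's echo."""
    return {
        "A->B echo": evaluate(acl, Packet("icmp", A, B, icmp_type="echo")),
        "B->A echo": evaluate(acl, Packet("icmp", B, A, icmp_type="echo")),
        "A->B echo-reply": evaluate(acl, Packet("icmp", A, B, icmp_type="echo-reply")),
    }


def telnet_results(acl):
    """Decisions for A's SYN to B:23, B's SYN to A:23, and A's reply to B."""
    return {
        "A->B to port 23": evaluate(acl, Packet("tcp", A, B, dport=TELNET)),
        "B->A to port 23": evaluate(acl, Packet("tcp", B, A, dport=TELNET)),
        "A->B reply to ephemeral": evaluate(acl, Packet("tcp", A, B, dport=EPHEMERAL)),
    }


if __name__ == "__main__":
    print("broken list, A pings B:", ping_results(broken_acl)["A->B echo"])
    for name, acl, fn in (("ping", ping_acl, ping_results),
                          ("telnet", telnet_acl, telnet_results)):
        print(f"{name} list:")
        for flow, decision in fn(acl).items():
            print(f"  {flow:26} {decision}")
```

Running it shows the broken list permitting A's echo request (the TCP entry never matches, so the `permit ip` entry wins), while the corrected lists deny only the A-to-B echo request and the A-to-B connection to port 23; B's requests and A's replies fall through to `permit ip any any` because the source address, ICMP type or destination port does not match the deny entry.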
05-01-2002 01:06 AM
gdufour
Perhaps you could, for the benefit of the rest of the universe, point out the 'wrong' part of my answer.
I did not suggest a solution for ping because the question was about preventing pings with a standard ACL, not the extended ACL that you propose.
The solution for preventing telnet is the same as you have suggested.
Obviously ICMP does not use tcp, I did not suggest otherwise.