November 25th, 2003, 02:30 AM
Cisco 1700 configuration problems
I have this network security problem I can't wrap my brain around. I will attach an image of the network layout so hopefully people can see what I'm getting at. My access rules must be configured as follows using Cisco 1700 series routers.
- Workstations 1 and 2 (subnet 192.168.5.0/24) are on the management network. Any device on this network can access any other device on the network
- Workstations on Eva and Boaz LANs are not permitted outside of their subnet except to access the file server
- Each router can telnet to the other routers and access any other router on the network.
I have satisfied all of these conditions except two. I can telnet to any router from anywhere, but that I can solve in a little while. My big problem is in allowing workstation 2 to initiate communication with any other device while blocking all access from Eva and Boaz LANs. If I filter traffic coming from these LANs to this workstation, I am also unable to send a reply. I must configure this network so that Eva and Boaz LANs can be pinged from workstation 2, however no workstations except for the file server may ping workstation 2.
I am trying access rules such as
access-list 101 permit ip 192.168.5.0 0.0.0.255 any
on centre router. This will allow outbound traffic from subnet 192.168.5.0/24, however echo replies are not permitted back in. Two-way communication cannot be established with this rule. If I permit traffic the other way, then all workstations may initiate communications with workstation 2.
What access rule will allow workstation 2 to initiate communications with hosts on Eva and Boaz LANs, but not allow Eva and Boaz LANs to initiate communication with workstation 2?
Government is like fire - a handy servant, but a dangerous master - George Washington
Government is not reason, it is not eloquence - it is force. - George Washington.
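The rule quoted in the post is stateless, so the router has no way to tell a reply to a session workstation 2 opened from a new connection started on the Eva or Boaz LAN. An added example (not from the post, and not a tested configuration for that network) of the same filter built with a reflexive access list on the centre router: the interface name, the access-list names and the file server address are placeholders, and the IOS image on the 1700 must include reflexive access-list support.

```cisco
! Stateless rule from the post: outbound traffic is allowed, but nothing
! lets the echo replies back in, so two-way communication never forms.
access-list 101 permit ip 192.168.5.0 0.0.0.255 any
!
! Reflexive alternative: record each session the management LAN opens
! (tcp, udp and icmp) in a temporary list called MGMT_SESSIONS.
ip access-list extended MGMT_OUT
 remark traffic leaving the management LAN; keep state per session
 permit tcp 192.168.5.0 0.0.0.255 any reflect MGMT_SESSIONS
 permit udp 192.168.5.0 0.0.0.255 any reflect MGMT_SESSIONS
 permit icmp 192.168.5.0 0.0.0.255 any reflect MGMT_SESSIONS
!
ip access-list extended MGMT_IN
 remark only replies to sessions recorded above are admitted
 evaluate MGMT_SESSIONS
 remark the file server (placeholder address) may still initiate to the management LAN
 permit ip host <FILE-SERVER-IP> 192.168.5.0 0.0.0.255
 remark Eva and Boaz workstations cannot start sessions toward the management LAN
 deny ip any 192.168.5.0 0.0.0.255 log
!
! Reflexive entries expire after this many seconds of inactivity
ip reflexive-list timeout 120
!
! Interface facing the management LAN (assumed name). Packets from
! workstation 2 enter the router here ("in"), replies leave here ("out").
interface FastEthernet0
 ip access-group MGMT_OUT in
 ip access-group MGMT_IN out
```

The deny entry with log gives a record of attempts from the Eva and Boaz LANs to reach the management subnet, which is useful when checking that the filter behaves as intended.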