I have this network security problem I can't wrap my brain around. I will attach an image of the network layout so hopefully people can see what I'm getting at. My access rules must be configured as follows using Cisco 1700 series routers.

- Workstations 1 and 2 (subnet 192.168.5.0/24) are on the management network. Any device on this network can access any other device on the network

- Workstations on Eva and Boaz LANs are not permitted outside of their subnet except to access the file server

- Each router can telnet to the other routers and access any other router on the network.

I have satisfied all of these conditions except two. I can telnet to any router from anywhere, but that I can solve in a little while. My big problem is in allowing workstation 2 to initiate communication with any other device while blocking all access from Eva and Boaz LANs. If I filter traffic coming from these LANs to this workstation, I am also unable to send a reply. I must configure this network so that Eva and Boaz LANs can be pinged from workstation 2, however no workstations except for the file server may ping workstation 2.

I am trying access rules such as

access-list 101 permit ip 192.168.5.0 0.0.0.255 any

on centre router. This will allow outbound traffic from subnet 192.168.5.0/24, however echo replies are not permitted back in. Two-way communication cannot be established with this rule. If I permit traffic the other way, then all workstations may initiate communications with workstation 2.

What access rule will allow workstation 2 to initiate communications with hosts on Eva and Boaz LANs, but not allow Eva and Boaz LANs to initiate communication with workstation 2?
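As an added illustration (not part of the original post), the usual way to get "management LAN may initiate, nobody else may" out of a stateless ACL is to track sessions with a reflexive ACL on the centre router's management-LAN interface, with a purely stateless fallback shown underneath. It assumes the management LAN sits on FastEthernet0, an IOS feature set that supports reflexive ACLs (including ICMP session entries), and a placeholder FILE_SERVER_IP for the file server's address, none of which are given in the post.

```cisco
! Added example; assumptions: FastEthernet0 faces 192.168.5.0/24,
! IOS supports reflexive ACLs, FILE_SERVER_IP is a placeholder.
!
! Traffic entering the router FROM the management LAN: permit it and
! record each session so that only its reply is let back in.
ip access-list extended MGMT-IN
 permit ip 192.168.5.0 0.0.0.255 any reflect MGMT-SESSIONS timeout 120
!
! Traffic leaving the router TOWARD the management LAN: replies to
! sessions the management LAN opened, plus the file server's pings.
! Everything else (Eva/Boaz hosts starting a ping) is dropped and logged.
ip access-list extended MGMT-OUT
 evaluate MGMT-SESSIONS
 permit icmp host FILE_SERVER_IP 192.168.5.0 0.0.0.255 echo
 deny ip any 192.168.5.0 0.0.0.255 log
!
interface FastEthernet0
 ip access-group MGMT-IN in
 ip access-group MGMT-OUT out
!
! Stateless fallback if the IOS image lacks reflexive ACLs: let in only
! packets that look like replies. echo-reply covers ping; "established"
! only checks TCP ACK/RST flags, so UDP gets no return path this way.
access-list 101 permit icmp any 192.168.5.0 0.0.0.255 echo-reply
access-list 101 permit tcp any 192.168.5.0 0.0.0.255 established
access-list 101 permit icmp host FILE_SERVER_IP 192.168.5.0 0.0.0.255 echo
access-list 101 deny ip any 192.168.5.0 0.0.0.255 log
```

With the reflexive version applied, `show access-lists` lists the temporary MGMT-SESSIONS entries while workstation 2 has a ping or telnet in flight, which is the quickest way to confirm replies are matching a tracked session rather than a static permit.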