Access list to allow 2 hosts and deny others to telnet and ping

[sutini]

Hello,

Grateful if any one can provide ways with ACL to allow 2 hosts on different subnets communicate and deny others on both subnets to ping and telnet to both hosts.
Thanks in advance.

 

[ewiley]

First, the ACL on the router will only affect traffic passing _through_ the router, so it will not affect hosts on the same subnet from communicating with eachother. There should be a way of null-routing or firewalling the other hosts in the operating system of the hosts, but that's another discussion. However, I can give you an ACL for the router if you just want Host A and Host B to communicate with eachother.

We'll assume for this example, that subnet 1 is 192.168.1.0/24 and subnet 2 is 192.168.2.0/24. Host A is 192.168.1.2 and Host B is 192.168.2.2. I assume that you want other hosts from subnet 1 and subnet 2 to communicate with eachother. I'm also assuming there is one router, with each subnet on a different ethernet interface. Eth0/0 is subnet 1 and eth0/1 is subnet2.

interface eth0/0
ip address 192.168.1.1 255.255.255.0
ip access-group 101 in

interface eth0/1
ip address 192.168.2.1 255.255.255.0
ip access-group 102 in

access-list 101 permit ip host 192.168.1.2 host 192.168.2.2
access-list 101 deny ip host 192.168.1.2 any
access-list 101 permit ip any any

access-list 102 permit ip host 192.168.2.2 host 192.168.1.2
access-list 102 deny ip host 192.168.2.2 any
access-list 102 permit ip any any

 

[sutini]

Though I did not provide detailed info. on my network, your good assumptions more or less produced the ACL I needed and indeed solved my problem. Great stuff! Thanks a lot again.