i've got problem configuring Acl in 2621 cisco router
i have 2 routers and 2 switches and 4 Pcs...in each network i have 2 pcs
in the left network i have subnet 192.168.1.0/24 and interface ser0/0 ip: 4.2.2.1/30 connected to router 4.2.2.2/30
on the right side i have 192.168.2.0/24 with router 4.2.2.2/30
i want this network to prevent ping from 192.168.2.2 to 192.168.1.2 but can ping 192.168.2.3 to any
this is so simple but i don't know where i made mistake ?
this is how i configured my router in left side
i put my packet tracer file also...
Current configuration : 1011 bytes
!
version 12.2
no service timestamps log datetime msec
no service timestamps debug datetime msec
no service password-encryption
!
hostname Rome
!
!
!
enable password class
!
!
!
!
!
!
!
!
!
!
ip name-server 0.0.0.0
!
!
!
!
!
!
interface FastEthernet0/0
ip address 192.168.1.1 255.255.255.0
duplex auto
speed auto
!
interface FastEthernet0/1
no ip address
duplex auto
speed auto
shutdown
!
interface Serial0/0
ip address 4.2.2.1 255.255.255.252
ip access-group 101 in
clock rate 56000
!
interface Serial0/1
no ip address
shutdown
!
router ospf 1
log-adjacency-changes
network 192.168.1.0 0.0.0.255 area 0
network 4.2.2.0 0.0.0.3 area 0
default-information originate
!
ip classless
!
!
access-list 101 permit icmp host 192.168.2.3 192.168.1.0 0.0.0.255 echo-reply
access-list 101 deny icmp host 192.168.2.2 host 192.168.1.2 echo-reply
access-list 101 permit icmp any any
!
!
!
!
!
logging 192.168.2.1
logging 192.168.2.2
line con 0
line vty 0
password class
login
line vty 1 4
login
!
!
!
end



PLZ answer me fast...im so confused !

fast

_________________
www.mellowd.co.uk/ccie/

With a diagram, it would be so easy to answer this.

of curse it's easy...i put packet tracer file also to see how i configured...plz reply me

I still see no diagram

_________________
www.mellowd.co.uk/ccie/

could u give me ur email address ?
i can't upload here !!

You can attach picture here...

_________________
www.mellowd.co.uk/ccie/

SO, first of all why aren't you doing this on the right-hand router, since that's the one where you appear to want to apply restrictions?
Secondly, what do you think your access list is going to do if there are only permit and deny statements for ICMP traffic? What do you think is going to happen to IP traffic that gets evaluated by that access list?
Thirdly, c'mon dude. If you've really got a CCNA this should be entry level for you.

Finally, if I've read your requirements right and my assumption on how the right-hand router is set up is correct, I'd expect you to have entered something like this:

thanx to reply...
first,that doesn't make any changes...does it ?
second no idea
third yes that's so simple but i forgot the priority of acls and im killing myself to remember..i got my certification 1.5 year ago and didn't practice
i've put ur inputs but the results are:
192.168.2.2 can ping anyone
192.168.2.3 can't ping 192.168.1.0/24
192.168.1.2 can ping 192.168.2.1 192.168.2.3
192.168.1.2 can't ping 192.168.2.2
192.168.1.3 can ping anyone
here u are :
Rome#sh acc
Extended IP access list 101
deny icmp host 192.168.2.2 host 192.168.1.2 echo-reply
permit icmp host 192.168.2.3 any echo-reply
permit ip any any (42 match(es))

Asalehipour: it makes a difference in terms of how you apply the access list; with an extended access list the closer you place it to the source of the traffic the better. It also affects the direction of traffic for the interface you apply it to. Remove the access list from the 'left' router and apply the one I listed on the 'right' router.
Secondly, if you don't have a permit ip any any at the end of the access list all traffic that is not explicitly permitted will be dropped by the implicit deny any any at the end of the access list.
Third, no worries. It shouldn't take you too long to get back up to speed. http://ciscoiseasy.blogspot.co.uk/ has lots of practice labs you can use to revise.

thanx again.
i changed acl to the right router...so the new one is this:
Milan#sh ac
Extended IP access list 101
deny icmp host 192.168.2.2 host 192.168.1.2 echo-reply
permit icmp host 192.168.2.3 any echo
permit ip any any (3 match(es))
but it's still doing wrong filter!!
192.168.2.2 can ping anyone !
192.168.2.3 can't ping anyone !!!
192.168.1.0/24 can ping anyone

is there a problem with packet tracer maybe ???

me

No PT file seen or I'am blind.

i had problem uploading file...plz give me ur email to send you directly

Just upload the picture. What exactly is the problem with that?

_________________
www.mellowd.co.uk/ccie/

when i wanna upload anything it says :
Sorry, the board attachment quota has been reached.

What exactly are you trying to upload? It's no use uploading the packet tracer file as none of us use packet tracer.

We need an image

_________________
www.mellowd.co.uk/ccie/

can't even upload image...

Then you're doing it wrong

_________________
www.mellowd.co.uk/ccie/

He might be right; just tried to attach a 4KB .png image and recieved the same error that was reported.