Asalehipour
Junior Member
Posts:
95
Joined:
Mon Jul 16, 2012 12:53 pm
Certs:
Network+ | CCNA | CCNP(Switch)

ACL Problem

Mon Jul 16, 2012 1:13 pm

I've got a problem configuring an ACL on a Cisco 2621 router.
I have 2 routers and 2 switches and 4 PCs... in each network I have 2 PCs.
In the left network I have subnet 192.168.1.0/24 and interface Ser0/0 with IP 4.2.2.1/30, connected to router 4.2.2.2/30.
On the right side I have 192.168.2.0/24 with router 4.2.2.2/30.
I want this network to prevent ping from 192.168.2.2 to 192.168.1.2, but 192.168.2.3 can ping to any.
This is so simple, but I don't know where I made a mistake?
This is how I configured my router on the left side.
I put my Packet Tracer file also...
Current configuration : 1011 bytes
!
version 12.2
no service timestamps log datetime msec
no service timestamps debug datetime msec
no service password-encryption
!
hostname Rome
!
!
!
enable password class
!
!
!
!
!
!
!
!
!
!
ip name-server 0.0.0.0
!
!
!
!
!
!
interface FastEthernet0/0
ip address 192.168.1.1 255.255.255.0
duplex auto
speed auto
!
interface FastEthernet0/1
no ip address
duplex auto
speed auto
shutdown
!
interface Serial0/0
ip address 4.2.2.1 255.255.255.252
ip access-group 101 in
clock rate 56000
!
interface Serial0/1
no ip address
shutdown
!
router ospf 1
log-adjacency-changes
network 192.168.1.0 0.0.0.255 area 0
network 4.2.2.0 0.0.0.3 area 0
default-information originate
!
ip classless
!
!
access-list 101 permit icmp host 192.168.2.3 192.168.1.0 0.0.0.255 echo-reply
access-list 101 deny icmp host 192.168.2.2 host 192.168.1.2 echo-reply
access-list 101 permit icmp any any
!
!
!
!
!
logging 192.168.2.1
logging 192.168.2.2
line con 0
line vty 0
password class
login
line vty 1 4
login
!
!
!
end

Please answer me fast... I'm so confused!

mellowd
CCIE #38070
Posts:
13814
Joined:
Wed Jun 18, 2008 7:49 am
Certs:
CCIE (RS,SP), JNCIE-SP, BC-/SPNE/NP

Re: ACL Problem

Mon Jul 16, 2012 1:57 pm

fast

Carlitos_30
Post Whore
Posts:
1222
Joined:
Mon Feb 08, 2010 9:30 am
Certs:
CCENT, CCNA,CCNP R&S

Re: ACL Problem

Mon Jul 16, 2012 6:25 pm

With a diagram, it would be so easy to answer this.

Asalehipour
Junior Member
Posts:
95
Joined:
Mon Jul 16, 2012 12:53 pm
Certs:
Network+ | CCNA | CCNP(Switch)

Re: ACL Problem

Wed Jul 18, 2012 3:15 am

Of course it's easy... I put the Packet Tracer file also, to see how I configured it... please reply to me.

mellowd
CCIE #38070
Posts:
13814
Joined:
Wed Jun 18, 2008 7:49 am
Certs:
CCIE (RS,SP), JNCIE-SP, BC-/SPNE/NP

Re: ACL Problem

Wed Jul 18, 2012 3:32 am

I still see no diagram

Asalehipour
Junior Member
Posts:
95
Joined:
Mon Jul 16, 2012 12:53 pm
Certs:
Network+ | CCNA | CCNP(Switch)

Re: ACL Problem

Wed Jul 18, 2012 4:05 am

Could you give me your email address?
I can't upload here!!

mellowd
CCIE #38070
Posts:
13814
Joined:
Wed Jun 18, 2008 7:49 am
Certs:
CCIE (RS,SP), JNCIE-SP, BC-/SPNE/NP

Re: ACL Problem

Wed Jul 18, 2012 4:08 am

You can attach picture here...

Halo
Post Whore
Posts:
1008
Joined:
Thu Oct 14, 2010 4:39 am
Certs:
CCNP (R&S, Security), ITILv3 Foundation

Re: ACL Problem

Wed Jul 18, 2012 4:21 am

So, first of all, why aren't you doing this on the right-hand router, since that's the one where you appear to want to apply restrictions?
Secondly, what do you think your access list is going to do if there are only permit and deny statements for ICMP traffic? What do you think is going to happen to IP traffic that gets evaluated by that access list?
Thirdly, c'mon dude. If you've really got a CCNA this should be entry level for you.

Finally, if I've read your requirements right and my assumption on how the right-hand router is set up is correct, I'd expect you to have entered something like this:
access-list 101 deny icmp host 192.168.2.2 host 192.168.1.2
access-list 101 permit icmp host 192.168.2.3 any
access-list 101 permit ip any any

interface fa0/0
ip access-group 101 in

Asalehipour
Junior Member
Posts:
95
Joined:
Mon Jul 16, 2012 12:53 pm
Certs:
Network+ | CCNA | CCNP(Switch)

Re: ACL Problem

Wed Jul 18, 2012 5:14 am

Thanks for the reply...
First, that doesn't make any changes... does it?
Second, no idea.
Third, yes, that's so simple, but I forgot the priority of ACLs and I'm killing myself to remember.. I got my certification 1.5 years ago and didn't practice ;)
I've put in your inputs, but the results are:
192.168.2.2 can ping anyone
192.168.2.3 can't ping 192.168.1.0/24
192.168.1.2 can ping 192.168.2.1 and 192.168.2.3
192.168.1.2 can't ping 192.168.2.2
192.168.1.3 can ping anyone
Here you are:
Rome#sh acc
Extended IP access list 101
deny icmp host 192.168.2.2 host 192.168.1.2 echo-reply
permit icmp host 192.168.2.3 any echo-reply
permit ip any any (42 match(es))

Halo
Post Whore
Posts:
1008
Joined:
Thu Oct 14, 2010 4:39 am
Certs:
CCNP (R&S, Security), ITILv3 Foundation

Re: ACL Problem

Wed Jul 18, 2012 5:49 am

Asalehipour: it makes a difference in terms of how you apply the access list; with an extended access list the closer you place it to the source of the traffic the better. It also affects the direction of traffic for the interface you apply it to. Remove the access list from the 'left' router and apply the one I listed on the 'right' router.
Secondly, if you don't have a permit ip any any at the end of the access list all traffic that is not explicitly permitted will be dropped by the implicit deny any any at the end of the access list.
Third, no worries. It shouldn't take you too long to get back up to speed. http://ciscoiseasy.blogspot.co.uk/ has lots of practice labs you can use to revise.
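
As an added illustration (not part of the thread), a small Python model of how an extended ACL is evaluated, run over the two lists posted above: it shows why entries keyed on echo-reply let an echo request through to the permit icmp any any line, and what the implicit deny does to non-ICMP traffic when there is no permit ip any any. The model assumes the list is evaluated on the inbound interface facing the 192.168.2.0/24 hosts, as Halo describes; the Ace class and the helper names are mine.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import Optional
ANY = ("0.0.0.0", "255.255.255.255")          # Cisco 'any': base 0.0.0.0, all-ones wildcard
def host(ip: str) -> tuple:
    return (ip, "0.0.0.0")                    # Cisco 'host x': wildcard 0.0.0.0 (every bit must match)

def wildcard_match(addr: str, rule: tuple) -> bool:
    base, wildcard = rule
    care = ~int(IPv4Address(wildcard)) & 0xFFFFFFFF   # 0 bits in the wildcard are the bits compared
    return (int(IPv4Address(addr)) & care) == (int(IPv4Address(base)) & care)

@dataclass
class Ace:
    action: str                      # "permit" or "deny"
    proto: str                       # "ip" matches any protocol; "icmp", "tcp", ...
    src: tuple
    dst: tuple
    icmp_type: Optional[str] = None  # "echo", "echo-reply"; None matches every ICMP type

    def matches(self, pkt: dict) -> bool:
        if self.proto != "ip" and self.proto != pkt["proto"]:
            return False
        if self.icmp_type and pkt.get("icmp_type") != self.icmp_type:
            return False
        return wildcard_match(pkt["src"], self.src) and wildcard_match(pkt["dst"], self.dst)

def evaluate(acl: list, pkt: dict) -> str:
    """First matching entry wins; a packet matching nothing hits the implicit deny."""
    for ace in acl:
        if ace.matches(pkt):
            return ace.action
    return "deny"

# The original list 101 (left router, Serial0/0 inbound): host-specific entries keyed on echo-reply.
ORIGINAL_ACL = [
    Ace("permit", "icmp", host("192.168.2.3"), ("192.168.1.0", "0.0.0.255"), "echo-reply"),
    Ace("deny",   "icmp", host("192.168.2.2"), host("192.168.1.2"), "echo-reply"),
    Ace("permit", "icmp", ANY, ANY),
]
# Halo's suggested list 101 (right router, fa0/0 inbound, facing the 192.168.2.0/24 hosts).
SUGGESTED_ACL = [
    Ace("deny",   "icmp", host("192.168.2.2"), host("192.168.1.2")),
    Ace("permit", "icmp", host("192.168.2.3"), ANY),
    Ace("permit", "ip",   ANY, ANY),
]

def ping_request(src: str, dst: str) -> dict:
    return {"proto": "icmp", "icmp_type": "echo", "src": src, "dst": dst}
```

Dropping the last entry of SUGGESTED_ACL (SUGGESTED_ACL[:2]) reproduces Halo's second point: a TCP packet from either host then falls through to the implicit deny.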

Asalehipour
Junior Member
Posts:
95
Joined:
Mon Jul 16, 2012 12:53 pm
Certs:
Network+ | CCNA | CCNP(Switch)

Re: ACL Problem

Wed Jul 18, 2012 7:37 am

Thanks again.
I changed the ACL over to the right router... so the new one is this:
Milan#sh ac
Extended IP access list 101
deny icmp host 192.168.2.2 host 192.168.1.2 echo-reply
permit icmp host 192.168.2.3 any echo
permit ip any any (3 match(es))
But it's still doing the wrong filtering!!
192.168.2.2 can ping anyone!
192.168.2.3 can't ping anyone!!!
192.168.1.0/24 can ping anyone

Is there a problem with Packet Tracer maybe???

rolon
Member
Posts:
199
Joined:
Tue May 26, 2009 1:39 pm
Certs:
CCENT

Re: ACL Problem

Wed Jul 18, 2012 8:03 am

me

Carlitos_30
Post Whore
Posts:
1222
Joined:
Mon Feb 08, 2010 9:30 am
Certs:
CCENT, CCNA,CCNP R&S

Re: ACL Problem

Thu Jul 19, 2012 3:44 pm

No PT file seen, or I'm blind.

Asalehipour
Junior Member
Posts:
95
Joined:
Mon Jul 16, 2012 12:53 pm
Certs:
Network+ | CCNA | CCNP(Switch)

Re: ACL Problem

Fri Jul 20, 2012 1:31 am

I had a problem uploading the file... please give me your email so I can send it to you directly.

mellowd
CCIE #38070
Posts:
13814
Joined:
Wed Jun 18, 2008 7:49 am
Certs:
CCIE (RS,SP), JNCIE-SP, BC-/SPNE/NP

Re: ACL Problem

Fri Jul 20, 2012 2:16 am

Just upload the picture. What exactly is the problem with that?

Asalehipour
Junior Member
Posts:
95
Joined:
Mon Jul 16, 2012 12:53 pm
Certs:
Network+ | CCNA | CCNP(Switch)

Re: ACL Problem

Fri Jul 20, 2012 3:17 am

When I want to upload anything it says:
Sorry, the board attachment quota has been reached.

mellowd
CCIE #38070
Posts:
13814
Joined:
Wed Jun 18, 2008 7:49 am
Certs:
CCIE (RS,SP), JNCIE-SP, BC-/SPNE/NP

Re: ACL Problem

Fri Jul 20, 2012 3:20 am

What exactly are you trying to upload? It's no use uploading the packet tracer file as none of us use packet tracer.

We need an image

Asalehipour
Junior Member
Posts:
95
Joined:
Mon Jul 16, 2012 12:53 pm
Certs:
Network+ | CCNA | CCNP(Switch)

Re: ACL Problem

Fri Jul 20, 2012 3:25 am

Can't even upload an image...

mellowd
CCIE #38070
Posts:
13814
Joined:
Wed Jun 18, 2008 7:49 am
Certs:
CCIE (RS,SP), JNCIE-SP, BC-/SPNE/NP

Re: ACL Problem

Fri Jul 20, 2012 3:33 am

Then you're doing it wrong

Halo
Post Whore
Posts:
1008
Joined:
Thu Oct 14, 2010 4:39 am
Certs:
CCNP (R&S, Security), ITILv3 Foundation

Re: ACL Problem

Fri Jul 20, 2012 4:28 am

mellowd wrote: Then you're doing it wrong

He might be right; I just tried to attach a 4KB .png image and received the same error that was reported.
