11-03-2020 01:08 AM - edited 11-03-2020 01:09 AM
Hello there,
My topology is inside the Packet Tracer file I have attached below.
Before there is an ACL everything works fine, but after I put an ACL on one of the routers it doesn't work. I have to have one side able to ping every PC while the other side can't ping.
I have attached the Packet Tracer file below for your checking.
Where am I going wrong here?
Thank you in advance.
Regards
11-07-2020 01:33 AM
Hi Latte,
As you mentioned, everything was running fine before putting in the access-list configuration. Could you please check that the proper ACL criteria were added?
Please note there is an implicit deny at the end so if it does not match the ACL, the traffic will get dropped.
Please refer to the official Cisco documentation on ACL: https://www.cisco.com/c/en/us/support/docs/ip/access-lists/26448-ACLsamples.html
11-08-2020 03:45 AM
Hello Jean-Pierre de Villeres,
The ACL that I put is
Access-list 100 deny IP {destination} {source}
When I try the same configuration in the lab it works fine with no problem, as I only added an ACL to block one way while the other can pass through.
The only problem is that when it comes to Packet Tracer something went wrong, like my OSPF route is changed when I check with "show ip ospf neighbor".
Is there anything you can help me with?
Thank you in advance
11-08-2020 09:06 AM
Hello,
For one-way ping access, you need to deny ICMP echoes and allow everything else. Let's say you want 150.10.20.0/23 (the right side) to ping 150.10.10.0/23 and 150.10.0.0/23 (the left side), but not vice versa; you would need the access list below, applied to the serial interface (revised PT file attached):
ip access-list extended OUT_ACL
 deny icmp 150.10.10.0 0.0.1.255 150.10.20.0 0.0.1.255 echo
 deny icmp 150.10.0.0 0.0.1.255 150.10.20.0 0.0.1.255 echo
 permit ip any any
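Added example (not part of the original post or the attached Packet Tracer file): a small Python model of how an extended ACL is evaluated, first match wins with wildcard masks and an implicit deny at the end, run against the OUT_ACL above. The `DENY_ONLY` list, the sample packets and the 10.0.0.1 link address are constructed for illustration.

```python
import ipaddress

def ip(s):
    return int(ipaddress.IPv4Address(s))

def match_addr(addr, base, wildcard):
    # IOS wildcard mask: 1-bits are "don't care", 0-bits must equal the base.
    care = ~ip(wildcard) & 0xFFFFFFFF
    return (ip(addr) & care) == (ip(base) & care)

ANY = ("0.0.0.0", "255.255.255.255")
LEFT_A = ("150.10.10.0", "0.0.1.255")
LEFT_B = ("150.10.0.0", "0.0.1.255")
RIGHT = ("150.10.20.0", "0.0.1.255")

# Entries: (action, protocol, source, destination, icmp_type or None)
OUT_ACL = [  # the list from the answer above
    ("deny", "icmp", LEFT_A, RIGHT, "echo"),
    ("deny", "icmp", LEFT_B, RIGHT, "echo"),
    ("permit", "ip", ANY, ANY, None),
]
# Constructed for contrast: a single "deny ip" entry with no permit after it.
DENY_ONLY = [("deny", "ip", LEFT_A, RIGHT, None)]

def evaluate(acl, proto, src, dst, icmp_type=None):
    """Return the action of the first matching entry, top to bottom."""
    for action, a_proto, a_src, a_dst, a_type in acl:
        if a_proto not in ("ip", proto):      # "ip" matches every IP protocol
            continue
        if not (match_addr(src, *a_src) and match_addr(dst, *a_dst)):
            continue
        if a_type is not None and a_type != icmp_type:
            continue
        return action
    return "deny"  # implicit deny: nothing matched

if __name__ == "__main__":
    # Constructed sample packets; 10.0.0.1 is an assumed serial-link address.
    packets = [
        ("icmp", "150.10.11.7", "150.10.21.9", "echo"),        # left pings right
        ("icmp", "150.10.11.7", "150.10.21.9", "echo-reply"),  # left answers right
        ("ospf", "10.0.0.1", "224.0.0.5", None),               # OSPF hello
    ]
    for name, acl in (("OUT_ACL", OUT_ACL), ("DENY_ONLY", DENY_ONLY)):
        for p in packets:
            print(name, p, "->", evaluate(acl, *p))
```

With OUT_ACL only the echo requests from the left side are dropped; with the deny-only list the OSPF hello also falls through to the implicit deny.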
11-08-2020 10:45 AM
Hello Georg Pauwen,
Thank you for this information; it is really helpful, as everything works as I imagined it.
I can't thank you enough for helping me and I hope you will get something good in return.
Cheers!