Solved: Why not ACL in in direction not works as whitelist filter?

jiang9150 · ‎09-17-2020

As simulated by packet tracer, Router1 has three interface, which connect to three PC, and the IP is 192.168.1.1, 192.168.2.1, 192.168.3.1 respectively. 192.168.1.1 pc1 <-fa1 Router1 fa2->pc2 192.168.2.1 fa3|--> pc3 192.168.3.1 The acl rule set in the in direction of fa3 is as following: Router#show access-lists Extended IP access list acl3 10 permit ip 192.168.3.0 0.0.0.255 any (7068 match(es)) 20 permit ip 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255 30 deny ip any any What confuses me is that 192.168.2.1 can still ping to 192.168.3.1.

pmckenzie · ‎09-17-2020

what you are getting confused about is what is in the packets.

Here is a clip from your example showing that what the return address from

a ping from PC 2 (192.168.2.2) to PC 3 (192.1687.3.2) looks like. As you can see when it hits acl the IN address is 192.168.3.2 which you are explicitly denying. IF you want to block PC2 from pinging PC3 change your ACL to OUT on pc3 interface.

There are worlds out there where the sky is burning, where the sea's asleep and the rivers dream, people made of smoke and cities made of song. Somewhere there's danger, somewhere there's injustice and somewhere else the tea is getting cold" Dr Who

View solution in original post

pmckenzie · ‎09-17-2020

what you are getting confused about is what is in the packets.

Here is a clip from your example showing that what the return address from

a ping from PC 2 (192.168.2.2) to PC 3 (192.1687.3.2) looks like. As you can see when it hits acl the IN address is 192.168.3.2 which you are explicitly denying. IF you want to block PC2 from pinging PC3 change your ACL to OUT on pc3 interface.

There are worlds out there where the sky is burning, where the sea's asleep and the rivers dream, people made of smoke and cities made of song. Somewhere there's danger, somewhere there's injustice and somewhere else the tea is getting cold" Dr Who