Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Create a new article
2139
Views
0
Helpful
4
Comments

Extended Access Control List Problem

ashu_genius
Level 1
Level 1

‎10-01-2010 05:51 AM - edited ‎03-01-2019 04:33 PM

Hello Guys

                  I am very frustrated today with the extended control list , here is the topology in the diagram below , i want that the pc2 which has a ip

of 192.168.40.2 /24 cant ping the router 1 interfaces to accomplish this, i configure Router 1 with the acl of

access-list 102 deny   icmp any host 192.168.40.2
access-list 102 permit ip any any

and put that acl on s1/1 interface

interface Serial1/1
ip address 192.168.20.1 255.255.255.0
ip access-group 102 in
serial restart-delay 0
clock rate 64000

after implement this configuration the pc 2(192.168.40.2)can still ping the router 1 , but pc2 (192.168.40.2)cant the the router2 s1/0 interface which has a ip address 192.168.10.2 .

Untitled.png

i dont know what wrong with my acl configuration i know u guys can help me.

Please replay me soon

WARM REGARDS

ASHISH SOOD

Labels:
0 Helpful
Comments
Collin Clark
VIP Alumni
VIP Alumni
‎10-01-2010 06:32 AM

Here's a hint: Check which interface the ACL should be applied too or the ACL direction.

ashu_genius
Level 1
Level 1
‎10-01-2010 07:15 AM

sorry i didnt get u

gopiredd
Community Member
‎10-01-2010 07:14 PM

Hi Ashish,

If i understand correctly , you want the PC 2 not to ping the Router 1's interface. If this is correct here is the configuration.

access-list 102 deny  icmp  host 192.168.40.2 host 192.168.20.1
access-list 102 permit ip any any

and apply that acl on s1/1 interface

interface Serial1/1
ip address 192.168.20.1 255.255.255.0
ip access-group 102 in

Note that only the ICMP traffic destined to Router 1's 192.168.20.1 ip address sourced from PC 2 will be dropped.

If you want to drop all the ICMP traffic originated from PC2 then use the following:

access-list 102 deny  icmp  host 192.168.40.2 any
access-list 102 permit ip any any

Gopinath

ashu_genius
Level 1
Level 1
‎10-01-2010 09:29 PM

Thanks Gopinath

after configure exactly what u say , the pc2 still can ping the R1 s1/1 interface but r1 is not reply all the icmp echo packet to pc2 , it replay only the certain packets... below is the output of the vpcs 2

VPCS 2 >ping 192.168.20.1
192.168.20.1 icmp_seq=1 time=32.000 ms
192.168.20.1 icmp_seq=2 timeout
192.168.20.1 icmp_seq=3 time=40.000 ms
192.168.20.1 icmp_seq=4 timeout
192.168.20.1 icmp_seq=5 time=39.000 ms

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents