Configure ACL ICMP to selected network

nowak-kacper99
Level 1

Hey, I need help and verification of my ACL. In the picture is my topology, and I want to make an ACL where all PCs in VLAN 100 can ping all PCs in VLAN 220 but VLAN 220 can't ping VLAN 100. I'd add that VLAN 220 should be able to ping VLAN 120 and VLAN 20, networks 192.168.120.0 and 192.168.20.0.

Could you verify my ACL on VLAN 220 and try to help me write the ACL for VLAN 100?


ip access-list extended VLAN220_ACL
permit udp any eq bootpc any
permit icmp 192.168.100.0 0.0.0.255 192.168.220.0 0.0.0.255 echo
permit icmp 192.168.220.0 0.0.0.255 192.168.120.0 0.0.0.255 echo
permit icmp 192.168.120.0 0.0.0.255 192.168.220.0 0.0.0.255 echo
permit icmp 192.168.220.0 0.0.0.255 192.168.20.0 0.0.0.255 echo
permit icmp 192.168.20.0 0.0.0.255 192.168.220.0 0.0.0.255 echo
permit tcp any host 10.66.0.2 eq 443
permit tcp any host 10.66.0.4 eq smtp
permit tcp any host 10.66.0.4 eq pop3
permit tcp any host 10.66.0.4 eq 995
permit udp any host 10.66.0.5 eq domain
deny ip any any

[Attached image: topology diagram]


Where do you want to add this ACL? Can you point to that in your topology?

MHM

I want to add it on these two routers. ip access-list extended VLAN220_ACL is now on the upper router and it should stay there.

[Attached image: topology with the two routers marked]

Direction of this VLAN 220 ACL? And on which interface do you apply it?

MHM

The ACL is IN, and it's on int gig0/0.20.

[Attached screenshots: ACL and interface configuration]

Keep the TCP/UDP lines.

The ICMP lines are all wrong.

You want VLAN 100 to talk to VLAN 220 but VLAN 220 cannot talk to VLAN 100, then:

permit icmp <vlan220 subnet> <vlan100 subnet> echo-reply   <<<- only this is needed

MHM

And if I want VLAN 220 to talk with 120 and 20, I should write permit <vlan220 subnet> <vlan120 subnet>, do the same for VLAN 20, and the other way around on the router with VLAN 20 and 120, yes?

I did this, but I can still ping VLAN 100 from VLAN 220.


ip access-list extended VLAN220_ACL
permit udp any eq bootpc any
permit icmp 192.168.220.0 0.0.0.255 192.168.100.0 0.0.0.255 echo-reply
permit icmp 192.168.220.0 0.0.0.255 192.168.120.0 0.0.0.255 echo
permit icmp 192.168.120.0 0.0.0.255 192.168.220.0 0.0.0.255 echo
permit icmp 192.168.220.0 0.0.0.255 192.168.20.0 0.0.0.255 echo
permit icmp 192.168.20.0 0.0.0.255 192.168.220.0 0.0.0.255 echo
permit tcp any host 10.66.0.2 eq 443
permit tcp any host 10.66.0.4 eq smtp
permit tcp any host 10.66.0.4 eq pop3
permit tcp any host 10.66.0.4 eq 995
permit udp any host 10.66.0.5 eq domain
deny ip any any

wr the config, close and reopen the lab, and check.

The ACL is correct.

MHM

Devaa
Level 1

I hope VLAN220_ACL is applied (called) on VLAN 220 in the inbound direction.

If yes, then the lines below in your ACL are not required, as the source will always be the VLAN 220 subnet.

ip access-list extended VLAN220_ACL
 permit icmp 192.168.100.0 0.0.0.255 192.168.220.0 0.0.0.255 echo
 permit icmp 192.168.120.0 0.0.0.255 192.168.220.0 0.0.0.255 echo
 permit icmp 192.168.20.0 0.0.0.255 192.168.220.0 0.0.0.255 echo

So, you can remove those lines and add the required line to allow ICMP replies from VLAN 220 to VLAN 100.

ip access-list extended VLAN220_ACL
    10 permit udp any eq bootpc any
    20 permit icmp 192.168.100.0 0.0.0.255 192.168.220.0 0.0.0.255 echo   --> Remove and update here
    30 permit icmp 192.168.220.0 0.0.0.255 192.168.120.0 0.0.0.255 echo
    40 permit icmp 192.168.120.0 0.0.0.255 192.168.220.0 0.0.0.255 echo
    50 permit icmp 192.168.220.0 0.0.0.255 192.168.20.0 0.0.0.255 echo
    60 permit icmp 192.168.20.0 0.0.0.255 192.168.220.0 0.0.0.255 echo

conf t
ip access-list extended VLAN220_ACL
 no 20
 20 permit icmp 192.168.220.0 0.0.0.255 192.168.100.0 0.0.0.255 echo-reply
 end

You can also remove seq nos. 40 and 60 if they are not needed.

With this change, all PCs in VLAN 100 can ping all PCs in VLAN 220, but VLAN 220 can't ping VLAN 100. Hope this will help.
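As an added example that is not from this thread, a small Python model of how an extended ACL applied inbound on the VLAN 220 subinterface evaluates ICMP: it shows why the lines with a VLAN 100/120/20 source never match there, why the echo-reply line is the one that matters, and (going one step beyond the thread) that VLAN 120 can still not ping VLAN 220 with the fixed list. The parser, the function names and the trimmed ACL texts are my own assumptions.

```python
import ipaddress

# Only packets entering the router on the VLAN 220 subinterface are checked, because that is
# the one place this ACL is applied (inbound on gig0/0.20); the other subinterfaces have no ACL.
VLAN220 = ipaddress.ip_network("192.168.220.0/24")

def _addr(tokens):
    """Consume 'any' or 'network wildcard' from an ACL line; return (rest, network)."""
    if tokens[0] == "any":
        return tokens[1:], ipaddress.ip_network("0.0.0.0/0")
    ones = bin(int(ipaddress.IPv4Address(tokens[1]))).count("1")  # contiguous wildcard assumed
    return tokens[2:], ipaddress.ip_network(f"{tokens[0]}/{32 - ones}")

def parse_acl(text):
    """Keep the icmp/ip entries as (action, src, dst, icmp_type); tcp/udp lines do not affect ping."""
    rules = []
    for line in text.strip().splitlines():
        t = line.split()
        if t and t[0].isdigit():                 # drop sequence numbers
            t = t[1:]
        if len(t) < 2 or t[1] not in ("icmp", "ip"):
            continue                             # header line or tcp/udp line
        action, t = t[0], t[2:]
        t, src = _addr(t)
        t, dst = _addr(t)
        rules.append((action, src, dst, t[0] if t else None))  # None = any ICMP type
    return rules

def evaluate(rules, src_ip, dst_ip, icmp_type):
    """First match wins; falling off the end is the implicit deny."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for action, src, dst, itype in rules:
        if s in src and d in dst and itype in (None, icmp_type):
            return action
    return "deny"

def ping_works(acl_text, pinger, target):
    """A ping needs the echo one way and the echo-reply back; only the VLAN 220 leg is filtered."""
    rules = parse_acl(acl_text)
    def passes(src, dst, itype):
        if ipaddress.ip_address(src) not in VLAN220:
            return True                          # arrives on an unfiltered subinterface
        return evaluate(rules, src, dst, itype) == "permit"
    return passes(pinger, target, "echo") and passes(target, pinger, "echo-reply")

# Constructed, trimmed copies of the thread's first ACL and of the corrected one.
ORIGINAL = """permit icmp 192.168.100.0 0.0.0.255 192.168.220.0 0.0.0.255 echo
permit icmp 192.168.220.0 0.0.0.255 192.168.120.0 0.0.0.255 echo
deny ip any any"""
FIXED = """20 permit icmp 192.168.220.0 0.0.0.255 192.168.100.0 0.0.0.255 echo-reply
30 permit icmp 192.168.220.0 0.0.0.255 192.168.120.0 0.0.0.255 echo
deny ip any any"""
```

Adding `permit icmp 192.168.220.0 0.0.0.255 192.168.120.0 0.0.0.255 echo-reply` would be the way to let VLAN 120 ping VLAN 220 as well, if that is wanted.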

Okay, it worked, but I've got one more question:
My IPsec tunnel is working, but why don't I get access to the NAT network?

I'm adding a Packet Tracer project.
