ACCESS-CONTROL LIST

catalinmatei112
Level 1

I have 3 departments, each has a router and 10 PCs, and I have to configure access-control lists based on the exercises below:

1. First department should have access to second but not to third.

2. Second department should not have access to any departments.

3. Third department should have access to all departments.

I did the first exercise, and I don't know how to do the rest. This subject is new for me 

I can share the file if you need, an explanation or something will be useful. Thank you!

24 Replies

I mean, the first 2 work properly but the third still can't access the first two.

Hello


@catalinmatei112 wrote:
The access between departments still isn't working,
I mean, the first 2 work properly but the third still can't access the first two.

Humm.. It works for me. I did edit the file when I first uploaded it as I attached the wrong one; can you try and download the PT again from here and test.

The access goes as follows:

  • rtr0/sw0 lan can access rtr1/sw1 lan but NOT rtr2/sw2 lan
  • rtr1/sw1 lan cannot access either rtr0/sw0 or rtr2/sw2 lans
  • rtr2/sw2 lan can access rtr0/sw0 & rtr1/sw1 lans

Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

Ok, I have just one request, can you give me the commands for this project? I mean I saw the access-list and all, but I want to implement it again in other projects, so that will be very useful for me.. If I'm not bothering you too much.. I want to start at the very beginning, to understand every concept step by step. Thank you so much. Have a nice evening!

Hello
TBH that would be a lot to explain as no two networks will be exactly the same, so the connectivity for that network can vary (static routing, dynamic routing such as eigrp/ospf/isis/bgp etc.).

The basic concept in this instance is that the extended access-list (ACL) is controlling the access between the lan networks.

  • rtr0/sw0 lan can access rtr1/sw1 lan but NOT rtr2/sw2 lan (acl applied inbound on wan interface for rtr0 -- this negates rtr1 lans from initiating tcp/icmp traffic towards rtr0 lan)

    ip access-list extended ACL
    permit tcp 196.240.19.0 0.0.0.255 any established
    permit icmp 196.240.19.0 0.0.0.255 any echo-reply
    deny ip 196.240.19.0 0.0.0.255 any
    permit ip any any

  • rtr1/sw1 lan cannot access either rtr0/sw0 or rtr2/sw2 lans
    no acl applied

  • rtr2/sw2 lan can access rtr0/sw0 & rtr1/sw1 lans (acl applied inbound on wan interface for rtr2 -- this negates the other lans from initiating tcp/icmp traffic towards rtr2 lan)

    ip access-list extended ACL
    permit tcp 196.240.17.0 0.0.0.255 any established
    permit icmp 196.240.17.0 0.0.0.255 any echo-reply
    deny ip 196.240.17.0 0.0.0.255 any
    permit tcp 196.240.19.0 0.0.0.255 any established
    permit icmp 196.240.19.0 0.0.0.255 any echo-reply
    deny ip 196.240.19.0 0.0.0.255 any
    permit ip any any



Kind Regards
Paul
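The two ACLs above only make sense together with where they are applied, and it is easy to misjudge which direction each "established" / "echo-reply" line covers. The following is an added example (not from the thread or from Paul) that evaluates the posted ACLs offline: it parses the ACE lines, applies each ACL inbound on the WAN interface of the router whose LAN it protects, and then checks every LAN-to-LAN pair by sending a request and its reply through the relevant ACLs. It also goes beyond the thread by checking UDP, which shows why a policy built on `established` and `echo-reply` only holds for TCP and ping. The LAN addressing is assumed: the thread names 196.240.17.0/24 and 196.240.19.0/24 in the ACLs, and the example assigns them to rtr0 and rtr1; 196.240.18.0/24 for rtr2 is invented for the example.

```python
"""Offline evaluator for the two extended ACLs posted in the thread.

Assumed (not stated in the thread): rtr0 LAN 196.240.17.0/24 (first dept),
rtr1 LAN 196.240.19.0/24 (second dept), rtr2 LAN 196.240.18.0/24 (third dept).
"""
import ipaddress
from dataclasses import dataclass

# The ACE lines exactly as posted (the 'ip access-list extended ACL' header omitted).
ACL_RTR0 = """
permit tcp 196.240.19.0 0.0.0.255 any established
permit icmp 196.240.19.0 0.0.0.255 any echo-reply
deny ip 196.240.19.0 0.0.0.255 any
permit ip any any
"""
ACL_RTR2 = """
permit tcp 196.240.17.0 0.0.0.255 any established
permit icmp 196.240.17.0 0.0.0.255 any echo-reply
deny ip 196.240.17.0 0.0.0.255 any
permit tcp 196.240.19.0 0.0.0.255 any established
permit icmp 196.240.19.0 0.0.0.255 any echo-reply
deny ip 196.240.19.0 0.0.0.255 any
permit ip any any
"""

LANS = {  # constructed addressing (see module docstring)
    "rtr0": ipaddress.ip_network("196.240.17.0/24"),
    "rtr1": ipaddress.ip_network("196.240.19.0/24"),
    "rtr2": ipaddress.ip_network("196.240.18.0/24"),
}
# ACL applied inbound on each router's WAN interface; rtr1 has none.
INBOUND_ACL = {"rtr0": ACL_RTR0, "rtr1": None, "rtr2": ACL_RTR2}

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                 # "tcp", "udp" or "icmp"
    established: bool = False  # TCP segment with ACK or RST set (reply direction)
    icmp_type: str = ""        # "echo" or "echo-reply"

def _parse_addr(tokens):
    """Consume 'any' or 'A.B.C.D W.X.Y.Z' (IOS wildcard mask) from the token list."""
    if tokens[0] == "any":
        del tokens[0]
        return None
    net, wild = tokens[0], tokens[1]
    del tokens[:2]
    return int(ipaddress.ip_address(net)), int(ipaddress.ip_address(wild))

def _addr_matches(spec, addr):
    if spec is None:
        return True
    net, wild = spec
    a = int(ipaddress.ip_address(addr))
    # Wildcard bits set to 1 are "don't care"; compare only the zeroed bits.
    return (a & ~wild & 0xFFFFFFFF) == (net & ~wild & 0xFFFFFFFF)

def parse_acl(text):
    aces = []
    for line in text.strip().splitlines():
        tok = line.split()
        action, proto, rest = tok[0], tok[1], tok[2:]
        src = _parse_addr(rest)
        dst = _parse_addr(rest)
        aces.append((action, proto, src, dst, rest))  # rest: trailing options
    return aces

def acl_permits(text, pkt):
    """First matching ACE wins; an unmatched packet hits the implicit deny."""
    for action, proto, src, dst, opts in parse_acl(text):
        if proto != "ip" and proto != pkt.proto:
            continue
        if not (_addr_matches(src, pkt.src) and _addr_matches(dst, pkt.dst)):
            continue
        if "established" in opts and not pkt.established:
            continue
        if proto == "icmp" and opts and opts[0] != pkt.icmp_type:
            continue
        return action == "permit"
    return False

def _router_of(addr):
    ip = ipaddress.ip_address(addr)
    return next(r for r, lan in LANS.items() if ip in lan)

def inbound_permits(pkt):
    """Run pkt through the inbound WAN ACL of the router that owns pkt.dst."""
    acl = INBOUND_ACL[_router_of(pkt.dst)]
    return acl is None or acl_permits(acl, pkt)

def session_allowed(src_rtr, dst_rtr, proto):
    """A host in src_rtr's LAN can use proto against dst_rtr's LAN only if the
    request passes the ACL guarding dst and the reply passes the ACL guarding src."""
    s, d = str(LANS[src_rtr][10]), str(LANS[dst_rtr][10])
    if proto == "tcp":
        req, rep = Packet(s, d, "tcp"), Packet(d, s, "tcp", established=True)
    elif proto == "icmp":
        req = Packet(s, d, "icmp", icmp_type="echo")
        rep = Packet(d, s, "icmp", icmp_type="echo-reply")
    else:  # UDP has no handshake flag for 'established' to key on
        req, rep = Packet(s, d, "udp"), Packet(d, s, "udp")
    return inbound_permits(req) and inbound_permits(rep)

def matrix(proto):
    return {(a, b): session_allowed(a, b, proto) for a in LANS for b in LANS if a != b}

def meets_requirements(proto):
    """The three exercise rules: 1->2 yes, 1->3 no, 2->any no, 3->all yes."""
    want = {("rtr0", "rtr1"): True, ("rtr0", "rtr2"): False,
            ("rtr1", "rtr0"): False, ("rtr1", "rtr2"): False,
            ("rtr2", "rtr0"): True, ("rtr2", "rtr1"): True}
    return matrix(proto) == want

if __name__ == "__main__":
    for p in ("tcp", "icmp", "udp"):
        print(p, "meets requirements:", meets_requirements(p))
```

Run as-is, it reports that the posted ACLs satisfy all three rules for TCP and for ping, but not for UDP: the `deny ip ... any` lines drop UDP replies coming back into the rtr0 and rtr2 LANs, because `established` only matches TCP segments and there is no equivalent keyword for UDP in a plain extended ACL. If the departments need DNS or other UDP services across the WAN, that traffic has to be permitted explicitly or handled with reflexive ACLs or CBAC/zone-based firewalling rather than this pattern.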

Hi again, sorry for bothering, I have a question. I used your access-lists and I discovered that when I try to ping a PC from second department to first department, I can do this but I don't want to.. so.. is there any solution to solve this project definitively?

So I created a new project and I implemented your instructions, like before.. but now everything is wrong, I can access everything from every department.. I don't know why.. and I'm very upset because this still doesn't work

I did everything like before but now it is not working anymore.. and I can't figure out why

Still error :))))). The third department is a problem but it's ok, you helped me a lot

Hello


@catalinmatei112 wrote:

Hi again, sorry for bothering, I have a question. I used your access-lists and I discovered that when I try to ping a PC from second department to first department, I can do this but I don't want to.. so.. is there any solution to solve this project definitively?

The acl I supplied was based on your OP but maybe I mis-read the requirements:
Bld1 can reach Bld2 but not Bld3
Bld2 cannot reach either Bld1/3
Bld3 can reach all Blds

Can you share the PT file you are currently running highlighting the areas requiring connectivity, I had the following:



Kind Regards
Paul

And one little detail, when I'm closing the file and I reopen it, it gives me deny between any department