01-08-2020 01:26 AM
I am trying to block the 192.168.0.0 to 192.168.3.255 networks with a standard ACL but permit the 192.168.4.0 and 10.10.10.0 networks. My ACL is access-list 15 deny 192.168.0.0 0.0.3.255, but unfortunately I am unable to ping from my 192.168.4.0 network either, and when I try to ping from 10.10.10.0 I get the following:
R1#ping 20.20.20.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 20.20.20.1, timeout is 2 seconds:
UUUUU
Success rate is 0 percent (0/5)
My R1 configuration:
R1#
!
!
!
interface Loopback1
no ip address
shutdown
!
interface FastEthernet0/0
ip address 192.168.0.254 255.255.255.0
duplex half
!
interface GigabitEthernet1/0
ip address 10.10.10.1 255.255.255.0
negotiation auto
!
interface GigabitEthernet2/0
no ip address
shutdown
negotiation auto
!
interface GigabitEthernet3/0
no ip address
shutdown
negotiation auto
!
interface FastEthernet4/0
ip address 192.168.1.254 255.255.255.0
duplex auto
speed auto
!
interface FastEthernet4/1
ip address 192.168.2.254 255.255.255.0
duplex auto
speed auto
!
interface FastEthernet5/0
ip address 192.168.3.254 255.255.255.0
duplex auto
speed auto
!
interface FastEthernet5/1
ip address 192.168.4.254 255.255.255.0
duplex auto
speed auto
!
router eigrp 1
network 10.10.10.0 0.0.0.255
network 192.168.0.0
network 192.168.1.0
network 192.168.2.0
network 192.168.3.0
network 192.168.4.0
no auto-summary
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
!
!
no cdp log mismatch duplex
!
!
!
!
!
!
control-plane
!
!
!
!
!
!
!
gatekeeper
shutdown
!
!
line con 0
exec-timeout 0 0
privilege level 15
logging synchronous
stopbits 1
line aux 0
exec-timeout 0 0
privilege level 15
logging synchronous
stopbits 1
line vty 0 4
login
!
end
My R2 configuration:
R2#
interface FastEthernet0/0
no ip address
shutdown
duplex half
!
interface GigabitEthernet1/0
ip address 10.10.10.2 255.255.255.0
negotiation auto
!
interface GigabitEthernet2/0
no ip address
shutdown
negotiation auto
!
interface GigabitEthernet3/0
no ip address
shutdown
negotiation auto
!
interface FastEthernet4/0
ip address 20.20.20.254 255.255.255.0
ip access-group 15 out
duplex auto
speed auto
!
interface FastEthernet4/1
no ip address
shutdown
duplex auto
speed auto
!
interface FastEthernet5/0
no ip address
shutdown
duplex auto
speed auto
!
interface FastEthernet5/1
no ip address
shutdown
duplex auto
speed auto
!
router eigrp 1
network 10.10.10.0 0.0.0.255
network 20.20.20.0 0.0.0.255
no auto-summary
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
!
!
access-list 15 deny 192.168.0.0 0.0.3.255
no cdp log mismatch duplex
!
!
!
!
!
!
control-plane
!
!
!
!
!
!
!
gatekeeper
shutdown
!
!
line con 0
exec-timeout 0 0
privilege level 15
logging synchronous
stopbits 1
line aux 0
exec-timeout 0 0
privilege level 15
logging synchronous
stopbits 1
line vty 0 4
login
!
end
Note: I have only one ACL.
01-08-2020 02:34 AM
Your ACL needs a "permit" statement, because there is an implicit deny under it.
access-list 15 deny 192.168.0.0 0.0.3.255
access-list 15 permit ip any any
Add the command above to your ACL and test again.
01-08-2020 06:23 AM
On a side note, the 'ip' keyword is not available on a standard access list.
access-list 15 permit ip any any
So you need to use:
access-list 15 permit any any
01-08-2020 03:01 AM
Thanks @Jaderson Pessoa, you are right. I forgot to apply the permit command.
01-08-2020 03:40 AM - edited 01-08-2020 03:41 AM
You're welcome. If possible, mark it as solved. It will help other people with the same doubt.
Good luck :)
01-08-2020 04:42 AM
Hello,
It is very unclear what you are trying to accomplish:
--> I am trying to block the 192.168.0.0 to 192.168.3.255 networks with a standard ACL but permit the 192.168.4.0 and 10.10.10.0 networks. My ACL is access-list 15 deny 192.168.0.0 0.0.3.255
Both the 192.168.0.0 and 192.168.3.0 subnets are connected to the same router, R1, while your access list is configured on R2.
What exactly do you want to block, and on which router?
01-08-2020 05:37 AM - edited 01-08-2020 06:09 AM
Hello,
@libra_ali786 wrote:
I am trying to block the 192.168.0.0 to 192.168.3.255 networks with a standard ACL but
permit the 192.168.4.0 and 10.10.10.0 networks. My ACL is access-list 15 deny 192.168.0.0 0.0.3.255, but unfortunately I am unable to ping from my 192.168.4.0 network either, and when I try to ping from 10.10.10.0 I get the following:
R1#ping 20.20.20.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 20.20.20.1, timeout is 2 seconds:
UUUUU
Success rate is 0 percent (0/5)
The above is an ICMP unreachable response message to your ping, with a code probably stating host unreachable due to your current access-list.
What you are requiring with that current ACL is not specific enough. If you wish to negate access from the 192.168.3.0/24 subnet to 192.168.0.0/16, it would be most applicable to deny this traffic as close to the source as possible, so that would mean applying an ACL on the R1 fa5/0 interface with an extended access-list.
Example:
ip access-list extended ACL_in
deny ip 192.168.0.0 0.0.255.255 any
permit ip any any
ip access-list extended ACL_out
deny ip any 192.168.0.0 0.0.255.255
permit ip any any
int fa5/0
ip access-group ACL_in in
ip access-group ACL_out out
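As an added illustration (this is my own Python, not code from the thread or from Cisco), the model below walks an access list the way IOS does: top to bottom, first match wins, and a packet that matches nothing hits the implicit deny at the end. It reproduces the behaviour discussed in the accepted answer (ACL 15 with only a deny line drops the 192.168.4.0 and 10.10.10.0 pings as well, and passes them once a permit line follows) and evaluates the extended ACL_in / ACL_out pair from the last reply on R1 fa5/0. The names Entry, evaluate, ACL15_AS_POSTED, ACL15_FIXED, ACL_IN and ACL_OUT are my own; the addresses and wildcard masks are the ones posted in the thread.

```python
"""Added example, not code from the Cisco Community thread: a small model of
how IOS evaluates an access list (top to bottom, first match wins, implicit
deny at the end), used to show why 'access-list 15 deny 192.168.0.0 0.0.3.255'
on its own drops every source, and how the extended ACL_in / ACL_out lists
from the later reply classify traffic on R1 fa5/0."""
from dataclasses import dataclass
from typing import Dict, List, Tuple

IMPLICIT_DENY = "deny (implicit)"   # verdict when no entry in the list matches


def ip_to_int(addr: str) -> int:
    """Dotted-quad string to a 32-bit integer."""
    a, b, c, d = (int(x) for x in addr.split("."))
    return (a << 24) | (b << 16) | (c << 8) | d


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """IOS wildcard mask: a 1 bit means 'do not care', a 0 bit must match.
    0.0.3.255 therefore covers 192.168.0.0 through 192.168.3.255 and nothing else."""
    care = ~ip_to_int(wildcard) & 0xFFFFFFFF
    return (ip_to_int(addr) & care) == (ip_to_int(base) & care)


@dataclass(frozen=True)
class Entry:
    """One access-list line (hypothetical model, not an IOS structure).
    A standard ACL line only ever carries action, src and src_wc; the
    destination and protocol fields exist for extended ACLs only, which is
    why 'permit ip any any' is rejected on access-list 15."""
    action: str
    src: str                  # "any" or a base address
    src_wc: str = "0.0.0.0"   # default wildcard = exact host match
    dst: str = "any"
    dst_wc: str = "0.0.0.0"
    proto: str = "ip"         # "ip" matches every IP protocol


def _addr_match(addr: str, base: str, wildcard: str) -> bool:
    return base == "any" or wildcard_match(addr, base, wildcard)


def evaluate(acl: List[Entry], src: str, dst: str, proto: str = "icmp") -> str:
    """Return the action of the first matching entry, or the implicit deny."""
    for entry in acl:
        proto_ok = entry.proto in ("ip", proto)
        if (proto_ok and _addr_match(src, entry.src, entry.src_wc)
                and _addr_match(dst, entry.dst, entry.dst_wc)):
            return entry.action
    return IMPLICIT_DENY


# R2's access-list 15 exactly as posted: one deny line and nothing after it.
ACL15_AS_POSTED = [Entry("deny", "192.168.0.0", "0.0.3.255")]
# The same list with the permit line the accepted answer adds, in standard-ACL
# syntax (no 'ip' keyword): access-list 15 permit any
ACL15_FIXED = ACL15_AS_POSTED + [Entry("permit", "any")]

# The extended lists from the later reply, applied in and out on R1 fa5/0.
ACL_IN = [Entry("deny", "192.168.0.0", "0.0.255.255"), Entry("permit", "any")]
ACL_OUT = [Entry("deny", "any", dst="192.168.0.0", dst_wc="0.0.255.255"),
           Entry("permit", "any")]


def standard_acl_demo() -> Dict[str, Tuple[str, str]]:
    """Verdict for a ping to 20.20.20.1 (ACL 15 outbound on R2 fa4/0) from each
    source seen in the thread, before and after the permit line is added.
    R1's own ping leaves via Gi1/0, so R2 sees source 10.10.10.1."""
    sources = ["192.168.2.10", "192.168.4.10", "10.10.10.1"]
    return {src: (evaluate(ACL15_AS_POSTED, src, "20.20.20.1"),
                  evaluate(ACL15_FIXED, src, "20.20.20.1"))
            for src in sources}


def extended_acl_demo() -> Dict[str, str]:
    """Verdicts on R1 fa5/0, whose hosts all source from 192.168.3.0/24."""
    return {
        "in: 192.168.3.10 -> 192.168.1.5": evaluate(ACL_IN, "192.168.3.10", "192.168.1.5"),
        "in: 192.168.3.10 -> 20.20.20.1": evaluate(ACL_IN, "192.168.3.10", "20.20.20.1"),
        "out: 20.20.20.1 -> 192.168.3.10": evaluate(ACL_OUT, "20.20.20.1", "192.168.3.10"),
        "out: 20.20.20.1 -> 10.10.10.1": evaluate(ACL_OUT, "20.20.20.1", "10.10.10.1"),
    }


if __name__ == "__main__":
    for src, (before, after) in standard_acl_demo().items():
        print(f"ACL 15 from {src:<13} as posted: {before:<16} with permit: {after}")
    for flow, verdict in extended_acl_demo().items():
        print(f"fa5/0 {flow:<34} {verdict}")
```

Running it shows the three sources all ending in the implicit deny under the posted ACL, and only 192.168.2.10 still denied once the permit line is present. The extended-list check is the kind of dry run worth doing before applying an ACL to an interface: because every host on fa5/0 has a 192.168.3.x source and the deny uses a 0.0.255.255 wildcard, ACL_in matches everything arriving on that interface and ACL_out matches everything leaving it, so whether those lists do what is wanted depends on the goal the thread itself says is unclear.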