11-22-2010 06:26 AM - edited 03-04-2019 10:32 AM
Hi Everyone,
If you all look at the attached image:
What I'm trying to get working is that 82.170.250.10 must be able to ping the webserver but not 10.0.0.10 (internal network).
I've got this problem fixed by giving an ACL command on the intern_router on the serial interface, by typing the command:
access-list 1 deny 82.170.250.0 0.0.0.255
access-list 1 permit any
But when I give this ACL command on the intern_router, the client 10.0.0.10 cannot ping 82.170.250.10.
What ACL command do I have to use, and on which interface, to make sure that the 10.0.0.10 client can ping 82.170.250.10 and not the other way around?
Or what is the best option to accomplish this?
Thanks already!
11-22-2010 06:37 AM
Can you be a little bit clearer please?
What do you want exactly? Pinging the webserver in the DMZ from the inside network only and not from the outside network? Is that so? And on which router do you want to implement this?
Regards.
11-22-2010 06:55 AM
access-list 101 permit icmp host 82.170.250.10 host 10.0.0.10 echo-reply
access-list 101 deny ip host 82.170.250.10 host 10.0.0.10
access-list 101 permit ip any any
On the intern2 router:
int fa0/0 <-- this is the interface connecting to switch1 in your diagram
ip access-group 101 in
Note the above will stop 82.170.250.10 pinging 10.0.0.10, but it won't stop it:
1) pinging any other 10.0.0.x host
2) connecting to any 10.0.0.x host, including 10.0.0.10, on any other port.
If you want to deny access from 82.170.250.10 to all 10.0.0.0/24 addresses for anything other than a ping reply to 10.0.0.10:
access-list 101 permit icmp host 82.170.250.10 host 10.0.0.10 echo-reply
access-list 101 deny ip host 82.170.250.10 10.0.0.0 0.0.0.255 <-- I'm assuming the subnet is 10.0.0.0 255.255.255.0
access-list 101 permit ip any any
Jon
11-22-2010 07:04 AM
Thanks a lot Jon, and Cadetalain, for the quick responses!
I'm going to try this at home tonight, Jon; hope it will work. So I can delete the other ACL command now.
11-23-2010 11:45 PM
Hi Jon,
Thanks again for your reply, it worked perfectly for me.
I just forgot one thing to ask: which command can I use to make sure that all clients from 10.0.0.1 can ping 82.170.250.10?
Denying the 82. network pinging 10.0 worked just fine, but how about all of 10. being able to ping 82.?
Thanks again for your reply!
11-24-2010 01:34 AM
Assuming you are using the 2nd ACL, i.e.
access-list 101 permit icmp host 82.170.250.10 host 10.0.0.10 echo-reply
access-list 101 deny ip host 82.170.250.10 10.0.0.0 0.0.0.255
access-list 101 permit ip any any
just change the first line of the ACL to:
access-list 101 permit icmp host 82.170.250.10 host 10.0.0.0 0.0.0.255 echo-reply
so your full ACL now looks like:
access-list 101 permit icmp host 82.170.250.10 host 10.0.0.0 0.0.0.255 echo-reply
access-list 101 deny ip host 82.170.250.10 10.0.0.0 0.0.0.255
access-list 101 permit ip any any
Jon
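As an added example (not code from the thread, nor from Cisco), the following Python script models how IOS evaluates the two extended ACLs Jon posted, first-match with an implicit deny at the end, so the caveats in his first answer and the behaviour of the final ACL can be checked offline. It only understands the syntax used in the thread (`access-list N permit|deny ip|icmp SRC DST [icmp-type]`, with `any`, `host A.B.C.D`, or `A.B.C.D WILDCARD` as an address), and it rejects `host 10.0.0.0 0.0.0.255` the way the router does, because `host` takes exactly one address; the final ACL below is therefore written with that keyword dropped. The hosts and the 10.0.0.0/24 subnet are the ones from the thread; the ICMP keyword list and the packet samples are constructed for the example.

```python
"""Model of how Cisco IOS evaluates the extended ACLs posted in the thread.

Added example, not code from the thread or from Cisco.  It covers only the
syntax the thread uses:  access-list N permit|deny ip|icmp SRC DST [icmp-type]
where SRC/DST is `any`, `host A.B.C.D`, or `A.B.C.D WILDCARD`.
Matching is first-match with an implicit deny at the end, which is what an
ACL applied with `ip access-group 101 in` does to packets arriving on fa0/0.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# ICMP type keywords accepted after `icmp SRC DST` (a subset of IOS keywords).
ICMP_TYPES = {"echo", "echo-reply", "unreachable", "time-exceeded", "redirect"}


@dataclass
class Ace:
    """One access-control entry; address specs are (network, wildcard) ints."""
    action: str
    proto: str
    src: Tuple[int, int]
    dst: Tuple[int, int]
    icmp_type: Optional[str] = None


@dataclass
class Packet:
    src: str
    dst: str
    proto: str                     # "icmp", "tcp" or "udp"
    icmp_type: Optional[str] = None


def _ip(text: str) -> int:
    return int(ipaddress.IPv4Address(text))


def _parse_addr(tokens: List[str], i: int) -> Tuple[Tuple[int, int], int]:
    """Consume one address spec at tokens[i]; return (spec, next index)."""
    if tokens[i] == "any":
        return (0, 0xFFFFFFFF), i + 1
    if tokens[i] == "host":                      # `host` takes exactly one address
        return (_ip(tokens[i + 1]), 0), i + 2
    return (_ip(tokens[i]), _ip(tokens[i + 1])), i + 2   # network + wildcard


def parse_ace(line: str) -> Ace:
    """Parse one `access-list ...` line; raise ValueError like IOS '% Invalid input'."""
    t = line.split()
    if t[0] != "access-list" or t[2] not in ("permit", "deny") or t[3] not in ("ip", "icmp"):
        raise ValueError(f"% Invalid input in '{line}'")
    src, i = _parse_addr(t, 4)
    dst, i = _parse_addr(t, i)
    icmp_type = None
    if i < len(t):
        # Only `icmp` entries may carry one trailing type keyword.  For
        # `host 10.0.0.0 0.0.0.255 echo-reply`, `host` consumed 10.0.0.0 and
        # '0.0.0.255' is left where a keyword is expected, so it is rejected.
        if t[3] != "icmp" or t[i] not in ICMP_TYPES or i != len(t) - 1:
            raise ValueError(f"% Invalid input detected at '{t[i]}'")
        icmp_type = t[i]
    return Ace(t[2], t[3], src, dst, icmp_type)


def is_valid_ace(line: str) -> bool:
    try:
        parse_ace(line)
        return True
    except (ValueError, IndexError):
        return False


def _matches(spec: Tuple[int, int], addr: str) -> bool:
    net, wild = spec                     # a set wildcard bit means "don't care"
    care = ~wild & 0xFFFFFFFF
    return (_ip(addr) & care) == (net & care)


def evaluate(acl: List[Ace], pkt: Packet) -> str:
    """Return 'permit' or 'deny' from the first matching entry (implicit deny)."""
    for ace in acl:
        if ace.proto != "ip" and ace.proto != pkt.proto:
            continue
        if not (_matches(ace.src, pkt.src) and _matches(ace.dst, pkt.dst)):
            continue
        if ace.icmp_type is not None and ace.icmp_type != pkt.icmp_type:
            continue
        return ace.action
    return "deny"


def check(acl_lines: List[str], src: str, dst: str, proto: str, icmp_type=None) -> str:
    return evaluate([parse_ace(l) for l in acl_lines], Packet(src, dst, proto, icmp_type))


# Jon's first ACL (single-host deny) and the final ACL, with `host` dropped
# before the network/wildcard pair, which is the form IOS accepts.
FIRST_ACL = [
    "access-list 101 permit icmp host 82.170.250.10 host 10.0.0.10 echo-reply",
    "access-list 101 deny ip host 82.170.250.10 host 10.0.0.10",
    "access-list 101 permit ip any any",
]
FINAL_ACL = [
    "access-list 101 permit icmp host 82.170.250.10 10.0.0.0 0.0.0.255 echo-reply",
    "access-list 101 deny ip host 82.170.250.10 10.0.0.0 0.0.0.255",
    "access-list 101 permit ip any any",
]
# The line as posted, which the router rejects at the '0.0.0.255' token.
REJECTED_LINE = "access-list 101 permit icmp host 82.170.250.10 host 10.0.0.0 0.0.0.255 echo-reply"

if __name__ == "__main__":
    print("rejected line valid?", is_valid_ace(REJECTED_LINE))
    print("final: echo-reply to 10.0.0.25", check(FINAL_ACL, "82.170.250.10", "10.0.0.25", "icmp", "echo-reply"))
    print("final: echo to 10.0.0.25     ", check(FINAL_ACL, "82.170.250.10", "10.0.0.25", "icmp", "echo"))
    print("final: tcp to 10.0.0.10      ", check(FINAL_ACL, "82.170.250.10", "10.0.0.10", "tcp"))
    print("first: echo to 10.0.0.25     ", check(FIRST_ACL, "82.170.250.10", "10.0.0.25", "icmp", "echo"))
```

Two points worth noting from running it. With the first ACL, an echo request from 82.170.250.10 to any host other than 10.0.0.10 is permitted by the final `permit ip any any`, which is the gap Jon describes; with the final ACL only echo-reply gets through to 10.0.0.0/24 and everything else from that host, including TCP and other ICMP types, is denied, while traffic sourced from 10.0.0.x towards 82.170.250.10 still matches `permit ip any any`. The `permit ... echo-reply` entry is stateless: the router does not check that a matching echo request was ever sent, so any echo-reply packet from 82.170.250.10 is accepted whether or not a 10.0.0.x host asked for it.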
11-24-2010 12:40 PM
Hi Jon,
The command doesn't work. Could it be that it won't work because it's not a HOST but a NETWORK?
Router(config)#access-list 101 permit icmp host 82.170.250.10 host 10.0.0.0 0.0.0.255 echo-reply
^
% Invalid input detected at '^' marker.
The marker is pointing to the subnet part of the command. I thought maybe it's because the command is for a host and not for a network?
11-24-2010 12:57 PM
Hi Jon
Never mind, I got it fixed. I just didn't type the 0.0.0.255 echo-reply and now it worked!
Thanks a lot!
11-23-2010 02:21 AM
It worked!
Jon, thanks a lot! It worked for me, and the second option, for the whole network and not only the client, worked also.
So thanks again!