ACL question

jasonfaas
Level 1

Hey all.  I was messing around with Packet Tracer and a standard ACL assignment and got to creating different ACLs and putting them on different ports and directions just to get a better feel, and I came to a situation where something didn't make sense.  In this exercise, I created an ACL:

permit host 192.168.100.100

deny any

And just for fun, I put it on the F0/0 (circled red) router interface in the out direction (basically back to the web server).  I know this isn't correct, I was just checking to see what type of behavior would occur.  The intent eventually was to only allow the web server to ping PC2, which I know would require putting it on the Eth0/0/0 out interface.  Once I did this, I couldn't ping PC2.  What I BELIEVE is happening is that the ping is getting TO PC2, but it cannot return due to the

deny any

command.  I assume I would have to add a

permit host 192.168.10.3

before the

deny any

to make this work correctly?

2 Accepted Solutions

Hello,


That is correct. Also, to achieve "The intent eventually was to only allow the web server to ping PC2" you would need an extended ACL to match on protocols as well. With a standard ACL you can only match on source IP address, regardless of what it is trying to achieve.


-David


To expand a bit on what @David Ruess describes, with an extended ACL you could match on ICMP type, i.e. restrict to just ping request and/or ping reply.

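To make the two answers above concrete, here is an added toy model of first-match ACL evaluation (it is not code from this thread, from Cisco, or from Packet Tracer; it only mimics IOS semantics). It assumes, from the question, that F0/0 faces the web server (192.168.100.100) and Eth0/0/0 faces PC2, that PC2's address is 192.168.10.3 (inferred from the proposed "permit host 192.168.10.3" line), and it adds a constructed third host 192.168.100.200 to show what the extended ACL blocks. Scenario 1 reproduces the question: the echo request passes because nothing is bound on its path, while the echo reply is dropped by the implicit/explicit "deny any" outbound on F0/0. Scenario 2 adds the permit for PC2. Scenario 3 uses an extended entry matching ICMP echo from the web server to PC2, which is what both accepted answers recommend:

```python
"""Toy first-match ACL evaluator: standard (source-only) vs extended entries."""
from dataclasses import dataclass
from typing import Optional

# Addresses: the web server and PC2 come from the thread (PC2 is assumed from the
# proposed "permit host 192.168.10.3"); OTHER_HOST is constructed for illustration.
WEB_SERVER = "192.168.100.100"
PC2 = "192.168.10.3"
OTHER_HOST = "192.168.100.200"


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str = "ip"                # "ip", "icmp", "tcp", ...
    icmp_type: Optional[str] = None  # "echo" / "echo-reply" when proto == "icmp"


@dataclass(frozen=True)
class Entry:
    action: str                      # "permit" or "deny"
    src: str = "any"
    dst: str = "any"                 # ignored by a standard ACL
    proto: str = "ip"                # ignored by a standard ACL; "ip" = any protocol
    icmp_type: Optional[str] = None  # ignored by a standard ACL


def _addr_matches(rule: str, addr: str) -> bool:
    return rule == "any" or rule == addr


def _entry_matches(e: Entry, p: Packet, standard: bool) -> bool:
    if not _addr_matches(e.src, p.src):
        return False
    if standard:                     # standard ACL: source address is all it sees
        return True
    if not _addr_matches(e.dst, p.dst):
        return False
    if e.proto != "ip" and e.proto != p.proto:
        return False
    if e.icmp_type is not None and e.icmp_type != p.icmp_type:
        return False
    return True


def evaluate(acl: list, p: Packet, standard: bool) -> str:
    """First matching entry wins; every ACL ends with an implicit deny."""
    for e in acl:
        if _entry_matches(e, p, standard):
            return e.action
    return "deny"


def forward(p: Packet, in_if: str, out_if: str, bindings: dict) -> str:
    """bindings maps (interface, "in"|"out") -> (acl, is_standard).
    The inbound ACL of the ingress interface is checked, then the outbound ACL of
    the egress interface. Each direction is evaluated independently: a permit for
    the request says nothing about the reply travelling the other way."""
    for key in ((in_if, "in"), (out_if, "out")):
        if key in bindings:
            acl, standard = bindings[key]
            if evaluate(acl, p, standard) == "deny":
                return "denied on %s %s" % key
    return "forwarded"


def ping_outcome(bindings: dict, src: str = WEB_SERVER) -> tuple:
    """Echo request src -> PC2 enters F0/0 and leaves Eth0/0/0; the reply reverses that."""
    request = Packet(src, PC2, "icmp", "echo")
    reply = Packet(PC2, src, "icmp", "echo-reply")
    req_result = forward(request, "F0/0", "Eth0/0/0", bindings)
    if req_result != "forwarded":
        return (req_result, "no reply: request never reached PC2")
    return (req_result, forward(reply, "Eth0/0/0", "F0/0", bindings))


def web_tcp_to_pc2(bindings: dict) -> str:
    """A non-ICMP packet from the web server, to show what the extended ACL adds."""
    return forward(Packet(WEB_SERVER, PC2, "tcp"), "F0/0", "Eth0/0/0", bindings)


# Scenario 1: the standard ACL from the question, applied outbound on F0/0.
STANDARD_ACL = [Entry("permit", WEB_SERVER), Entry("deny")]
scenario1 = {("F0/0", "out"): (STANDARD_ACL, True)}

# Scenario 2: the asker's proposed fix, permitting PC2 before "deny any".
FIXED_STANDARD_ACL = [Entry("permit", WEB_SERVER), Entry("permit", PC2), Entry("deny")]
scenario2 = {("F0/0", "out"): (FIXED_STANDARD_ACL, True)}

# Scenario 3: extended ACL outbound on Eth0/0/0 that only lets ICMP echo from the
# web server reach PC2; anything else from anyone hits the explicit deny.
EXTENDED_ACL = [Entry("permit", WEB_SERVER, PC2, "icmp", "echo"), Entry("deny")]
scenario3 = {("Eth0/0/0", "out"): (EXTENDED_ACL, False)}

if __name__ == "__main__":
    print(ping_outcome(scenario1))              # ('forwarded', 'denied on F0/0 out')
    print(ping_outcome(scenario2))              # ('forwarded', 'forwarded')
    print(ping_outcome(scenario3))              # ('forwarded', 'forwarded')
    print(ping_outcome(scenario3, OTHER_HOST))  # request denied on Eth0/0/0 out
    print(web_tcp_to_pc2(scenario3))            # denied on Eth0/0/0 out
```

Scenario 3 leaves the return path unfiltered, which is enough for "only the web server may ping PC2"; if the reply direction also had to be locked down, a second extended ACL outbound on F0/0 permitting only ICMP echo-reply from PC2 to the web server would be the matching entry, which is the ICMP-type matching the second answer points at.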

3 Replies

jasonfaas
Level 1

Thank you.  I was just wanting to make sure that it was the return trip for the ping that was getting blocked.  I wasn't sure if the

permit

command would cover it both ways, even though the ACL is directional.
