02-25-2024 01:47 PM - last edited on 03-01-2024 10:09 PM by Translator
Hey all. I was messing around with Packet Tracer and a standard ACL assignment and got to creating different ACLs and putting them on different ports and directions just to get a better feel, and I came to a situation where something didn't make sense. In this exercise, I created an ACL:
permit host 192.168.100.100
deny any
And just for fun, I put it on the F0/0 (circled red) router interface in the out direction (basically back to the web server). I know this isn't correct, I was just checking to see what type of behavior would occur. The intent eventually was to only allow the web server to ping PC2, which I know would require putting it on the Eth0/0/0 out interface. Once I did this, I couldn't ping PC2. What I BELIEVE is happening is that the ping is getting TO PC2, but it cannot return due to the "deny any" command. I assume I would have to add a "permit host 192.168.10.3" before the "deny any" to make this work correctly?
02-25-2024 02:03 PM
Hello,
That is correct. Also, to achieve "The intent eventually was to only allow the web server to ping PC2" you would need an Extended ACL to match on protocols as well. With a standard ACL you can only match on source IP address, regardless of what it is trying to achieve.
-David
02-25-2024 04:39 PM
To expand a bit on what @David Ruess describes, with an extended ACL you could match on ICMP type, i.e. restrict to just ping request and/or ping reply.
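The behaviour the three posts above describe can be checked without a lab. The following is an added example, not code from the thread or from Cisco: a small first-match ACL evaluator with an implicit deny, and a ping round trip through the router. The addresses 192.168.100.100 (web server) and 192.168.10.3 (PC2) are the ones in the question; the topology (web server behind F0/0, PC2 behind Eth0/0/0) and the second host 192.168.100.50 are assumptions. It shows the reply being dropped by the standard ACL on F0/0 out, the fix of permitting the reply's source, and why only an extended ACL restricts the web server to ICMP echo.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str = "icmp"                 # "icmp", "tcp", ...
    icmp_type: Optional[str] = None     # "echo" (request) or "echo-reply"


@dataclass(frozen=True)
class Entry:
    action: str                         # "permit" or "deny"
    src: str = "any"                    # "any", "host A.B.C.D" or "A.B.C.D/len"
    proto: str = "ip"                   # standard entries use "ip": any protocol
    dst: str = "any"
    icmp_type: Optional[str] = None


def addr_match(spec: str, addr: str) -> bool:
    if spec == "any":
        return True
    if spec.startswith("host "):
        return ip_address(spec.split()[1]) == ip_address(addr)
    return ip_address(addr) in ip_network(spec, strict=False)


def evaluate(acl, pkt: Packet) -> bool:
    """First matching entry wins; an unmatched packet hits the implicit deny."""
    for e in acl:
        if not addr_match(e.src, pkt.src):
            continue
        if e.proto != "ip":                       # extended entry: check the rest
            if e.proto != pkt.proto or not addr_match(e.dst, pkt.dst):
                continue
            if e.icmp_type is not None and e.icmp_type != pkt.icmp_type:
                continue
        return e.action == "permit"
    return False


WEB = "192.168.100.100"     # web server, from the question
PC2 = "192.168.10.3"        # PC2, from the question
OTHER = "192.168.100.50"    # constructed: another host on the web server's LAN

# Assumed topology: web server behind F0/0, PC2 behind Eth0/0/0.
# The request enters F0/0 and leaves Eth0/0/0; the reply enters Eth0/0/0 and leaves F0/0.
REQUEST_PATH = [("F0/0", "in"), ("Eth0/0/0", "out")]
REPLY_PATH = [("Eth0/0/0", "in"), ("F0/0", "out")]


def traverse(pkt: Packet, path, acls) -> bool:
    # An interface/direction with no ACL applied forwards everything.
    return all(hop not in acls or evaluate(acls[hop], pkt) for hop in path)


def ping(acls, src: str = WEB):
    """Return (request_delivered, reply_delivered) for src pinging PC2."""
    req = Packet(src, PC2, "icmp", "echo")
    rep = Packet(PC2, src, "icmp", "echo-reply")
    req_ok = traverse(req, REQUEST_PATH, acls)
    rep_ok = req_ok and traverse(rep, REPLY_PATH, acls)
    return req_ok, rep_ok


# The standard ACL from the question.
STANDARD = [Entry("permit", f"host {WEB}"), Entry("deny")]


def original_post():
    """Standard ACL on F0/0 out: the request arrives, the reply is denied."""
    return ping({("F0/0", "out"): STANDARD})


def with_reply_source_permitted():
    """Permitting PC2 before 'deny any' lets the echo-reply back out F0/0."""
    return ping({("F0/0", "out"): [Entry("permit", f"host {PC2}")] + STANDARD})


# Extended ACL: only ICMP echo from the web server to PC2.
EXTENDED = [Entry("permit", f"host {WEB}", "icmp", f"host {PC2}", "echo"),
            Entry("deny")]


def compare_on_eth_out(acl):
    """(web ping, other-host ping, web TCP forwarded?) with acl on Eth0/0/0 out."""
    acls = {("Eth0/0/0", "out"): acl}
    tcp = Packet(WEB, PC2, "tcp")
    return ping(acls), ping(acls, src=OTHER), traverse(tcp, REQUEST_PATH, acls)


if __name__ == "__main__":
    print("standard on F0/0 out:", original_post())                 # (True, False)
    print("plus permit PC2:", with_reply_source_permitted())         # (True, True)
    print("standard on Eth0/0/0 out:", compare_on_eth_out(STANDARD))
    print("extended on Eth0/0/0 out:", compare_on_eth_out(EXTENDED))
```

The last two lines are the point David makes: on Eth0/0/0 out both ACLs let the web server ping PC2 and block the other host, but the standard ACL also forwards the web server's TCP traffic, while the extended ACL forwards only the echo request.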
02-25-2024 05:39 PM - last edited on 03-01-2024 10:10 PM by Translator
Thank you. I was just wanting to make sure that it was the return trip for the ping that was getting blocked. I wasn't sure if the "permit" command would cover it both ways, even though the ACL is directional.