
ACL

muos
Level 1

I'm a total newbie so sorry this  

I'm using Cisco Packet Tracer. I'm simply trying to stop ICMP ping from a PC (192.168.3.4) to the Router 2811 (192.168.4.1).

access-list 101 deny icmp 192.168.4.3 0.0.0.0 

I get Incomplete 

access-list 101 deny icmp 192.168.4.3 0.0.0.0 echo

if I add echo I get Invalid Input

Any help welcome  

12 Replies

balaji.bandi
Hall of Fame

If you are looking only for host to host, try below:

access-list 101 deny icmp host 192.168.4.3 host 192.168.4.1 echo

Note: make sure you attach it to an interface to deny.

Example:

interface x/x

ip access-group 101 in

BB

muos
Level 1

Balaji thank you 

If you use standard then you can

<source IP> <source mask>

If you use extended ACL then you need

<source IP> <source mask> <destination IP> <destination mask>

Here in your ACL you use extended and use only source IP & mask, you need destination IP & mask.

To add a point to @MHM Cisco World's info, when using numbered access lists, under 100 are standard (just source), 100 and over are extended (source and destination). As you were using ACL number 101, this is why you keep getting an "incomplete" error.

Also, similar requirement if using named ACLs, i.e. standard named ACLs only have source, extended named ACLs have source and destination.

BTW, are you familiar with "?" when entering IOS commands?

How very helpful, Joseph thank you very much

muos
Level 1

sorry for being so lame

access-list 101 deny icmp host 192.168.4.3 host 192.168.4.1 echo 

 

Then, from what I read, if I don't add a permit I can't ping from other devices because of an explicit deny Cisco IOS adds at the end of the ACL.

I've tried 

access-list 101 permit ip 192.168.4.1 0.0.0.255 any ............................

No joy, sorry guys, where am I going wrong?

What is the direction you apply this ACL?

muos
Level 1

I want to block ICMP from 192.168.4.3 (PC) in to the Router on f0/0 which works 

I have another network 192.168.2.x and when I ping the router it also fails... I hope that makes sense  

access-list 101 permit ip 192.168.4.1 0.0.0.255 any

<<- but I see 192.168.4.1 instead of 192.168.2.x

muos
Level 1

It works sir! Thank you. Is a global setting to allow all regardless of the IP range?

muos
Level 1

That should read "is there a global

access-list 101 permit ip 192.168.2.x 0.0.0.255 any
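
The first-match and implicit-deny behaviour discussed in this thread, as an added example that is not part of any participant's post: a small Python model of how the ACL 101 variants posted above treat pings to 192.168.4.1. The helper names (Rule, evaluate, ping), the host 192.168.2.10 and the use of 192.168.2.0 for the thread's 192.168.2.x are assumptions, and the model assumes every packet arrives on the interface where ACL 101 is applied inbound.

```python
# Added illustration, not code from the thread: first-match evaluation of an
# IOS-style extended ACL. Rule/evaluate/ping are hypothetical helper names.
from dataclasses import dataclass
from ipaddress import IPv4Address as IP

@dataclass
class Rule:
    action: str                        # "permit" or "deny"
    proto: str                         # "ip" matches every protocol
    src: str
    src_wild: str                      # wildcard mask: 1 bits are "don't care"
    dst: str = "0.0.0.0"
    dst_wild: str = "255.255.255.255"  # default stands in for "any"
    icmp_type: str = ""                # e.g. "echo"; empty matches all types

def wild_match(addr, base, wild):
    care = ~int(IP(wild)) & 0xFFFFFFFF  # bits that must be equal
    return (int(IP(addr)) & care) == (int(IP(base)) & care)

def evaluate(acl, proto, src, dst, icmp_type=""):
    """Return the action of the first matching rule, else the implicit deny."""
    for r in acl:
        if r.proto not in ("ip", proto):
            continue
        if r.icmp_type and r.icmp_type != icmp_type:
            continue
        if wild_match(src, r.src, r.src_wild) and wild_match(dst, r.dst, r.dst_wild):
            return r.action
    return "deny"  # nothing matched: the deny at the end of every ACL

# access-list 101 deny icmp host 192.168.4.3 host 192.168.4.1 echo
deny_pc = Rule("deny", "icmp", "192.168.4.3", "0.0.0.0",
               "192.168.4.1", "0.0.0.0", "echo")
acl_deny_only = [deny_pc]
# 192.168.4.1 0.0.0.255 covers 192.168.4.0-255, not the 192.168.2.x network
acl_wrong_permit = [deny_pc, Rule("permit", "ip", "192.168.4.1", "0.0.0.255")]
# 192.168.2.0 is assumed here for the thread's "192.168.2.x"
acl_fixed = [deny_pc, Rule("permit", "ip", "192.168.2.0", "0.0.0.255")]

def ping(acl, src):
    """Outcome of an ICMP echo from src to the router address 192.168.4.1."""
    return evaluate(acl, "icmp", src, "192.168.4.1", "echo")

if __name__ == "__main__":
    cases = [("deny only", acl_deny_only), ("wrong permit", acl_wrong_permit),
             ("fixed", acl_fixed)]
    for name, acl in cases:
        # 192.168.2.10 is a constructed host on the second network
        print(name, {s: ping(acl, s) for s in ("192.168.4.3", "192.168.2.10")})
```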