Blocking a range of ip addresses from pinging.

chris_c987
Level 1

Hello, I am practising for a virtual day school which is soon, and one task is to stop any IP address from 10.0.0.32 to 10.0.0.127 from pinging 123.123.123.123, yet allow all other addresses.

 

123 is on a loopback with subnet /24.

 

Here is what I have come up with:

#ip access-list extended FILTER-PING
#Remark To filter networks 10.0.0.32-127 from pinging 123.123.123.123
#deny icmp 10.0.0.32 0.0.0.255 123.123.123.123 0.0.0.255 gt icmp
#permit ip any any

 

Now it has an issue with any operator I use, so I just went without the gt icmp.

Applying it to g0/0/1 (where the 2 PCs are going to travel into), as in:

pinging from either PC to 123 won't work anymore (PC0 is 10.0.0.100 and .200 for PC1)

checking the access-list is:

 

10 deny icmp 10.0.0.0 0.0.0.255 123.123.123.0 0.0.0.255 (8 match(es))

20 permit ip any any

 

Can someone explain why it goes to .0, and how do you see the 8 matches?

I have no idea what I'm doing, so please help me. My brain is broken from this.

[Attachment gg.png: topology]


7 Replies

Hello,

 

First thing is it defaulted to 10.0.0.0 because that is the network statement of the /24 address for the wildcard you entered of 0.0.0.255.

The wildcard is basically the inverse of a network mask. So 0.0.0.255 is 255.255.255.0 in subnet mask form which is /24. The network range you are trying to deny is not a /24.

 

Secondly, you blocked it from pinging the whole 123.123.123.0/24 network. According to your question you only want the host of 123.123.123.123 denied. If not and you do want the whole 123.123.123.0/24 network denied keep that as is in the ACL.

 

Try this:

 

ip access-list extended 101
deny icmp 10.0.0.0 0.0.0.127 host 123.123.123.123 log
permit ip any any

 

You can append the 'log' statement after to see the logs of the matches when the ACL is matched.

 

*Note this will block the IP range 10.0.0.0-10.0.0.127 from pinging (make sure you apply the ACL in the correct direction; for an extended ACL I believe it's closest to the source interface)

 

The way subnets work and the range you specified, those IPs fall within a subnet with other IPs as well. If you want to deny only that specific range of IPs, you will have to be a little more creative with your ACL and use more 'deny' statements before the permit.

 

Hope that helps

 

-David

Hello David,

 

Thanks for responding. I tried to input your command, but unfortunately it gives

Invalid input detected at '^' marker.

below log.

Anything else I can try? I guess I should add I am using packet tracer if that has any value to something.

Yeah, I tried in Packet Tracer and don't think it's allowed. Most full-feature devices on actual hardware or simulators will allow it though. Packet Tracer is an emulator, so its features are limited.

 

The rest of the command should work though.

 

and as @Flavio Miranda said if you are seeing matches it is blocking traffic defined in the ACL.

Ok, some progress, thanks for your help. So without the log part, which I can still use for the day school as it uses real hardware, I can successfully ping from 10.0.0.200 to 123.123.123.123 and .100 is not able to.

So now I need to figure out how to allow IP addresses 10.0.0.1 to .31, since the question asks for the range between 10.0.0.32-10.0.0.127.

 

I played around with the IP addresses on the PCs and anything above 127 works as intended.

 


@David Ruess wrote:

Note this will block the IP range 10.0.0.0-10.0.0.127 from pinging (make sure you apply the ACL in the correct direction; for an extended ACL I believe it's closest to the source interface)

The way subnets work and the range you specified, those IPs fall within a subnet with other IPs as well. If you want to deny only that specific range of IPs, you will have to be a little more creative with your ACL and use more 'deny' statements before the permit.

Hope that helps

Now yes, I guess I have to add more statements to my ACL. Would a permit icmp 10.0.0.0 0.0.0.31 work here? Since that wildcard covers about 32 hosts.

Actually I believe it would. Statements in order would:

Allow the .1-.31 hosts

Deny the .1-.127 hosts (however, it would only deny .32-.127 because any .1-.31 host was already permitted by the above statement)

Permit everything else.

ip access-list extended 101
permit icmp 10.0.0.0 0.0.0.31 host 123.123.123.123
deny icmp 10.0.0.0 0.0.0.127 host 123.123.123.123
permit ip any any

That SHOULD work. I'm a little rusty on my wildcard/subnet bits. Give it a try and let us know!

 
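An added example, not code from the thread: a small Python model of Cisco-style wildcard matching and top-to-bottom ACL evaluation, covering both David's point that 0.0.0.255 is a /24 wildcard (so 10.0.0.32 is stored as 10.0.0.0) and the three-line ACL above, which permits .1-.31, denies .32-.127 and permits the rest. The function names (`normalize`, `matches`, `evaluate`, `denied_hosts`) are my own, and only ICMP echo from 10.0.0.x is modelled.

```python
# Added example, not code from the thread: a minimal model of how IOS
# applies wildcard masks and walks an extended ACL top to bottom.
# Only ICMP echo from 10.0.0.x is modelled, so the protocol field is left out.
from ipaddress import IPv4Address

def to_int(ip: str) -> int:
    return int(IPv4Address(ip))

def normalize(addr: str, wildcard: str) -> str:
    """IOS clears every address bit the wildcard marks as 'don't care'.
    That is why 10.0.0.32 0.0.0.255 was stored as 10.0.0.0 0.0.0.255."""
    return str(IPv4Address(to_int(addr) & ~to_int(wildcard) & 0xFFFFFFFF))

def matches(ip: str, addr: str, wildcard: str) -> bool:
    """Wildcard bit 1 = ignore this bit, 0 = must match the address bit."""
    care = ~to_int(wildcard) & 0xFFFFFFFF
    return (to_int(ip) & care) == (to_int(addr) & care)

ANY = ("0.0.0.0", "255.255.255.255")       # 'any'
LOOPBACK = ("123.123.123.123", "0.0.0.0")  # 'host 123.123.123.123'

# Each line: (action, src_addr, src_wildcard, dst_addr, dst_wildcard).
# The original post's line as IOS stored it: denies the whole 10.0.0.0/24.
FIRST_ATTEMPT = [
    ("deny", "10.0.0.0", "0.0.0.255", "123.123.123.0", "0.0.0.255"),
    ("permit", *ANY, *ANY),
]
# The accepted solution: permit .0-.31 first, then deny .0-.127, then permit.
ACCEPTED_SOLUTION = [
    ("permit", "10.0.0.0", "0.0.0.31", *LOOPBACK),
    ("deny", "10.0.0.0", "0.0.0.127", *LOOPBACK),
    ("permit", *ANY, *ANY),
]

def evaluate(acl, src: str, dst: str) -> str:
    """First matching line wins; an ACL ends with an implicit deny."""
    for action, sa, sw, da, dw in acl:
        if matches(src, sa, sw) and matches(dst, da, dw):
            return action
    return "deny"

def denied_hosts(acl, dst: str = "123.123.123.123") -> list:
    """Which 10.0.0.1-254 hosts the ACL stops from pinging dst."""
    return [x for x in range(1, 255) if evaluate(acl, f"10.0.0.{x}", dst) == "deny"]

if __name__ == "__main__":
    print(normalize("10.0.0.32", "0.0.0.255"))      # 10.0.0.0
    print(denied_hosts(FIRST_ATTEMPT)[:3], "...")   # [1, 2, 3] ... (every host)
    print(denied_hosts(ACCEPTED_SOLUTION))          # [32, 33, ..., 127]
```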

This is perfect! Thank you so much for the help! Changed the IP of PC0 to 10.0.0.30 and it was successful and PC1 to 10.0.0.120 and it said unreachable which is the point of the ACL for that range!

A bit confused.

You see 8 matches because your access list worked. It drops 8 ping packets. Isn't that what you want?
