01-24-2023 08:32 AM
Sorry for the vague title but the character limit is very restrictive. Here's the question I actually wanted to ask:
In Packet Tracer, when I am creating an extended access-list, how do I deny all traffic except on the routes that I have already explicitly permitted?
Typing "access-list 100 deny any" doesn't work, even though it does on a fresh access-list, oddly enough.
01-24-2023 09:04 AM
In Packet Tracer, when creating an extended access-list, you can use the "deny any" command at the end of the list to deny all traffic that doesn't match any of the previous permit statements.
Here is an example of how to do this:
access-list 100 permit ip host 10.1.1.1 host 10.2.2.2
access-list 100 permit ip host 10.1.1.2 host 10.2.2.1
access-list 100 deny any
This will permit traffic from IP 10.1.1.1 to IP 10.2.2.2 and from IP 10.1.1.2 to IP 10.2.2.1 and deny any other traffic that doesn't match any of the previous permit statements.
It's important to keep in mind that this is a conceptual example and the IP addresses, protocol, and ports may differ according to your scenario.
Also, make sure that you're applying this access-list to the correct interface and direction.
Also, you can use the following command to check the access-list
show access-list
and
show access-list 100
to confirm that the access-list is correct.
Please rate this and mark as solution/answer, if this resolved your issue
All the best,
AK
01-24-2023 09:31 AM
"access-list 100 deny any" doesn't work; the console calls it an invalid input after the "a" in "any". When I use ? it says that "ahp" is the only acceptable input. Any idea why this is or how to fix it?
01-24-2023 09:44 AM
Hmm, interesting.
Normally an extended ACL (numbered 100 and above) needs a source and destination parameter, e.g. "access-list 100 deny any any", but as the source "any", basically, negates the need for the destination "any", I wonder if PT is trying to be "clever" in some situations.
That aside, do keep in mind that PT is a simulator, often missing features, and often (much) more buggy than the real devices.
01-24-2023 09:52 AM
"access-list 100 deny any" is the correct syntax for a standard access-list, but in extended access-lists, the keyword "any" is not used. Instead, you can use "0.0.0.0 0.0.0.0" as the source and destination IP addresses to match any IP address.
To deny all traffic except on the routes that you have already explicitly permitted, you can use the following syntax:
access-list 100 deny [source IP] [source wildcard mask] [destination IP] [destination wildcard mask]
access-list 100 permit [permitted source IP] [permitted source wildcard mask] [permitted destination IP] [permitted destination wildcard mask]
Then you need to apply the access-list to an interface
interface [interface]
ip access-group 100 in
This will deny all traffic that does not match the permitted source and destination IP addresses specified in the access-list.
Keep in mind that the above commands are only valid for Packet Tracer, and may be different in your actual network device.
Please rate this and mark as solution/answer, if this resolved your issue
All the best,
AK
01-24-2023 10:34 AM
". . . the keyword "any" is not used."
Eh?
01-24-2023 10:18 AM
Hello,
I think you need the 'ip' keyword:
access-list 100 deny ip any any
If that does not work, post your zipped Packet Tracer project (.pkt) file...
01-24-2023 10:32 AM
Oops, my bad, correct syntax for your deny should be "access-list 100 deny ip any any".
The ahp is one of the possible parameters for the parameter after permit/deny (where I have IP in above).
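To make the syntax discussion above concrete, here is an added example (not Cisco, Packet Tracer or any poster's code) that models how IOS evaluates a numbered extended ACL: entries are parsed in the "access-list <number> permit|deny <protocol> <source> <destination>" form, "any" is treated as the wildcard pair 0.0.0.0 255.255.255.255 and "host" as a wildcard of 0.0.0.0, packets are checked top-down with first match winning, and anything unmatched hits the implicit deny. The sample ACL and packets are constructed for the thread's addresses; the protocol keyword set is a small assumed subset of what IOS accepts.

```python
"""First-match model of a Cisco numbered extended ACL (added example)."""
import ipaddress
from dataclasses import dataclass

# Assumed subset of the protocol keywords IOS accepts after permit/deny;
# "ahp" is the keyword the poster's "?" prompt showed.
PROTOCOLS = {"ip", "tcp", "udp", "icmp", "ahp", "esp"}
ANY_WILDCARD = 0xFFFFFFFF  # "any" == 0.0.0.0 255.255.255.255


@dataclass
class AclEntry:
    action: str      # "permit" or "deny"
    protocol: str
    src: int         # base address as a 32-bit integer
    src_wild: int    # wildcard mask: 1 bits are "don't care"
    dst: int
    dst_wild: int
    hits: int = 0    # match counter, like the counts shown by "show access-list"


def _ip(text: str) -> int:
    return int(ipaddress.IPv4Address(text))


def _parse_addr(tokens, i):
    """Parse one address spec at tokens[i]: 'any', 'host A.B.C.D' or 'A.B.C.D W.W.W.W'."""
    if i >= len(tokens):
        raise ValueError("missing address: extended ACLs need both a source and a destination")
    tok = tokens[i]
    if tok == "any":
        return 0, ANY_WILDCARD, i + 1
    if i + 1 >= len(tokens):
        raise ValueError(f"{tok!r} needs an address or wildcard mask after it")
    if tok == "host":
        return _ip(tokens[i + 1]), 0, i + 2
    return _ip(tok), _ip(tokens[i + 1]), i + 2


def parse_extended_acl(lines):
    """Parse 'access-list <num> permit|deny <proto> <src> <dst>' lines into entries."""
    entries = []
    for line in lines:
        t = line.split()
        if len(t) < 3 or t[0] != "access-list" or t[2] not in ("permit", "deny"):
            raise ValueError(f"not an access-list permit/deny line: {line!r}")
        num = int(t[1])
        if not (100 <= num <= 199 or 2000 <= num <= 2699):
            raise ValueError("numbered extended ACLs use 100-199 or 2000-2699")
        if len(t) < 4 or t[3] not in PROTOCOLS:
            # This is what happens to "deny any": 'any' sits where a protocol
            # keyword is expected, so parsing stops at it.
            raise ValueError(f"expected a protocol keyword after {t[2]!r} in {line!r}")
        src, src_wild, i = _parse_addr(t, 4)
        dst, dst_wild, i = _parse_addr(t, i)
        entries.append(AclEntry(t[2], t[3], src, src_wild, dst, dst_wild))
    return entries


def is_valid_entry(line: str) -> bool:
    """True if the line parses as a complete extended ACL entry."""
    try:
        parse_extended_acl([line])
        return True
    except ValueError:
        return False


def _wild_match(addr: int, base: int, wild: int) -> bool:
    # Bits set in the wildcard are ignored; all other bits must equal the base.
    return ((addr ^ base) & (ANY_WILDCARD ^ wild)) == 0


def evaluate(entries, protocol: str, src: str, dst: str) -> str:
    """Top-down, first match wins; no match means the implicit deny."""
    s, d = _ip(src), _ip(dst)
    for e in entries:
        if e.protocol != "ip" and e.protocol != protocol:
            continue
        if _wild_match(s, e.src, e.src_wild) and _wild_match(d, e.dst, e.dst_wild):
            e.hits += 1
            return e.action
    return "deny"


# Constructed sample: the thread's two permits plus the corrected explicit deny.
SAMPLE_ACL = [
    "access-list 100 permit ip host 10.1.1.1 host 10.2.2.2",
    "access-list 100 permit ip host 10.1.1.2 host 10.2.2.1",
    "access-list 100 deny ip any any",
]
SAMPLE_PACKETS = [
    ("tcp", "10.1.1.1", "10.2.2.2"),     # matches entry 1
    ("udp", "10.1.1.2", "10.2.2.1"),     # matches entry 2
    ("tcp", "10.1.1.1", "10.2.2.1"),     # permitted hosts, wrong pairing
    ("icmp", "192.168.0.9", "10.2.2.2"), # unrelated source
]


def run_sample():
    """Return (decision per packet, hit count per entry) for the sample above."""
    entries = parse_extended_acl(SAMPLE_ACL)
    decisions = [evaluate(entries, *pkt) for pkt in SAMPLE_PACKETS]
    return decisions, [e.hits for e in entries]


if __name__ == "__main__":
    decisions, hits = run_sample()
    for pkt, verdict in zip(SAMPLE_PACKETS, decisions):
        print(f"{pkt[0]:5} {pkt[1]:>12} -> {pkt[2]:<10} {verdict}")
    print("hits per entry:", hits)
```

Dropping the final "deny ip any any" line does not change any decision, because the implicit deny produces the same result; the explicit entry only makes denied traffic visible as a match count. A wildcard of 0.0.0.0 means every bit must match (a single host), while 255.255.255.255 ignores every bit, which is why "any" and "0.0.0.0 255.255.255.255" are interchangeable.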
01-27-2023 05:25 PM
Just as a side note: PT is just a simulator of IOS, software written to mimic the behavior of real Cisco devices, but not all functions and features are supported, and those that are available may not behave the same way as on a real device. You can attach your PT file here (must be in a zip format).
Regards, ML
**Please Rate All Helpful Responses **