extended acl ping trouble.

dolanduck.
Level 1

Hello, I am having trouble with extended ACLs. I am practicing extended and standard ACLs but I am having a hard time.

It seems I can't get PC-3 and the DMZ server to ping PC-1.

The first thing I did was to protect the corporate network from the other networks coming in to the corporate network.

So I did:

ip access-list standard list1
 deny any

int s0/0/0
 ip access-group list1 in

Here is where I get stuck. I want to allow PC3 and the DMZ to be able to ping PC1 but not allow PC1 to ping the DMZ or PC3.

Here is what I did:

ip access-list extended list2
 permit icmp any 172.18.2.0 0.0.0.255 echo-reply
 permit icmp any 172.17.1.0 0.0.0.255 echo-reply

int s0/0/0
 ip access-group list2 in

And I put all of this on Corporate because I am trying to protect it.

Pinging works for about a minute on both PC3 and the DMZ, then it stops working and I get destination host unreachable. I have been stuck on this for a while.

Please help me understand extended ACLs.

(attached topology diagram: isp.PNG)

Accepted Solution

@dolanduck. wrote:

Is there anything wrong I did in my statements?

I wouldn't refer to it as 'wrong', since the ACLs can be implemented in a variety of ways.

If you prefer to stick with this configuration, i.e. applying the ACL as it is to the serial interface, I would apply it in the outbound direction:

int s0/0/0
 ip access-group <acl> out

In addition, the protocol would be echo, not echo-reply. We want the hosts inside Corp to be able to originate an ICMP echo toward PC1.

Remember to rate helpful posts and/or mark as a solution if your issue is resolved.

5 Replies

Jon Marshall
Hall of Fame

Presumably you are applying the ACL to the ISP router?

If so, then the ACL entries would be:

permit icmp 172.18.2.0 0.0.0.255 host 172.19.2.2 echo
permit icmp 172.17.1.0 0.0.0.255 host 172.19.2.2 echo

So the source IPs are from PC3's and the server's subnets, the destination IP is PC1, and it is the echo request (not the reply) that will ping.

And then apply this inbound to s0/0/0 on the ISP router.

 

Jon

 

No, this goes on the Corporate router.

I can confirm that

permit icmp host 172.18.2.x host 172.19.2.10 echo
permit icmp host 172.17.1.x host 172.19.2.10 echo

meets the requirement.

172.19.2.10 in this case being the address of PC1.

I would only add that applying the access-groups, one at a time, in the inbound direction of each of the LAN interfaces of the Corp router adheres to the best practice of applying extended ACLs closest to the source.

Remember to rate helpful posts and/or mark as a solution if your issue is resolved.
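The point made in the accepted solution and in Jon's reply (match echo, not echo-reply; source in the corp subnets, destination PC1; pick the direction in which the ACL actually sees the packets the corp hosts originate) can be checked against a small model of how an IOS extended ACL is evaluated. The Python below is an added example, not code from this thread or from Cisco: it implements wildcard-mask matching, top-down first match and the implicit deny, then runs both the posted list2 (inbound on s0/0/0) and the corrected ACL (outbound on s0/0/0) over the four pings in question. PC1 = 172.19.2.10 is taken from the thread; the PC3 and DMZ host addresses 172.18.2.10 and 172.17.1.10, and treating the Corp router's s0/0/0 as the only filtering point, are assumptions.

```python
# Added example: a model of IOS extended-ACL evaluation (wildcard masks,
# top-down first match, implicit deny). Not Cisco code. PC1's address is from
# the thread; PC3 and DMZ host addresses are assumed.
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str            # "icmp", "tcp", ...
    icmp_type: str = ""   # "echo" or "echo-reply" when proto == "icmp"


@dataclass(frozen=True)
class Ace:
    action: str           # "permit" or "deny"
    proto: str            # "ip" matches every protocol
    src: str              # "any", "host A.B.C.D" or "A.B.C.D W.W.W.W" (wildcard mask)
    dst: str
    icmp_type: str = ""   # "" matches any ICMP type


def addr_matches(spec: str, addr: str) -> bool:
    """IOS address-spec match: wildcard-mask bits set to 1 are 'don't care'."""
    if spec == "any":
        return True
    parts = spec.split()
    a = int(ipaddress.IPv4Address(addr))
    if parts[0] == "host":
        return a == int(ipaddress.IPv4Address(parts[1]))
    net, wild = (int(ipaddress.IPv4Address(p)) for p in parts)
    care = ~wild & 0xFFFFFFFF
    return (a & care) == (net & care)


def evaluate(acl, pkt: Packet) -> str:
    """Walk the ACL top-down; the first matching ACE decides; implicit deny at the end.
    acl=None models an interface direction with no access-group applied."""
    if acl is None:
        return "permit"
    for ace in acl:
        if ace.proto != "ip" and ace.proto != pkt.proto:
            continue
        if not (addr_matches(ace.src, pkt.src) and addr_matches(ace.dst, pkt.dst)):
            continue
        if ace.proto == "icmp" and ace.icmp_type and ace.icmp_type != pkt.icmp_type:
            continue
        return ace.action
    return "deny"


# Corporate side of the Corp router's s0/0/0 (subnets from the thread).
CORP_NETS = [ipaddress.ip_network("172.18.2.0/24"), ipaddress.ip_network("172.17.1.0/24")]
PC1 = "172.19.2.10"      # from the thread
PC3 = "172.18.2.10"      # assumed host in PC3's subnet
DMZ = "172.17.1.10"      # assumed host in the DMZ subnet


def leaving_corp(pkt: Packet) -> bool:
    return any(ipaddress.ip_address(pkt.src) in n for n in CORP_NETS)


def ping_ok(src: str, dst: str, acl_in, acl_out) -> bool:
    """A ping across s0/0/0 succeeds only if the echo and the echo-reply are both
    forwarded: packets leaving Corp hit the 'out' ACL, arriving ones the 'in' ACL."""
    for pkt in (Packet(src, dst, "icmp", "echo"), Packet(dst, src, "icmp", "echo-reply")):
        acl = acl_out if leaving_corp(pkt) else acl_in
        if evaluate(acl, pkt) != "permit":
            return False
    return True


# list2 exactly as posted, applied inbound on s0/0/0 (nothing applied outbound).
POSTED_IN = [
    Ace("permit", "icmp", "any", "172.18.2.0 0.0.0.255", "echo-reply"),
    Ace("permit", "icmp", "any", "172.17.1.0 0.0.0.255", "echo-reply"),
]

# The accepted solution: echo (not echo-reply), sourced from the corp subnets,
# destined to PC1, applied outbound on s0/0/0 (nothing applied inbound).
FIXED_OUT = [
    Ace("permit", "icmp", "172.18.2.0 0.0.0.255", "host " + PC1, "echo"),
    Ace("permit", "icmp", "172.17.1.0 0.0.0.255", "host " + PC1, "echo"),
]

PINGS = ((PC3, PC1), (DMZ, PC1), (PC1, PC3), (PC1, DMZ))


def compare():
    """{config: (PC3->PC1, DMZ->PC1, PC1->PC3, PC1->DMZ)} ping results."""
    return {
        "posted": tuple(ping_ok(s, d, POSTED_IN, None) for s, d in PINGS),
        "fixed": tuple(ping_ok(s, d, None, FIXED_OUT) for s, d in PINGS),
    }


def side_effects():
    """What the implicit deny does to non-ICMP traffic in the filtered direction."""
    return {
        "posted: tcp PC1->DMZ arriving from ISP": evaluate(POSTED_IN, Packet(PC1, DMZ, "tcp")),
        "fixed: tcp DMZ->PC1 leaving Corp": evaluate(FIXED_OUT, Packet(DMZ, PC1, "tcp")),
    }


if __name__ == "__main__":
    print(compare())
    print(side_effects())
```

Both configurations give the same ICMP result in this model (PC3 and the DMZ can ping PC1, PC1 cannot ping either of them), so the ICMP entries by themselves do not account for a ping that works and then stops; the model covers nothing but ICMP. What differs is the side effect of the implicit deny: list2 inbound drops every non-matching packet arriving from the ISP side, and the corrected ACL outbound drops everything leaving Corp except those echo requests, including anything the DMZ server would send back to PC1. That side effect is the first thing to check when a permitted ping still fails, and it is what applying the ACL inbound on the LAN interfaces, as suggested above, changes.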

Is there anything wrong I did in my statements?

