Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results forĀ 
Search instead forĀ 
Did you mean:Ā 
cancel
Start a conversation
1227
Views
5
Helpful
5
Replies

extendent acl ping trouble.

Go to solution
dolanduck.
Level 1
Level 1

ā€Ž02-27-2019 02:58 AM - edited ā€Ž02-27-2019 10:44 AM

hello i am having trouble with extended acls. i am practicing extended and standard acls but i am having a hard time.

it seems i cant get pc-3 and dmz server to ping pc-1.

The first thing i did was i wanted to protect corporate network from other  networks from coming in to corporate network.

so i did

ip access-list standard list1

deny any

int s0/0/0  ip access-group in

here where i get stuck.i want to allow pc3 and dmz to able to ping pc1 but not allow pc1 to ping dmz or pc3

here what i did.

ip access-list extended list2

permit icmp any 172.18.2.0 0.0.0.255 echo-reply 

permit icmp any 172.17.1.0 0.0.0.255 echo-reply

int s0/0/0 ip access-group in

and i put all of this on corporate because i am trying to protect it.  

pinging works for a 1 min  on both pc3 and dmz then it stops working and i get destination host unreachable. Been stuck on this for a while.

please help me understand extended acl.  

isp.PNG

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Alan Ng'ethe
Level 3
Level 3
In response to dolanduck.

ā€Ž02-27-2019 02:41 PM

@dolanduck.  wrote:

is there anything wrong i did on my statements

I wouldn't refer to it as 'wrong', since the acls can be implemented in a variety of ways.

 

If you prefer to stick with this configuration i.e. applying the acl as it is to the serial interface, I would apply it in the outbound direction 


int s0/0/0 ip access-group <acl> out

 

In addition, the protocol would be echo, not echo reply. We want the hosts inside corp to be able to originate an icmp echo toward PC1.

Remember to rate helpful posts and/or mark as a solution if your issue is resolved.

View solution in original post

5 Replies 5

Go to solution
Jon Marshall
Hall of Fame
Hall of Fame

ā€Ž02-27-2019 03:40 AM

 

Presumably you are applying the acl to the ISP router ? 

 

If so then the acl entries would be - 

 

permit icmp 172.18.2.0 0.0.0.255 host 172.19.2.2 echo
permit icmp 172.17.1.0 0.0.0.255 host 172.19.2.2 echo

 

so the source IPs are from PC3's and the server's subnet and the destination IP is PC1 and it is echo request (not reply) that will ping. 

 

And then apply this inbound to s0/0/0 on the ISP router.

 

Jon

 

0 Helpful

Go to solution
dolanduck.
Level 1
Level 1
In response to Jon Marshall

ā€Ž02-27-2019 10:40 AM

no this goes on corporate router. 

0 Helpful

Go to solution
Alan Ng'ethe
Level 3
Level 3
In response to dolanduck.

ā€Ž02-27-2019 01:36 PM - edited ā€Ž02-27-2019 01:40 PM

I can confirm that the

permit icmp host 172.18.2.x host 172.19.2.10 echo 

permit icmp host 172.17.1.x host 172.19.2.10 echo

meets the requirement.

 

172.19.2.10 in this case being the address of PC1

 

I would only like to add that applying the access groups, one at a time, in the inbound direction of each of the LAN interfaces of Corp router adheres to the best practices of applying extended acls closest to the source.

 

 

Remember to rate helpful posts and/or mark as a solution if your issue is resolved.
0 Helpful

Go to solution
dolanduck.
Level 1
Level 1
In response to Alan Ng'ethe

ā€Ž02-27-2019 02:15 PM

is there anything wrong i did on my statements

0 Helpful

Go to solution
Alan Ng'ethe
Level 3
Level 3
In response to dolanduck.

ā€Ž02-27-2019 02:41 PM

@dolanduck.  wrote:

is there anything wrong i did on my statements

I wouldn't refer to it as 'wrong', since the acls can be implemented in a variety of ways.

 

If you prefer to stick with this configuration i.e. applying the acl as it is to the serial interface, I would apply it in the outbound direction 


int s0/0/0 ip access-group <acl> out

 

In addition, the protocol would be echo, not echo reply. We want the hosts inside corp to be able to originate an icmp echo toward PC1.

Remember to rate helpful posts and/or mark as a solution if your issue is resolved.
Customers Also Viewed These Support Documents