02-27-2019 02:58 AM - edited 02-27-2019 10:44 AM
Hello, I am having trouble with extended ACLs. I am practicing extended and standard ACLs but I am having a hard time.
It seems I can't get PC-3 and the DMZ server to ping PC-1.
The first thing I did was I wanted to protect the corporate network from other networks coming into the corporate network.
So I did:
ip access-list standard list1
 deny any
interface s0/0/0
 ip access-group list1 in
Here is where I get stuck. I want to allow PC3 and the DMZ to be able to ping PC1 but not allow PC1 to ping the DMZ or PC3.
Here is what I did:
ip access-list extended list2
 permit icmp any 172.18.2.0 0.0.0.255 echo-reply
 permit icmp any 172.17.1.0 0.0.0.255 echo-reply
interface s0/0/0
 ip access-group list2 in
And I put all of this on Corporate because I am trying to protect it.
Pinging works for a minute on both PC3 and the DMZ, then it stops working and I get destination host unreachable. I've been stuck on this for a while.
Please help me understand extended ACLs.
02-27-2019 03:40 AM
Presumably you are applying the ACL to the ISP router?
If so then the ACL entries would be:
 permit icmp 172.18.2.0 0.0.0.255 host 172.19.2.2 echo
 permit icmp 172.17.1.0 0.0.0.255 host 172.19.2.2 echo
So the source IPs are from PC3's and the server's subnets and the destination IP is PC1, and it is the echo request (not the reply) that will be permitted to ping.
And then apply this inbound to s0/0/0 on the ISP router.
Jon
02-27-2019 10:40 AM
No, this goes on the Corporate router.
02-27-2019 01:36 PM - edited 02-27-2019 01:40 PM
I can confirm that the following meets the requirement:
 permit icmp host 172.18.2.x host 172.19.2.10 echo
 permit icmp host 172.17.1.x host 172.19.2.10 echo
172.19.2.10 in this case being the address of PC1.
I would only like to add that applying the access groups, one at a time, in the inbound direction of each of the LAN interfaces of the Corp router adheres to the best practice of applying extended ACLs closest to the source.
02-27-2019 02:15 PM
Is there anything wrong I did in my statements?
02-27-2019 02:41 PM
@dolanduck. wrote: Is there anything wrong I did in my statements?
I wouldn't refer to it as 'wrong', since the ACLs can be implemented in a variety of ways.
If you prefer to stick with this configuration, i.e. applying the ACL as it is to the serial interface, I would apply it in the outbound direction:
interface s0/0/0
 ip access-group <acl> out
In addition, the protocol would be echo, not echo-reply. We want the hosts inside Corp to be able to originate an ICMP echo toward PC1.
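As an added illustration (my own Python, not IOS and not code from anyone in this thread), here is a small model of how an extended ACL is evaluated: wildcard-mask address matching, top-down first match, and the implicit deny at the end of every list. It takes PC1 as 172.19.2.10 as stated above, uses constructed host addresses 172.18.2.5 and 172.17.1.5 for PC3 and the DMZ server (the thread only gives them as 172.18.2.x and 172.17.1.x), and does not model interface direction itself, only which packets a given list permits. Run against the original poster's list2 and the corrected list, it shows why a list that only names echo-reply drops the echo request the corporate hosts send, while the corrected list permits it and still lets PC1's own echo fall through to the implicit deny.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    proto: str                         # "icmp", "tcp", "udp", ...
    src: str                           # source IPv4 address
    dst: str                           # destination IPv4 address
    icmp_type: Optional[str] = None    # "echo" or "echo-reply" for ICMP


@dataclass(frozen=True)
class Entry:
    action: str                        # "permit" or "deny"
    proto: str                         # "ip" matches every protocol, as in IOS
    src: str                           # "any", "host A.B.C.D" or "A.B.C.D W.W.W.W"
    dst: str
    icmp_type: Optional[str] = None    # None matches every ICMP type


def match_addr(spec: str, addr: str) -> bool:
    """IOS address matching. A wildcard bit set to 1 means 'don't care', so
    172.18.2.0 0.0.0.255 covers 172.18.2.0-172.18.2.255; 'host X' is shorthand
    for 'X 0.0.0.0' and 'any' for '0.0.0.0 255.255.255.255'."""
    if spec == "any":
        return True
    parts = spec.split()
    net, wild = (parts[1], "0.0.0.0") if parts[0] == "host" else (parts[0], parts[1])
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wild))   # bits that must match
    return (int(ipaddress.IPv4Address(net)) & care) == (int(ipaddress.IPv4Address(addr)) & care)


def match_entry(e: Entry, p: Packet) -> bool:
    if e.proto != "ip" and e.proto != p.proto:
        return False
    if e.icmp_type is not None and e.icmp_type != p.icmp_type:
        return False
    return match_addr(e.src, p.src) and match_addr(e.dst, p.dst)


def evaluate(acl: List[Entry], p: Packet) -> str:
    """Top-down, first match wins. The implicit 'deny ip any any' at the end is
    why a list made only of permit statements still blocks everything else."""
    for e in acl:
        if match_entry(e, p):
            return e.action
    return "deny"


def _take_addr(t: List[str], i: int):
    """Consume one address spec ('any', 'host X', or 'X wildcard') from tokens."""
    if t[i] == "any":
        return "any", i + 1
    if t[i] == "host":
        return f"host {t[i + 1]}", i + 2
    return f"{t[i]} {t[i + 1]}", i + 2


def parse(lines: List[str]) -> List[Entry]:
    """Parse extended ACL statements written the way they appear in the thread,
    e.g. 'permit icmp 172.18.2.0 0.0.0.255 host 172.19.2.10 echo'."""
    acl = []
    for line in lines:
        t = line.split()
        src, i = _take_addr(t, 2)
        dst, i = _take_addr(t, i)
        acl.append(Entry(t[0], t[1], src, dst, t[i] if i < len(t) else None))
    return acl


# The original poster's list2: only echo-replies toward the two inside subnets.
LIST2_ORIGINAL = parse([
    "permit icmp any 172.18.2.0 0.0.0.255 echo-reply",
    "permit icmp any 172.17.1.0 0.0.0.255 echo-reply",
])

# The corrected list from the replies: echo requests from the inside subnets to
# PC1 (172.19.2.10 per the thread), evaluated in the direction the corporate
# hosts send traffic (outbound on s0/0/0, or inbound on the LAN interfaces).
LIST2_FIXED = parse([
    "permit icmp 172.18.2.0 0.0.0.255 host 172.19.2.10 echo",
    "permit icmp 172.17.1.0 0.0.0.255 host 172.19.2.10 echo",
])

# Constructed host addresses: the thread gives PC3 and the DMZ server only as
# 172.18.2.x and 172.17.1.x, so the last octet here is an assumption.
PC3, DMZ, PC1 = "172.18.2.5", "172.17.1.5", "172.19.2.10"


def corp_to_pc1_ping(acl: List[Entry]) -> dict:
    """Verdict for the pings the thread cares about. The third flow has no
    statement in either list, so it always lands on the implicit deny."""
    return {
        "pc3->pc1 echo": evaluate(acl, Packet("icmp", PC3, PC1, "echo")),
        "dmz->pc1 echo": evaluate(acl, Packet("icmp", DMZ, PC1, "echo")),
        "pc1->pc3 echo": evaluate(acl, Packet("icmp", PC1, PC3, "echo")),
    }


if __name__ == "__main__":
    for name, acl in (("original list2", LIST2_ORIGINAL), ("fixed list2", LIST2_FIXED)):
        print(name, corp_to_pc1_ping(acl))
```

The original list does permit PC1's echo-reply back toward 172.18.2.0/24, but it never permits the echo request going out, so nothing is there to be replied to once the request itself is subject to that list; the corrected list names the request, which is the point made in the replies above.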