12-07-2021 07:38 AM - edited 12-07-2021 07:39 AM
Hi,
Sorry to bother you all, but I'm having some issues with a network I'm building in Cisco Packet Tracer.
In my network, I need to be able to deny ping access from one direction, but not the other. (So for instance, in my network, I need for the group of systems with IP address 192.168.102.0 to be blocked from accessing the group of systems with IP address 192.168.101.0, but not vice versa; 192.168.101.0 must still be able to ping 192.168.102.0, but 192.168.102.0 must not be able to ping 192.168.101.0).
I initially tried doing this using access lists on the Master Router, but that did not work at all; packets were still able to ping in both directions even when I added the access list to a particular interface.
I then tried the IPv4 Firewall tab on the Desktop of each system within the group, and while that was very good at stopping access in one direction, it also completely stopped pinging in the other direction too, even if I allowed ping access from the sender IP address group on the receiving system.
Does anyone know what my issue might be? And what should I do in order to rectify it (should I use access lists or IPv4 Firewall?)? Any help would be much appreciated; I've integrated my Cisco Packet Tracer file within a zip folder to give you some idea of what I'm working with here.
12-07-2021 08:48 AM
It should be fairly straightforward to prevent ping from 192.168.102.0 to 192.168.101.0. Configure an extended access list and apply the access list inbound on the router/switch interface where 192.168.102.0 is connected. In the access list the first statement should deny icmp echo-request where source is 109.168.102.0 and destination is 192.168.101.0. The second statement in the access list should permit ip traffic where source is 192.168.102.0 and destination is any.
This would prevent ping requests from 192.168.102.0 to 192.168.101.0 and would not impact ping requests from 192.168.101.0 to 192.168.102.0, nor ping responses from 192.168.102.0 to 192.168.101.0.
12-07-2021 08:52 AM
Have you tried an extended ACL? Extended ACLs let you choose direction (source/destination) as well as protocol type (icmp, tcp, udp, etc.). Also, placement and direction are important: a standard ACL should be placed near the destination, while an extended ACL should be placed near the source. Use ? with commands to see all options.
This one is tricky, so I will attach my solution (of course this may have 2 or more solutions).
Regards, ML
**Please Rate All Helpful Responses**
12-07-2021 09:27 AM
BTW, what @Richard Burts suggests is a belt and suspenders approach (and is fully correct). Just wanted to note that if you block ping requests in one direction, there should be no ping replies in the other.
Also, you might just block ping replies in one direction. The latter might be used if you didn't have access to the "other side" to block ping requests.
12-08-2021 12:00 AM - last edited on 12-10-2021 09:40 AM by Translator
Hello
@Matt N wrote:
192.168.101.0 must still be able to ping 192.168.102.0, but 192.168.102.0 must not be able to ping 192.168.101.0).
Try the following:
ip access-list extended ICMP
 deny icmp 192.168.102.0 0.0.0.255 any echo
 permit ip any any
int x/x
 description routed interface for 192.168.101.x
 ip access-group ICMP in
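To make the evaluation concrete, here is an added Python model (not code from the thread, from Cisco, or from any poster) of how the two-statement extended ACL recommended in the 08:48 AM reply, applied inbound on the router interface facing 192.168.102.0/24, treats each kind of packet: wildcard-mask matching, ICMP type matching, first-match-wins and the implicit deny. The sample hosts (.10 on each LAN, 10.0.0.1 as an unrelated network) are constructed values.

```python
# Packets are modelled as (src, dst, icmp_type) with icmp_type "echo" or "echo-reply".

def ip_to_int(addr):
    a, b, c, d = (int(x) for x in addr.split("."))
    return (a << 24) | (b << 16) | (c << 8) | d

def matches(addr, network, wildcard):
    """IOS wildcard mask: 0 bits must match, 1 bits are ignored; 'any' matches all."""
    if network == "any":
        return True
    mask = ~ip_to_int(wildcard) & 0xFFFFFFFF
    return (ip_to_int(addr) & mask) == (ip_to_int(network) & mask)

# (action, protocol, src, src_wildcard, dst, dst_wildcard, icmp_type or None):
# the two statements recommended in the thread, to be applied inbound on the
# router interface where 192.168.102.0/24 is connected.
ACL = [
    ("deny", "icmp", "192.168.102.0", "0.0.0.255", "192.168.101.0", "0.0.0.255", "echo"),
    ("permit", "ip", "192.168.102.0", "0.0.0.255", "any", None, None),
]

def evaluate(acl, pkt):
    """First matching entry wins; every IOS ACL ends with an implicit deny."""
    src, dst, icmp_type = pkt
    for action, proto, net_s, wc_s, net_d, wc_d, itype in acl:
        if not matches(src, net_s, wc_s) or not matches(dst, net_d, wc_d):
            continue
        if proto == "icmp" and itype is not None and itype != icmp_type:
            continue
        return action  # "ip" entries match any protocol, ICMP included
    return "deny"

def allowed(pkt):
    """Only packets entering from the 192.168.102.0/24 LAN hit the inbound ACL;
    packets entering on the 192.168.101.0/24 interface are not filtered at all."""
    if matches(pkt[0], "192.168.102.0", "0.0.0.255"):
        return evaluate(ACL, pkt) == "permit"
    return True

def one_way_ping_check():
    """Constructed sample hosts: .10 on each LAN, 10.0.0.1 as an unrelated network."""
    cases = {
        "102->101 echo": ("192.168.102.10", "192.168.101.10", "echo"),
        "101->102 echo": ("192.168.101.10", "192.168.102.10", "echo"),
        "102->101 echo-reply": ("192.168.102.10", "192.168.101.10", "echo-reply"),
        "102->other echo": ("192.168.102.10", "10.0.0.1", "echo"),
    }
    return {name: allowed(pkt) for name, pkt in cases.items()}
```

Only the request from the 102 side to the 101 side is dropped; the reply travelling the same way is still permitted, which is why pings from 192.168.101.0 keep working.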
12-08-2021 07:16 AM
Thank you all so much; these responses have really helped!
12-09-2021 07:23 AM
You are welcome. I am glad that our explanations have been helpful. Thank you for marking this question as solved. This will help other participants in the community to identify discussions which have helpful information. This community is an excellent place to ask questions and to learn about networking. I hope to see you continue to be active in the community.