05-24-2017 11:44 AM - edited 03-05-2019 08:35 AM
Good day everyone, I have attached an image as a reference. I have the 192.168.1.0/24 network connected to R1's fa0/0. I also have 192.168.2.0/25 connected to R2's fa0/0. R1 and R2 are connected via serial using R1's s2/0 and R2's s2/0 ports, and that network is 10.1.1.4/30. I have applied OSPF and I now have neighborship among the subnets in my network, and I can successfully ping each node from all terminals and switch ports. Now, I want to restrict PC1 from reaching the WHOLE 192.168.1.0/24 subnet. So I made a standard ACL on R1. I did,
R1(config)#access-list 3 deny 192.168.2.50 0.0.0.0
R1(config)#access-list 3 permit any
And I applied the ACL on R1's fa0/0 outbound. I did,
R1(config)#int fa0/0
R1(config-if)#ip access-group 3 out
My question is, after the configuration, why can I still successfully ping from 192.168.2.50 to 192.168.1.1? Yes, I tried pinging 192.168.1.50 and it is unreachable. But how about 192.168.1.1, which I assigned to fa0/0 of R1? Is this just ok, or is there a way to completely block PC1 from reaching ALL of the IPs within the 192.168.1.0/24 network? I will appreciate your answers guys, thank you in advance.
05-24-2017 11:57 AM
You can still ping the router IP because the ACL is only applied to traffic passing through the interface and not to the interface itself.
If you want to block access to the interface IP as well, apply your ACL inbound on R1's serial interface.
Jon
05-24-2017 12:06 PM
Just an additional point.
My previous answer assumed you wanted to apply the ACL on R1.
As a rule of thumb it is best to apply the ACL closest to the source, i.e. why send the packets from 192.168.2.50 across the link when you could apply the ACL on R2 instead.
Jon
05-25-2017 09:57 AM
Thanks Jon, but what I want is to put the ACL on R1's fa0/0 port so that I can still ping the 10.1.1.4/30 network. My goal is for PC1 to be denied to the whole 192.168.1.0/24 network. Is there any other workaround for this? Thanks
05-25-2017 10:05 AM
You mean so you can still ping the 10.1.1.x IPs from 192.168.2.50?
If so then you would have to use an extended ACL, where you can specify what that IP is allowed to reach in terms of destination IPs, and apply it to either R1's serial interface or either of R2's interfaces.
Jon
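As an added example (not configuration from the poster or from Jon), this is what that extended ACL looks like when placed closest to the source, inbound on R2's fa0/0. It denies only 192.168.2.50 to the whole 192.168.1.0/24 range (including R1's interface address 192.168.1.1, since inbound ACLs are evaluated before the router looks at the destination) while leaving 10.1.1.4/30 and everything else reachable. The ACL name is an assumption chosen for readability.

```cisco
! Added example: extended named ACL on R2 (name BLOCK-PC1-TO-LAN1 is assumed)
R2(config)#ip access-list extended BLOCK-PC1-TO-LAN1
! Deny all IP traffic from PC1 to any address in 192.168.1.0/24,
! including R1's fa0/0 address 192.168.1.1
R2(config-ext-nacl)#deny ip host 192.168.2.50 192.168.1.0 0.0.0.255
! Everything else (e.g. PC1 to 10.1.1.5/10.1.1.6, other hosts to anywhere) is allowed
R2(config-ext-nacl)#permit ip any any
R2(config-ext-nacl)#exit
! Apply inbound on the LAN interface so the packets are dropped before crossing the serial link
R2(config)#interface fa0/0
R2(config-if)#ip access-group BLOCK-PC1-TO-LAN1 in
R2(config-if)#end
! Verify: the deny line's match counter should increment when PC1 pings 192.168.1.x
R2#show ip access-lists BLOCK-PC1-TO-LAN1
```

If the ACL must stay on R1 instead, the same list applied with `ip access-group BLOCK-PC1-TO-LAN1 in` on R1's s2/0 gives the same result, but PC1's packets then travel the serial link only to be discarded.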