1556 Views, 0 Helpful, 4 Replies

Standard ACL, source can still ping node of denied network

Good day everyone, I have attached an image as a reference. I have the 192.168.1.0/24 network connected to R1's fa0/0. I also have 192.168.2.0/25 connected to R2's fa0/0. R1 and R2 are connected via serial using R1's s2/0 and R2's s2/0 ports, and that network is 10.1.1.4/30. I have applied OSPF, I now have neighborship among the subnets in my network, and I can successfully ping each node from all terminals and switch ports. Now, I want to restrict PC1 from reaching the WHOLE 192.168.1.0/24 subnet. So I made a standard ACL on R1. I did,

R1(config)#access-list 3 deny 192.168.2.50 0.0.0.0

R1(config)#access-list 3 permit any

And I applied the ACL on R1's fa0/0 outbound. I did, 

R1(config)#int fa0/0

R1(config-if)#ip access-group 3 out

My question is, after the configuration, why can I still successfully ping from 192.168.2.50 to 192.168.1.1? Yes, I tried pinging 192.168.1.50 and it is unreachable. But how about 192.168.1.1, which I assigned to fa0/0 of R1? Is this just OK, or is there a way to completely block PC1 from reaching ALL of the IPs within the 192.168.1.0/24 network? I will appreciate your answers guys, thank you in advance.

4 Replies

Jon Marshall
Hall of Fame

You can still ping the router IP because the ACL is only applied to traffic passing through the interface, not to traffic destined for the interface itself.

If you want to block access to the interface IP as well, apply your ACL inbound on R1's serial interface.

Jon

Jon Marshall
Hall of Fame

Just an additional point.

My previous answer assumed you wanted to apply the ACL on R1.

As a rule of thumb, it is best to apply the ACL closest to the source, i.e. why send the packets from 192.168.2.50 across the link when you could apply the ACL on R2 instead?

Jon

Thanks Jon, but what I want is to put the ACL on R1's fa0/0 port so that I can still ping the 10.1.1.4/30 network. My goal is for PC1 to be denied access to the whole 192.168.1.0/24 network. Is there any other workaround for this? Thanks

You mean so you can still ping the 10.1.1.x IPs from 192.168.2.50?

If so, then you would have to use an extended ACL, where you can specify which destination IPs that host is allowed to ping, and apply it to either R1's serial interface or either of R2's interfaces.

Jon
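The three placements discussed in this thread side by side, as an added example that is not part of any post above. IOS syntax; the serial addresses 10.1.1.5 on R1 and 10.1.1.6 on R2 and the ACL name PC1-TO-LAN1 are assumptions (the question only gives the /30), everything else comes from the question:

```cisco
! Added example, not from the thread. Assumed: R1 s2/0 = 10.1.1.5/30,
! R2 s2/0 = 10.1.1.6/30, ACL name PC1-TO-LAN1.
! From the post: PC1 = 192.168.2.50, R1 fa0/0 = 192.168.1.1, LAN1 = 192.168.1.0/24.

! --- Placement 1: the original config. An outbound ACL is checked only for
! packets the router forwards OUT of fa0/0. A ping to 192.168.1.1 arrives on
! s2/0 and is delivered to R1's own IP stack; it never leaves fa0/0, so the
! outbound ACL never sees it. ("host 192.168.2.50" == "192.168.2.50 0.0.0.0".)
R1(config)# access-list 3 deny   host 192.168.2.50
R1(config)# access-list 3 permit any
R1(config)# interface FastEthernet0/0
R1(config-if)# ip access-group 3 out

! --- Placement 2: the same standard ACL, inbound on R1 s2/0 (Jon's first reply).
! An inbound ACL is evaluated before the packet is either forwarded or handed
! to the router itself, so 192.168.1.1 is now blocked as well. Side effect:
! a standard ACL matches on source only, so PC1 also loses every destination
! behind R1, including R1's own serial address 10.1.1.5.
R1(config)# interface FastEthernet0/0
R1(config-if)# no ip access-group 3 out
R1(config-if)# interface Serial2/0
R1(config-if)# ip access-group 3 in

! --- Placement 3: extended ACL, inbound on R2 fa0/0 (closest to the source,
! Jon's last reply). Matches on source AND destination, so only PC1 -> LAN1 is
! dropped; PC1 can still reach 10.1.1.5, 10.1.1.6 and 192.168.2.1.
! Every IOS ACL ends in an implicit "deny ip any any": without the final
! permit line, all of 192.168.2.0/25 would be cut off.
R1(config)# interface Serial2/0
R1(config-if)# no ip access-group 3 in
R2(config)# ip access-list extended PC1-TO-LAN1
R2(config-ext-nacl)# deny   ip host 192.168.2.50 192.168.1.0 0.0.0.255 log
R2(config-ext-nacl)# permit ip any any
R2(config-ext-nacl)# exit
R2(config)# interface FastEthernet0/0
R2(config-if)# ip access-group PC1-TO-LAN1 in

! --- Verify: while PC1 pings 192.168.1.1 and 192.168.1.50, the match counter
! on the deny line should increase, and "log" reports each match to syslog.
R2# show ip access-lists PC1-TO-LAN1
R2# show ip interface FastEthernet0/0 | include access list
```

If you prefer to keep the filter on R1, the same extended ACL works inbound on R1's s2/0; in that position the `permit ip any any` line is what keeps the OSPF hellos from 10.1.1.6 flowing, since inbound ACLs do filter routing-protocol traffic the router receives, whereas outbound ACLs never touch traffic the router generates itself.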
