static routing

kswong0426
Level 1

How can I configure the network so that the left-hand side network can access the web server and is able to ping the right-hand side network, while the right-hand side network can only access the web server but is not able to ping the left-hand side network?

1 Accepted Solution

Giuseppe Larosa
Hall of Fame

Hello kswong0426,

>> How can I configure the network so that the left-hand side network can access the web server and is able to ping the right-hand side network, while the right-hand side network can only access the web server but is not able to ping the left-hand side network?

Given your requirement and the network diagram, you can see that you are required to configure an extended IP ACL to limit what the right part of the network can do.

You cannot satisfy the above requirements using routing alone, whether static routes or dynamic routing.

The reason is that, to make the left portion able to reach the web site and the right portion with ICMP, you need to deploy static routes to ensure traffic can be routed from left to right (ICMP echo) and from right to left (ICMP echo reply).

However, routing does not care about what is above OSI layer 3, so it cannot discriminate between an ICMP echo (request) and an ICMP echo reply.

For this reason you need an appropriate extended ACL, for example on router C1841 R0, that allows one type of message and denies the other.

access-list 111 remark block right to left ICMP echo
access-list 111 deny icmp any any echo
access-list 111 permit icmp any any echo-reply
access-list 111 permit tcp any host web-server eq 80

to be applied inbound on the right side LAN interface of C1841 R0.


Hope to help

Giuseppe
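
The first-match behaviour of ACL 111 from the answer above, as an added example that is not part of the original post: a small Python model that evaluates constructed packets arriving inbound on the right-side LAN interface. The addresses are constructed placeholders (192.0.2.10 stands in for web-server) and the last entry is modelled as TCP destination port 80.

```python
from typing import NamedTuple, Optional

WEB_SERVER = "192.0.2.10"   # constructed placeholder for the page's "web-server"
LEFT_HOST = "198.51.100.5"  # constructed placeholder for a left-side host

class Packet(NamedTuple):
    proto: str                       # "icmp", "tcp" or "udp"
    dst: str
    icmp_type: Optional[str] = None  # "echo" or "echo-reply"
    dport: Optional[int] = None

class Ace(NamedTuple):
    action: str                      # "permit" or "deny"
    proto: str
    dst: str = "any"
    icmp_type: Optional[str] = None  # None matches every ICMP type
    dport: Optional[int] = None      # None matches every port

    def matches(self, p: Packet) -> bool:
        return (self.proto == p.proto
                and self.dst in ("any", p.dst)
                and self.icmp_type in (None, p.icmp_type)
                and self.dport in (None, p.dport))

# The three entries of access-list 111; the source is "any" in each, so it is not modelled.
ACL_111 = [
    Ace("deny", "icmp", icmp_type="echo"),
    Ace("permit", "icmp", icmp_type="echo-reply"),
    Ace("permit", "tcp", dst=WEB_SERVER, dport=80),
]

def evaluate(acl, p):
    """First match wins; returns (action, entry index), index None meaning the implicit deny."""
    for i, ace in enumerate(acl):
        if ace.matches(p):
            return ace.action, i
    return "deny", None

# Constructed packets as seen inbound on the right-side LAN interface.
SAMPLES = {
    "right pings left": Packet("icmp", LEFT_HOST, icmp_type="echo"),
    "right answers a ping from left": Packet("icmp", LEFT_HOST, icmp_type="echo-reply"),
    "right pings web server": Packet("icmp", WEB_SERVER, icmp_type="echo"),
    "right HTTP to web server": Packet("tcp", WEB_SERVER, dport=80),
    "right HTTPS to web server": Packet("tcp", WEB_SERVER, dport=443),
    "right DNS query": Packet("udp", LEFT_HOST, dport=53),
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(f"{name:32} -> {evaluate(ACL_111, pkt)}")
```

Because the echo entry is `any any`, the right side also cannot ping the web server, and the implicit deny at the end of the ACL drops everything else it sends, such as HTTPS or DNS.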

 

2 Replies

Thank you so much for the solution.
