08-22-2019 01:06 AM
How can I configure the network so that the left-hand side network can access the web server and ping the right-hand side network, while the right-hand side network can only access the web server and cannot ping the left-hand side network?
08-22-2019 01:21 AM
Hello kswang0426,
>> How can I configure the network so that the left-hand side network can access the web server and ping the right-hand side network, while the right-hand side network can only access the web server and cannot ping the left-hand side network?
Given your requirement and the network diagram, you can understand that you are required to configure an IP extended ACL to limit what the right part of the network can do.
You cannot satisfy the above requirements using only routing, either static routes or dynamic routing.
The reason is that, to make the left portion able to reach the web site and the right portion with ICMP, you need to deploy static routes to ensure traffic can be routed from left to right (ICMP echo) and from right to left (ICMP echo reply).
However, routing does not care about what is above OSI layer 3, so it cannot discriminate between an ICMP echo (request) and an ICMP echo reply.
For this reason you need an appropriate extended ACL, for example on router C1841 R0, that allows one type of message and denies the other one.
access-list 111 remark block right to left ICMP echo
access-list 111 deny icmp any any echo
access-list 111 permit icmp any any echo-reply
access-list 111 permit tcp any host web-server eq 80
to be applied inbound on the right side LAN interface of C1841 R0.
Hope to help
Giuseppe
08-22-2019 01:40 AM
Thank you so much for the solution.