Beginner

static routing

How can I configure the network so that the left-hand side network can access the web server and is able to ping the right-hand side network, while the right-hand side network can only access the web server and is not able to ping the left-hand side network?

1 ACCEPTED SOLUTION

Accepted Solutions
Hall of Fame Expert

Re: static routing

Hello kswang0426,

 

>> how can i configure the network so that left hand side network can access to web server and able to ping the right hand side network, and network right hand side network only can access to the web server but not able to ping left hand side network.

 

Given your requirement and the network diagram, you can understand that you are required to configure an IP extended ACL to limit what the right part of the network can do.

You cannot satisfy the above requirements using only routing, either static routes or dynamic routing.

The reason is that to make the left portion able to reach the web site and the right portion with ICMP, you need to deploy static routes to ensure traffic can be routed from left to right (ICMP echo) and from right to left (ICMP echo reply).

However, routing does not care about what is above OSI layer 3, so it cannot discriminate between an ICMP echo (request) and an ICMP echo reply.

For this reason you need an appropriate extended ACL, for example on router C1841 R0, that allows one type of message and denies the other one.

 

access-list 111 remark block right to left ICMP echo

access-list 111 deny icmp any any echo

access-list 111 permit icmp any any echo-reply

access-list 111 permit tcp any host web-server eq 80

 

to be applied inbound on the right side LAN interface of C1841 R0.

 

Hope to help

Giuseppe
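
Added example, not part of the reply above: a small Python model of how the three entries of ACL 111 are evaluated, first match wins, on packets arriving inbound on the right-side LAN interface. The IP addresses, the `Packet` type and the `evaluate` helper are assumptions made for illustration; `WEB_SERVER` stands in for the `web-server` placeholder.

```python
# Added illustration (not from the thread): first-match evaluation of ACL 111
# applied inbound on the right-side LAN interface. All addresses are constructed.
from dataclasses import dataclass
from typing import Optional

WEB_SERVER = "192.0.2.10"  # assumed address standing in for "web-server"

@dataclass(frozen=True)
class Packet:
    proto: str                        # "icmp", "tcp" or "udp"
    src: str
    dst: str
    icmp_type: Optional[str] = None   # "echo" or "echo-reply"
    dport: Optional[int] = None

# (action, protocol, destination, ICMP type, destination port); None means "any"
ACL_111 = [
    ("deny",   "icmp", None,       "echo",       None),
    ("permit", "icmp", None,       "echo-reply", None),
    ("permit", "tcp",  WEB_SERVER, None,         80),
]

def evaluate(acl, pkt):
    """Return (action, index of matching entry); index None = implicit deny."""
    for i, (action, proto, dst, icmp_type, dport) in enumerate(acl):
        if (proto == pkt.proto and dst in (None, pkt.dst)
                and icmp_type in (None, pkt.icmp_type)
                and dport in (None, pkt.dport)):
            return action, i
    return "deny", None  # every IOS ACL ends with an implicit "deny ip any any"

RIGHT, LEFT = "198.51.100.20", "203.0.113.30"  # constructed hosts
# Constructed packets as seen inbound on the right-side LAN interface
SAMPLES = {
    "right pings left (echo)": Packet("icmp", RIGHT, LEFT, icmp_type="echo"),
    "right answers left's ping": Packet("icmp", RIGHT, LEFT, icmp_type="echo-reply"),
    "right to web server :80": Packet("tcp", RIGHT, WEB_SERVER, dport=80),
    "right to web server :443": Packet("tcp", RIGHT, WEB_SERVER, dport=443),
    "right DNS query": Packet("udp", RIGHT, LEFT, dport=53),
}

def run():
    return {name: evaluate(ACL_111, pkt) for name, pkt in SAMPLES.items()}

if __name__ == "__main__":
    for name, (action, idx) in run().items():
        print(f"{name:28} {action:6} entry={idx}")
```

The last two samples fall through to the implicit deny at the end of the ACL, so with only these three entries the right side loses everything except ping replies and TCP port 80 to the web server.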

 

2 REPLIES 2
Beginner

Re: static routing

thank you so much for the solution
