06-18-2022 10:11 PM - edited 06-18-2022 10:15 PM
Hello, I have an issue: my PCs behind the KL Router cannot ping the ISP's server.
| Name | IP Address |
|---|---|
| ISP Router | 192.168.10.2 |
| Internet Web Server | 182.10.0.2 |
I have configured the ACLs on the KL Router as shown below:
ip access-list extended server-farm
permit ip 15.0.4.192 0.0.0.31 host 15.0.6.2
deny ip any host 15.0.6.2
permit ip 15.0.0.0 0.0.0.255 host 15.0.6.3
permit ip 15.0.1.0 0.0.0.255 host 15.0.6.3
deny ip any host 15.0.6.3
permit ip 15.0.3.0 0.0.0.127 host 15.0.6.4
deny ip any host 15.0.6.4
permit ip 15.0.4.128 0.0.0.31 host 15.0.6.5
permit ip 15.0.4.160 0.0.0.31 host 15.0.6.5
deny ip any host 15.0.6.5
ip access-list extended internet
permit ip any 192.168.10.0 0.0.0.255
!
interface GigabitEthernet0/0/0.80
description Server Farm - VLAN 80
encapsulation dot1Q 80
ip address 15.0.6.1 255.255.255.248
ip access-group server-farm out
!
interface Serial0/1/0
bandwidth 256
ip address 15.0.6.9 255.255.255.252
ip ospf authentication message-digest
ip ospf message-digest-key 1 md5 cisco
ip access-group internet out
clock rate 2000000
!
My plan was that all PC VLANs can access the Internet.
I can ping from a PC host to 192.168.10.2 (ISP Router), but it won't ping the web server.
I could, however, specify the command: permit ip any 182.10.0.0 0.0.255.255
But I don't want to do this because the Internet will always have different IPs in the future. I'm thinking that if a PC can access the Internet (ISP), then it should automatically be able to ping other web servers, should I create a new one later.
I have attached the pkt file for your reference. Thanks.
06-19-2022 03:02 AM
Not really sure what you are trying to do here.
For internet access you would need "permit ip any any", because you do not know beforehand the IP addresses you want to connect to, and that line would cover everything, so you wouldn't actually need an ACL unless you wanted to deny certain traffic before the permit line.
However, assuming you want to use the ACL you have, then you need it to be in this format:
permit ip any <Penang subnet> <wildcard mask>
permit ip any 192.168.10.0 0.0.0.255
permit ip any 182.10.0.0 0.0.0.255
But as you say, if you create another web server on a different subnet you would then need to permit that as well.
Also not sure why you need to allow any to 192.168.10.0/24, as that is a transit network and clients generally wouldn't need to ping those IPs, unless of course it is for troubleshooting.
Jon
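To see why the original "internet" ACL permits the ping to the ISP router but silently drops the one to the web server, here is a small first-match evaluator for Cisco extended ACL entries with wildcard masks. It is an added example, not code from the thread or from Cisco; the PC addresses used as sample traffic (15.0.0.10, 15.0.4.200) are constructed, chosen from the 15.0.x.x subnets that appear in the server-farm ACL.

```python
from ipaddress import IPv4Address

# ACL text copied from the thread; the second "internet" ACL is Jon's suggested fix.
INTERNET_ACL = """ip access-list extended internet
permit ip any 192.168.10.0 0.0.0.255"""
INTERNET_ACL_FIXED = """ip access-list extended internet
permit ip any any"""
SERVER_FARM_ACL = """ip access-list extended server-farm
permit ip 15.0.4.192 0.0.0.31 host 15.0.6.2
deny ip any host 15.0.6.2
permit ip 15.0.0.0 0.0.0.255 host 15.0.6.3
deny ip any host 15.0.6.3"""

def _parse_spec(tokens, i):
    """Parse one address spec starting at tokens[i]: 'any', 'host A.B.C.D' or 'A.B.C.D wildcard'.
    Returns (network, care_mask, next_index). In a Cisco wildcard a 1 bit means 'don't care',
    so the mask of bits that must match is its complement."""
    tok = tokens[i]
    if tok == "any":
        return 0, 0, i + 1
    if tok == "host":
        return int(IPv4Address(tokens[i + 1])), 0xFFFFFFFF, i + 2
    net = int(IPv4Address(tok))
    wildcard = int(IPv4Address(tokens[i + 1]))
    return net, (~wildcard) & 0xFFFFFFFF, i + 2

def parse_acl(text):
    """Turn the permit/deny entries of one 'ip access-list extended' into an ordered rule list.
    Only 'ip' entries are handled, which is all the thread uses; header and '!' lines are skipped."""
    rules = []
    for line in text.strip().splitlines():
        tokens = line.split()
        if not tokens or tokens[0] not in ("permit", "deny"):
            continue
        src_net, src_mask, i = _parse_spec(tokens, 2)
        dst_net, dst_mask, _ = _parse_spec(tokens, i)
        rules.append((tokens[0], src_net, src_mask, dst_net, dst_mask))
    return rules

def evaluate(rules, src, dst):
    """First matching entry wins. If nothing matches, the implicit 'deny ip any any'
    that ends every Cisco ACL applies, which is what drops the ping to 182.10.0.2."""
    s, d = int(IPv4Address(src)), int(IPv4Address(dst))
    for action, sn, sm, dn, dm in rules:
        if (s & sm) == (sn & sm) and (d & dm) == (dn & dm):
            return action
    return "deny"

if __name__ == "__main__":
    for name, acl in (("original", INTERNET_ACL), ("fixed", INTERNET_ACL_FIXED)):
        for dst in ("192.168.10.2", "182.10.0.2"):
            print(name, "15.0.0.10 ->", dst, evaluate(parse_acl(acl), "15.0.0.10", dst))
```

The same evaluator shows that with "permit ip any any" the outbound ACL on Serial0/1/0 no longer filters anything, which is Jon's point: keep the ACL only if deny entries precede that line.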
06-18-2022 11:51 PM - edited 06-19-2022 12:15 AM
06-18-2022 11:57 PM
The packet tracer file is not compatible with mine.
You need to permit any to the WEB server (which is 182.10.0.2); your ACL on the KL router only permits to the ISP router IP address. If you want to do this, you need to map the WEB server IP address to the ISP router IP address. Otherwise, it will be dropped by the KL router on the output side...
06-19-2022 12:38 AM - edited 06-19-2022 12:39 AM
Hello @Rps-Cheers ,
Yes, I know. I need to use the command permit ip any 182.10.0.0 0.0.255.255 on Router KL if I want to ping the web server.
But it will cause another problem if I do this: the PCs won't be able to reach other IP addresses, only the web server and the ISP.
For example, I have currently configured:
ip access-list extended internet
permit ip any 192.168.10.0 0.0.0.255
permit ip any 182.10.0.0 0.0.255.255
interface Serial0/1/0
ip access-group internet out
Then PCs behind Router KL can't ping Penang Router's PCs anymore, because they only know the ISP and the web server. Do I really need to permit Penang Router's PCs one by one?
06-19-2022 05:07 PM
Hello @Jon Marshall ,
The requirements say: allow access to the Internet. So I thought all networks outside the KL Router must be reachable.
I was doing this assignment late at night and didn't even notice that the command "permit ip any any" is literally what I was looking for.