
Cannot ping to ISP's Internet Web Server after ACL Configuration

HeroVax
Level 1

Hello, I have an issue: my PCs from KL Router cannot ping the ISP's server.

Name | IP Address
ISP Router | 192.168.10.2
Internet Web Server | 182.10.0.2

 


 

 

I have configured my ACL Configuration on KL Router as shown below:

 

ip access-list extended server-farm
permit ip 15.0.4.192 0.0.0.31 host 15.0.6.2
deny ip any host 15.0.6.2
permit ip 15.0.0.0 0.0.0.255 host 15.0.6.3
permit ip 15.0.1.0 0.0.0.255 host 15.0.6.3
deny ip any host 15.0.6.3
permit ip 15.0.3.0 0.0.0.127 host 15.0.6.4
deny ip any host 15.0.6.4
permit ip 15.0.4.128 0.0.0.31 host 15.0.6.5
permit ip 15.0.4.160 0.0.0.31 host 15.0.6.5
deny ip any host 15.0.6.5


ip access-list extended internet
permit ip any 192.168.10.0 0.0.0.255

 

!

interface GigabitEthernet0/0/0.80
description Server Farm - VLAN 80
encapsulation dot1Q 80
ip address 15.0.6.1 255.255.255.248
ip access-group server-farm out

!

interface Serial0/1/0
bandwidth 256
ip address 15.0.6.9 255.255.255.252
ip ospf authentication message-digest
ip ospf message-digest-key 1 md5 cisco
ip access-group internet out
clock rate 2000000
!

 

My plan was that all PC VLANs can access the Internet.

I can ping from a PC host to 192.168.10.2 (ISP Router), but it won't ping the web server.

I could, however, specify the command: permit ip any 182.10.0.0 0.0.255.255

But I don't want to do this because the Internet will always have different IPs in the future. I'm thinking that if a PC can access the Internet (ISP), then it should automatically be able to ping other web servers, should I create a new one later.

 

I have attached the pkt file for your reference. Thanks.

Accepted Solution

 

Not really sure what you are trying to do here. 

 

For internet access you would need "permit ip any any" because you do not know beforehand the IP addresses you want to connect to and that line would cover everything so you wouldn't actually need an acl unless you wanted to deny certain traffic before the permit line. 

 

However assuming you want to use the acl you have then you need it to be in this format - 

 

permit ip any <Penang subnet> <wildcard mask>
permit ip any 192.168.10.0 0.0.0.255
permit ip any 182.10.0.0 0.0.0.255

 

but as you say if you create another web server on a different subnet you would then need to permit that as well. 

 

Also not sure why you need to allow any to 192.168.10.0/24 as that is a transit network and clients generally wouldn't need to ping those IPs unless of course it is for troubleshooting. 

 

Jon
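Added example (not part of the original thread and not any poster's code): a small Python model of how an extended ACL is evaluated, first match wins and anything unmatched hits the implicit deny, run against the ACL lines quoted in this thread. The source host 15.0.0.10 and the 203.0.113.0/24 "blocked" range are constructed for illustration; only `ip` entries with `any`, `host` or address/wildcard operands are handled.

```python
import ipaddress

def ip(s):
    return int(ipaddress.IPv4Address(s))

def take(tokens):
    """Consume one address operand and return it as (base, wildcard)."""
    first = tokens.pop(0)
    if first == "any":
        return 0, 0xFFFFFFFF
    if first == "host":
        return ip(tokens.pop(0)), 0
    return ip(first), ip(tokens.pop(0))

def parse_ace(line):
    action, proto, *rest = line.split()
    if proto != "ip":
        raise ValueError("only 'ip' entries are modelled here")
    src = take(rest)
    dst = take(rest)
    return action, src, dst

def matches(addr, spec):
    base, wildcard = spec
    care = ~wildcard & 0xFFFFFFFF  # a wildcard bit of 1 means "don't care"
    return (ip(addr) & care) == (base & care)

def evaluate(acl, src, dst):
    """First matching entry wins; no match falls through to the implicit deny."""
    for line in acl:
        action, s, d = parse_ace(line)
        if matches(src, s) and matches(dst, d):
            return action, line
    return "deny", "(implicit deny ip any any)"

PC = "15.0.0.10"  # constructed host inside 15.0.0.0/24 from the question
ORIGINAL = ["permit ip any 192.168.10.0 0.0.0.255"]
# The format from the answer; the <Penang subnet> line is left out because
# the thread never gives that subnet.
SUGGESTED = ORIGINAL + ["permit ip any 182.10.0.0 0.0.0.255"]
# Constructed: 203.0.113.0/24 stands in for traffic to deny before the permit.
DENY_THEN_ANY = ["deny ip any 203.0.113.0 0.0.0.255", "permit ip any any"]

def verdicts(acl, dsts):
    return {d: evaluate(acl, PC, d)[0] for d in dsts}

if __name__ == "__main__":
    targets = ["192.168.10.2", "182.10.0.2", "182.10.1.2", "203.0.113.5"]
    for name, acl in [("original", ORIGINAL), ("suggested", SUGGESTED),
                      ("deny-then-any", DENY_THEN_ANY)]:
        print(name, verdicts(acl, targets))
```
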


5 Replies

pman
Spotlight

The packet tracer file is not compatible with mine.

You need to permit any to the web server (which is 182.10.0.2); your ACL on the KL router only permits the ISP router's IP address. If you want to do this, you need to map the web server IP address to the ISP router IP address. Otherwise, it will be dropped on the KP router output side...

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Rps-Cheers | If it solves your problem, please mark as answer. Thanks !

Hello @Rps-Cheers ,

Yes, I know. I need to use the command: permit ip any 182.10.0.0 0.0.255.255 on Router KL if I want to ping the web server.

But it will show another problem if I do this. The PCs won't be able to know other IP addresses. Only the web server and ISP.

 

For example, currently, I already configured:

ip access-list extended internet
permit ip any 192.168.10.0 0.0.0.255

permit ip any 182.10.0.0 0.0.255.255

 

interface Serial0/1/0
ip access-group internet out

Then, PCs from Router KL can't ping to Penang Router's PCs anymore because they only know ISP and Web Server. Do I really need to permit one by one from Penang Router's PCs?

 


Hello @Jon Marshall ,

The requirements say to allow access to the Internet. So, I thought all networks outside of KL Router must be able to connect.

I was doing this assignment late at night, and didn't even notice that the command "permit ip any any" is literally what I was looking for.
