Ospf and ACL


I configured OSPF and I want to deny access to the web server only from PC2 (192.168.3.2) and allow all other PCs... The ACL is assigned to Router0's s0/0/0 inbound... but when I assign it on the serial interface, neighbour 192.168.4.1 (I think Router2) goes down, see the CLI attachment. Then I permitted 192.168.2.0... and fortunately that neighbour came up.


So my questions are:

1) Is it necessary to permit the serial links' networks (192.168.2.0 and 192.168.4.0) to successfully complete my task? If your answer is yes, you must permit both the 2.0 and 3.0 networks, so why does the neighbour come up after permitting only 192.168.2.0?

2) In the CLI attachment, which router does neighbour 192.168.4.1 mean, Router1 or Router2?

See the attachments for a better understanding of my question.

Thank you

Accepted Solution

Hello
The reason why you're losing OSPF adjacency is that you're denying OSPF packets in the access-list. So if you need to append an ACL to a routed interface that is assigned to a routing process, you need to allow access for that routing process's packets.

It's better to deny traffic as close to the source as possible, thus negating unwarranted traffic traversing your network. In this case you could apply a PACL on the switch 1 fa0/3 interface to negate TCP 80 traffic to the web server.



Router 1
! remove the ACL from the router; if "ip access-group ram in" is still on the
! serial interface, remove that too, so nothing references a deleted ACL
no ip access-list extended ram

Switch 1
! define the ACL in global configuration first, then apply it as a PACL
! inbound on the access port PC2 (192.168.3.2) connects to
ip access-list extended ram
 deny tcp host 192.168.3.2 host 192.168.1.4 eq www
 permit ip any any
!
interface fa0/3
 ip access-group ram in


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broaden the community's global network.

Kind Regards
Paul


6 Replies

I think you just need to change the wildcard of your host to 255.255.255.255;
0.0.0.0 means all networks.


Sir, as far as I know, in the wildcard mask 0.0.0.0 means only this IP address and 255.255.255.255 means all networks.


 


Thank you @paul driver... it works.

But what is the best configuration to deny 192.168.3.2 access to the web server (192.168.1.4) and permit the PCs on the 192.168.3.0 and 192.168.5.0 networks, applied on Router0's s0/0/0 inbound (sir, don't add permit ip any any to the ACL)?


Answer my 2 questions in the previous post... please.


ip/host is the same as ip/0.0.0.0 (sorry for my previous reply).

The issue here, after I rechecked it:

the OSPF hello message is denied by the deny any any at the end of the ACL,

so permit 2.0 for OSPF adjacency.

So, you said that I need to permit 2.0 (not 3.0) for OSPF adjacency!

But when I configured RIPv1/v2 instead of OSPF, this problem did not occur.

And can you tell me which router neighbour 192.168.4.1 is?


Thank you
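As an added illustration that is not from the thread or from any of the posters, this Python model walks packets through an IOS-style extended ACL with the implicit deny, using the thread's addresses. It shows why an ACL with no permit for OSPF drops the neighbour's hellos on s0/0/0 inbound, why permitting 192.168.2.0 brought the neighbour back, and that a single "permit ospf any any" entry is the narrower fix when no "permit ip any any" is wanted. The neighbour's serial address 192.168.2.2 and the placement of the 192.168.5.0/24 subnet are assumptions.

```python
import ipaddress

def _ip(s):
    return int(ipaddress.IPv4Address(s))  # dotted quad -> int

def _addr_spec(tokens, i):
    """Parse one IOS address spec at tokens[i]: 'any' | 'host A' | 'A WILDCARD'.
    Returns (matcher, index of the next token)."""
    if tokens[i] == "any":
        return (lambda a: True), i + 1
    if tokens[i] == "host":
        return (lambda a, h=_ip(tokens[i + 1]): _ip(a) == h), i + 2
    net, wc = _ip(tokens[i]), _ip(tokens[i + 1])
    care = ~wc & 0xFFFFFFFF  # wildcard bit 0 = must match, bit 1 = don't care
    return (lambda a, n=net & care, c=care: (_ip(a) & c) == n), i + 2

def evaluate(acl, proto, src, dst, dport=None):
    """IOS extended-ACL semantics: top-down, first match wins, and a packet
    that matches no entry hits the implicit 'deny ip any any' at the end."""
    for line in acl:
        t = line.split()
        action, lproto = t[0], t[1]
        src_ok, i = _addr_spec(t, 2)
        dst_ok, i = _addr_spec(t, i)
        port = None
        if i + 1 < len(t) and t[i] == "eq":
            port = {"www": 80}.get(t[i + 1]) or int(t[i + 1])
        if lproto != "ip" and lproto != proto:
            continue  # 'ip' matches every protocol (so also OSPF); others are exact
        if src_ok(src) and dst_ok(dst) and (port is None or port == dport):
            return action == "permit"
    return False  # implicit deny: this is what drops the OSPF hellos

# Constructed ACLs for the thread's goal, without a trailing 'permit ip any any'.
ACL_ORIGINAL = [
    "deny tcp host 192.168.3.2 host 192.168.1.4 eq www",
    "permit ip 192.168.3.0 0.0.0.255 any",
    "permit ip 192.168.5.0 0.0.0.255 any",
]
# The OP's workaround: permitting the serial link's network lets OSPF through as a side effect.
ACL_WORKAROUND = ["permit ip 192.168.2.0 0.0.0.255 any"] + ACL_ORIGINAL
# Narrower fix: permit only the routing protocol itself (OSPF is IP protocol 89).
ACL_FIXED = ["permit ospf any any"] + ACL_ORIGINAL
# OSPF hello arriving inbound on s0/0/0: from the neighbour's serial address
# (assumed to be 192.168.2.2 on the 192.168.2.0 link) to AllSPFRouters 224.0.0.5.
HELLO = ("ospf", "192.168.2.2", "224.0.0.5")

def adjacency_survives(acl):
    """True when inbound OSPF hellos pass the ACL, i.e. the neighbour stays up."""
    return evaluate(acl, *HELLO)
```

With ACL_FIXED, PC2's HTTP to 192.168.1.4 is the only traffic denied from the permitted subnets, while hosts outside 192.168.3.0/24 and 192.168.5.0/24 still hit the implicit deny.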

 
