
Unable to get ACL matches

dadamsjrsnoopy
Level 1

I am preparing for the ICND1 exam and working with ACLs using three actual Cisco 1841 routers, 3 Cisco switches, and two laptops and one server.

 

I made sure both laptops on separate routers and networks could both access a website on the server on the third router and separate network.  I then created an ACL on the INPUT to the router interface for the server.  This ACL allows one laptop to be permitted by IP address.  This does appear to block the other laptop.


I am following the "Cisco Official Cert Guide for the CCENT/CCNA ICND1 100-105" exam pages 596 - 607 but am not seeing at all the results the book says I should see.

 

R1#show version
Cisco IOS Software, 1841 Software (C1841-ADVENTERPRISEK9-M), Version 15.1(4)M7, RELEASE SOFTWARE (fc2)

 

R1#show access-lists
Standard IP access list 20
10 permit 10.1.1.5 log

 

R1#show ip int s0/0/0
Serial0/0/0 is up, line protocol is up
Internet address is 189.24.132.50/30
Outgoing access list is not set
Inbound access list is 20

I have attached a document using Cisco Academy's packet tracer to show how my actual hardware network is set up.

 

Thank you for your help.

 

David Adams, Mobile, AL

3 Replies

Hello,

 

Looking at your document, the IP address allowed in the access list is 10.1.1.5, which is the IP address of the server?

What do you want to accomplish, allow one laptop to access the server, and deny the other access to the server?

 

If this is a Packet Tracer project, post the (zipped) project (.pkt) file...

Ok, I went back and started over - it now appears to be working.

 

R1#configure t

Enter configuration commands, one per line.  End with CNTL/Z.

R1(config)#access-list 1 permit 10.2.2.5

R1(config)#int s0/0/0

R1(config-if)#ip access-group 1 in

R1(config-if)#end

R1#

*Jun 17 22:00:53.931: %SYS-5-CONFIG_I: Configured from console by console

R1#wr

Building configuration...

[OK]

R1#config t

Enter configuration commands, one per line.  End with CNTL/Z.

R1(config)#no access-list 1 permit 10.2.2.5

R1(config)#int s0/0/0

R1(config-if)#no ip access-group 1 in

R1(config-if)#end

R1#w

*Jun 17 22:02:53.887: %SYS-5-CONFIG_I: Configured from console by console

R1#wr

Building configuration...

[OK]

R1#config t

Enter configuration commands, one per line.  End with CNTL/Z.

R1(config)#access-list 12 permit 10.2.2.5 log

R1(config)#int s0/0/0

R1(config-if)#ip access-group 12 in

R1(config-if)#end

R1#w

*Jun 17 22:04:04.311: %SYS-5-CONFIG_I: Configured from console by console

R1#wr

Building configuration...

[OK]

R1#

*Jun 17 22:04:24.451: %SEC-6-IPACCESSLOGNP: list 12 permitted 0 10.2.2.5 -> 10.1.1.5, 1 packet

R1#

Hello,

 

That looks a lot better. You needed the IP address of the laptop and not the server in the access list...
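The point made in the last reply, as an added example that is not part of the original thread: a small Python model of how a standard IP access list is evaluated (source address only, first match wins, implicit deny at the end), run against access list 20 and access list 12 from the posts above. It assumes the traffic arriving inbound on s0/0/0 is sourced from the laptops; the class and function names are illustrative, and 10.3.3.5 is an assumed address for the second laptop, which the thread does not give.

```python
import ipaddress

class Ace:
    """One entry of a standard ACL: an action plus a source address and wildcard."""
    def __init__(self, action, source, wildcard="0.0.0.0"):
        self.action = action          # "permit" or "deny"
        self.source = int(ipaddress.IPv4Address(source))
        # IOS wildcard bits set to 1 are "don't care"; invert to get the bits compared.
        self.care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
        self.hits = 0                 # match counter, as in "show access-lists"

    def matches(self, src_ip):
        src = int(ipaddress.IPv4Address(src_ip))
        return (src & self.care) == (self.source & self.care)

def evaluate(acl, src_ip, dst_ip):
    """First match wins. dst_ip is accepted but never inspected by a standard ACL."""
    for ace in acl:
        if ace.matches(src_ip):
            ace.hits += 1
            return ace.action
    return "deny"                     # implicit "deny any" that ends every ACL

# Constructed sample traffic (source, destination), both flows headed to the server.
# 10.3.3.5 is an assumed address for the second laptop.
PACKETS = [("10.2.2.5", "10.1.1.5"), ("10.3.3.5", "10.1.1.5")]

def run(acl):
    """Return the verdict for each sample packet and the per-entry hit counts."""
    verdicts = [evaluate(acl, src, dst) for src, dst in PACKETS]
    return verdicts, [ace.hits for ace in acl]

def acl_20():
    return [Ace("permit", "10.1.1.5")]    # first attempt: the server's address

def acl_12():
    return [Ace("permit", "10.2.2.5")]    # second attempt: the laptop's address

if __name__ == "__main__":
    for name, build in (("20", acl_20), ("12", acl_12)):
        verdicts, hits = run(build())
        print(f"access-list {name}: verdicts={verdicts} hits={hits}")
```

With access list 20 the permit entry never increments because no packet carries 10.1.1.5 as its source, so every packet falls through to the implicit deny, which neither logs nor shows a counter unless an explicit `deny any log` entry is added.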
