need help with extended ACLs

dolanduck.
Level 1

Hello, I need help with extended ACLs. Here is the thing: I want to make PC A and PC B able to ping outside and receive replies, but at the same time I want to deny ICMP traffic from coming into R1 and R2. What about the implicit deny, will that affect other IP stuff?

Here is the access list I made.

I want to put them on both R1 and R2 on g0/1 in.

access-list 101 permit icmp 38.159.118.104 0.0.0.3 any echo-reply
access-list 101 permit icmp 38.159.118.108 0.0.0.3 any echo-reply
access-list 101 deny icmp any any

 

5 Replies

Deepak Kumar
VIP Alumni

Hi,

Your ACL configuration can be like:

ip access-list extended 100
 5 permit icmp any any echo-reply
 10 deny icmp any any
 50 permit ip any any

 

And apply the same ACL on the WAN interface in the inbound direction:

interface Gig1/0
ip access-group 100 in

 

Regards,

Deepak Kumar


Why do I need access-list 100 permit ip any any?

Is it because of the implicit ACL?

And is it possible to get an ACL alert every time an ACL is met?

Hi,

Why do I need access-list 100 permit ip any any? Is it because of the implicit ACL?

Yes. By default, an ACL has a hidden deny ip any any command at the end, so you have to permit ip any any; otherwise all other traffic will be blocked by the hidden line of the ACL (that's called the implicit ACL).

 

And is it possible to get an ACL alert every time an ACL is met?

Yes, but only in certain cases. It is possible, as you will get the details in logs/syslog/trap etc. You can add the "log" keyword at the end of the ACL line as below:


ip access-list extended 100
 5 permit icmp any any echo-reply log
 10 deny icmp any any log
 50 permit ip any any

 

Note: Don't add the "log" keyword to "access-list 100 permit ip any any", because that line will be hit by much more traffic, so CPU and memory usage will go high and you will face many issues.

 

Regards,

Deepak Kumar


Hey, I need your help again. I can't ping Router 2's or Router 1's ports; for some reason deny icmp any any keeps me from pinging.

Hello,

 

If you just want the hosts to send and receive ICMP, deny all other ICMP traffic, but still allow all other traffic, the access list should look like this:

 

access-list 101 permit icmp 38.159.118.104 0.0.0.3 any echo
access-list 101 permit icmp 38.159.118.104 0.0.0.3 any echo-reply
access-list 101 permit icmp 38.159.118.108 0.0.0.3 any echo
access-list 101 permit icmp 38.159.118.108 0.0.0.3 any echo-reply
access-list 101 deny icmp any any
access-list 101 permit ip any any
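To see what the two points made in this thread amount to (the hidden deny at the end of every ACL, and the echo/echo-reply distinction), here is an added Python model that is not from anyone in this thread: it walks the OP's access-list 101 the way IOS does, top-down with first match winning and the implicit deny last, then does the same after appending permit ip any any. The addresses 38.159.118.105 and 203.0.113.10 are constructed stand-ins for PC A and an outside host, and the parser handles only the syntax used in this thread.

```python
import ipaddress

# Added example, not from the thread: a minimal model of how IOS walks a numbered
# extended ACL (top-down, first match wins, hidden "deny ip any any" last).
ANY = (0, 0xFFFFFFFF)  # (address, wildcard): every bit is a don't-care bit

def _addr(tokens):  # consume 'any' or 'A.B.C.D W.W.W.W' -> (address, wildcard) ints
    first = tokens.pop(0)
    if first == "any":
        return ANY
    return int(ipaddress.IPv4Address(first)), int(ipaddress.IPv4Address(tokens.pop(0)))

def parse_acl(text):
    # 'access-list N permit|deny proto src dst [icmp-type] [log]' -> entry tuples
    entries = []
    for line in text.strip().splitlines():
        t = line.split()
        action, proto, rest = t[2], t[3], t[4:]
        src, dst = _addr(rest), _addr(rest)
        icmp_type = rest[0] if rest and rest[0] != "log" else None
        entries.append((action, proto, src, dst, icmp_type))
    return entries

def _match(rule, addr):  # wildcard compare: bits set in the wildcard are ignored
    base, wildcard = rule
    return ((base ^ int(ipaddress.IPv4Address(addr))) & ~wildcard & 0xFFFFFFFF) == 0

def evaluate(entries, proto, src, dst, icmp_type=None):
    # Return (action, line index); index None means the implicit deny fired.
    for i, (action, rproto, rsrc, rdst, rtype) in enumerate(entries):
        if (rproto in ("ip", proto) and _match(rsrc, src) and _match(rdst, dst)
                and (rtype is None or rtype == icmp_type)):
            return action, i
    return "deny", None  # the hidden "deny ip any any" every ACL ends with

# The OP's list as posted, then the same list with the permit-any line appended.
OP_ACL = """access-list 101 permit icmp 38.159.118.104 0.0.0.3 any echo-reply
access-list 101 permit icmp 38.159.118.108 0.0.0.3 any echo-reply
access-list 101 deny icmp any any"""
FIXED_ACL = OP_ACL + "\naccess-list 101 permit ip any any"

def verdicts(acl_text):
    # Constructed packets: 38.159.118.105 stands in for PC A, 203.0.113.10 for outside.
    acl = parse_acl(acl_text)
    return {
        "tcp_from_pc_a": evaluate(acl, "tcp", "38.159.118.105", "203.0.113.10"),
        "echo_from_pc_a": evaluate(acl, "icmp", "38.159.118.105", "203.0.113.10", "echo"),
        "reply_from_pc_a": evaluate(acl, "icmp", "38.159.118.105", "203.0.113.10", "echo-reply"),
        "echo_from_outside": evaluate(acl, "icmp", "203.0.113.10", "38.159.118.1", "echo"),
    }
```

Under the OP's list a TCP packet from PC A falls through to the implicit deny, and every echo is still caught by deny icmp any any; appending permit ip any any fixes only the first problem, which is why the list above also permits echo.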
