ACL help on simple 2 router OSPF Lab

whiteford
Level 1

Hello,

I'm trying to practise with some ACLs in my small 2-router lab. On Router0 I want to be able to deny and log access from 192.168.100.192/27 (Router1 LAN) to 192.168.100.97/27 (Loopback0 LAN).

As you can see on Router0 I have created an extended ACL and bound it to the destination interface, which is Loopback0, in the "outbound" direction towards the LAN. This is how I have been taught to do it anyway: set the ACL on the destination interface, outbound towards the LAN of the interface.

Router0#sh run
!
interface Loopback0
 ip address 192.168.100.97 255.255.255.224
 ip access-group inbound out
!
interface FastEthernet0/0
 ip address 192.168.100.129 255.255.255.252
 duplex auto
 speed auto
!
interface Serial0/0
 description WAN link to RouterA
 ip address 10.10.10.13 255.255.255.252
 no fair-queue
!
interface Serial0/1
 no ip address
!
router ospf 1
 log-adjacency-changes
 network 10.10.10.12 0.0.0.3 area 0
 network 192.168.100.96 0.0.0.31 area 0
 network 192.168.100.128 0.0.0.3 area 0
!
ip http server
no ip http secure-server
ip classless
!
ip access-list extended inbound
 deny ip 192.168.100.192 0.0.0.31 any log
 permit ip any any log
!

----------------------------------------------------------------

Router1#sh run
!
ip dhcp pool client
 network 192.168.100.192 255.255.255.224
 default-router 10.10.10.14
!
interface FastEthernet0/0
 ip address 192.168.100.193 255.255.255.224
 ip nat inside
 duplex auto
 speed auto
!
interface Serial0/0
 ip address 10.10.10.14 255.255.255.252
 ip nat outside
 no fair-queue
 clock rate 4000000
!
interface Serial0/1
 no ip address
 shutdown
!
router ospf 1
 log-adjacency-changes
 network 10.10.10.12 0.0.0.3 area 0
 network 192.168.100.192 0.0.0.31 area 0
!

Thanks

Jon Marshall
Hall of Fame

You need to apply the ACL inbound. Outbound is traffic leaving the loopback interface; inbound is traffic arriving on the loopback interface.

Jon

I changed it to inbound and the LAN in question still didn't get blocked; I can still ping the LAN and telnet to 192.168.100.97.

Andy,

It will not work in either the outbound or the inbound direction, because traffic going to the loopback IP address will not be forwarded out of the interface. So neither an outbound nor an inbound ACL will work in this case.

In case you want to see logs from that ACL, you can do the following:

Router0
!
int loop 0
 ip ospf net point-to-point
 ip access-group inbound out
 no ip route-cache
!

R1#ping 192.168.100.98
!

Those packets will be forwarded out of the loopback interface, so you should see the logs.

But you can ping/telnet to 192.168.100.97 anyway.

HTH,

Toshi

Hello, so basically if I use the FastEthernet interface instead, this will work? I just need a device to bring up the interface.

Andy,

You are trying to access Router0 via Router1. Think about the direction of the traffic: it goes out from Router1 to Router0, so Serial0/0 of Router0 is the first place that traffic comes in. You can apply the ACL there in the inbound direction.

HTH,

Toshi

bh
Level 1

Hi

A little thing that I want to say about ACLs is that:

* You should apply a standard ACL near the destination

* You should apply an extended ACL near the source

In your case you are using an extended ACL, so you should apply your ACL near the source; in your case that is the Router1 LAN.

By doing this you are dropping the traffic before it goes to the other router and uses your WAN bandwidth.

H2H

Bhargav

Thanks, do you find extended ACLs are more widely used in the industry?

Yes, they are.

But the whole thing comes down to the different network and its needs.

Have you tried the solution in your test environment?

H2H

Bhargav

I will try this as soon as I get to work.

It makes sense to me to use extended ACLs, as they stop unnecessary traffic using bandwidth before getting denied.

Although a standard ACL could be used for a simple ACL on the destination?

Yes, a standard ACL is more appropriate to apply near the destination.

As a standard ACL deals with the source address only, it is better to apply it near the destination, because if you apply a standard ACL near the source it will block all the traffic, which you don't want.

H2H

Bhargav

Hi,

I have just created the setup below with one extended access list close to the source, applied outbound in the direction of the remote networks:

C1841#sh run
!
ip dhcp pool scope
 network 10.20.20.0 255.255.255.0
 dns-server 192.168.21.100
 default-router 10.20.20.1
 lease 0 2
!
ip domain name gb.vo.local
!
interface FastEthernet0/0
 description WAN Port
 ip address 192.168.60.245 255.255.255.0
 ip access-group MYACL1 out
 duplex auto
 speed auto
!
interface FastEthernet0/1
 description LAN Port
 ip address 10.20.20.1 255.255.255.0
 duplex auto
 speed auto
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 192.168.60.254
!
ip access-list extended MYACL1
 permit ip 10.20.20.0 0.0.0.255 192.168.28.0 0.0.0.255 log
 permit ip 10.20.20.0 0.0.0.255 192.168.21.0 0.0.0.255 log
 permit ip 10.20.20.0 0.0.0.255 192.168.20.0 0.0.0.255 log
 deny ip any any log
!

What I'm finding is that a host with IP 10.20.20.2 can access resources on 192.168.20.x, 192.168.21.x and 192.168.28.x, but these 3 subnets can also access 10.20.20.2.

My (simple) understanding of the ACL I have added is that this should be one direction only: from 10.20.20.x towards (outbound) the 3 subnets. What is allowing these 3 subnets full access to host 10.20.20.2, as I haven't specified this (or have I)?

Is my outbound rule both directions?

Andy,

10.20.20.X will do ARP to access 10.20.20.2, no matter what direction of ACL you applied.

EDIT: They will not go to the gateway, 10.20.20.1, to reach 10.20.20.2. They just do ARP for that.

HTH,

Toshi

Hello,

Not sure I understand. I allowed 10.20.20.x access outbound to the remote subnets. Coming back from the 3 subnets, I don't see an access list to allow, say for example, 192.168.21.x to access \\10.20.20.2\c$

Andy,

Assuming that I am 192.168.21.x, I'm trying to access \\10.20.20.2\c$. It would probably be file sharing. Let's think about when the packet is routed back to the host.

Source address: 10.20.20.2

Destination address: 192.168.21.X

Am I allowed to pass these ACLs?

ip access-list extended MYACL1
 permit ip 10.20.20.0 0.0.0.255 192.168.28.0 0.0.0.255 log
 permit ip 10.20.20.0 0.0.0.255 192.168.21.0 0.0.0.255 log
 permit ip 10.20.20.0 0.0.0.255 192.168.20.0 0.0.0.255 log
 deny ip any any log

HTH,

Toshi
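The point Toshi makes about MYACL1 (and the original "inbound" ACL on Router0) can be checked by walking packets through the ACL. The following is an added example, not code from the thread: a small Python evaluator for Cisco-style extended ACEs with wildcard masks, plus a session model that only evaluates packets in the direction the ACL is applied (here, "out" on the WAN port). The ACL lines are the ones posted above; the host addresses used as inputs are constructed.

```python
import ipaddress

def wildcard_match(addr, base, wildcard):
    """Cisco wildcard mask: 0 bits must match, 1 bits are don't-care."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    return (a & ~w) == (b & ~w)

def parse_addr(tokens, i):
    """Parse 'any', 'host X' or 'X WILDCARD' starting at tokens[i]."""
    if tokens[i] == "any":
        return ("0.0.0.0", "255.255.255.255"), i + 1
    if tokens[i] == "host":
        return (tokens[i + 1], "0.0.0.0"), i + 2
    return (tokens[i], tokens[i + 1]), i + 2

def evaluate(acl, src, dst):
    """First matching ACE wins; every Cisco ACL ends with an implicit deny."""
    for ace in acl:
        tokens = ace.split()          # tokens[1] is the protocol ('ip' here)
        (s_base, s_wc), i = parse_addr(tokens, 2)
        (d_base, d_wc), _ = parse_addr(tokens, i)
        if wildcard_match(src, s_base, s_wc) and wildcard_match(dst, d_base, d_wc):
            return tokens[0]
    return "deny"

# ACLs exactly as posted in the thread (the 'log' keyword is ignored here)
MYACL1 = [
    "permit ip 10.20.20.0 0.0.0.255 192.168.28.0 0.0.0.255 log",
    "permit ip 10.20.20.0 0.0.0.255 192.168.21.0 0.0.0.255 log",
    "permit ip 10.20.20.0 0.0.0.255 192.168.20.0 0.0.0.255 log",
    "deny ip any any log",
]
INBOUND = ["deny ip 192.168.100.192 0.0.0.31 any log", "permit ip any any log"]

def session_allowed(acl_out, initiator, responder, lan="10.20.20.0/24"):
    """Model MYACL1 applied 'out' on the WAN port: only packets leaving the
    LAN towards the WAN are evaluated; packets arriving from the WAN are not.
    A session needs both its first packet and the reply to pass."""
    lan_net = ipaddress.ip_network(lan)
    def crosses_out(src):             # leaves via the WAN port iff src is on the LAN
        return ipaddress.ip_address(src) in lan_net
    forward = evaluate(acl_out, initiator, responder) if crosses_out(initiator) else "permit"
    reply = evaluate(acl_out, responder, initiator) if crosses_out(responder) else "permit"
    return forward == "permit" and reply == "permit"
```

Running `session_allowed(MYACL1, "192.168.21.100", "10.20.20.2")` returns True: the request from the WAN side is never filtered, and the reply from 10.20.20.2 matches the second permit, which is exactly why the three remote subnets can still reach the host.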
