Extended Access Control List Problem


Fri, 10/01/2010 - 21:29

Hello Guys



I am very frustrated today with the extended access control list. Here is the topology in the diagram below. I want PC2, which has an IP of 192.168.40.2/24, to be unable to ping the Router 1 interfaces. To accomplish this, I configured Router 1 with the ACL of


access-list 102 deny   icmp any host 192.168.40.2
access-list 102 permit ip any any


and put that ACL on the s1/1 interface


interface Serial1/1
ip address 192.168.20.1 255.255.255.0
ip access-group 102 in
serial restart-delay 0
clock rate 64000



After implementing this configuration, PC2 (192.168.40.2) can still ping Router 1, but PC2 (192.168.40.2) can't ping the Router 2 s1/0 interface, which has the IP address 192.168.10.2.



[Attached topology diagram: Untitled.png]
I don't know what's wrong with my ACL configuration. I know you guys can help me.



Please reply to me soon.

WARM REGARDS

ASHISH SOOD

Collin Clark Fri, 10/01/2010 - 06:32

Here's a hint: check which interface the ACL should be applied to, or the ACL direction.

gopiredd Fri, 10/01/2010 - 19:14

Hi Ashish,


If I understand correctly, you want PC2 not to be able to ping Router 1's interface. If this is correct, here is the configuration.


access-list 102 deny  icmp  host 192.168.40.2 host 192.168.20.1
access-list 102 permit ip any any


and apply that ACL on the s1/1 interface


interface Serial1/1
ip address 192.168.20.1 255.255.255.0
ip access-group 102 in


Note that only the ICMP traffic sourced from PC2 and destined to Router 1's 192.168.20.1 IP address will be dropped.


If you want to drop all the ICMP traffic originated from PC2 then use the following:


access-list 102 deny  icmp  host 192.168.40.2 any
access-list 102 permit ip any any


Gopinath
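To see why the first ACL let the pings through, here is a small first-match ACL evaluator (an added example, not code from this thread or from Cisco): it parses the `access-list` lines quoted above and evaluates PC2's echo request as it arrives inbound on Serial1/1, so the only addresses used are the ones already on the page. It also accepts the `address wildcard` form in addition to `host` and `any`, which the thread does not use.

```python
import ipaddress

def _parse_addr(tokens, i):
    """Consume one address spec starting at tokens[i]; return (matcher, next index)."""
    tok = tokens[i]
    if tok == "any":
        return (lambda ip: True), i + 1
    if tok == "host":
        target = ipaddress.ip_address(tokens[i + 1])
        return (lambda ip, t=target: ip == t), i + 2
    # "address wildcard" form: bits set to 1 in the wildcard are don't-care bits
    addr = int(ipaddress.ip_address(tok))
    wild = int(ipaddress.ip_address(tokens[i + 1]))
    return (lambda ip, a=addr, w=wild: (int(ip) | w) == (a | w)), i + 2

def parse_acl(text):
    """Parse 'access-list N {permit|deny} PROTO SRC DST' lines, keeping their order."""
    entries = []
    for line in text.strip().splitlines():
        tokens = line.split()
        if len(tokens) < 6 or tokens[0] != "access-list":
            continue
        action, proto = tokens[2], tokens[3]
        src, i = _parse_addr(tokens, 4)
        dst, _ = _parse_addr(tokens, i)
        entries.append((action, proto, src, dst))
    return entries

def evaluate(entries, proto, src, dst):
    """First matching entry wins; an unmatched packet hits the implicit deny."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, p, src_ok, dst_ok in entries:
        if p in ("ip", proto) and src_ok(src) and dst_ok(dst):
            return action
    return "deny"

ORIGINAL_ACL = """access-list 102 deny   icmp any host 192.168.40.2
access-list 102 permit ip any any"""
CORRECTED_ACL = """access-list 102 deny  icmp  host 192.168.40.2 host 192.168.20.1
access-list 102 permit ip any any"""

def verdicts():
    """Inbound on Serial1/1 the echo request carries src=PC2, dst=Router 1."""
    request = ("icmp", "192.168.40.2", "192.168.20.1")
    reply = ("icmp", "192.168.20.1", "192.168.40.2")  # only this direction hits the original deny
    return {"original": evaluate(parse_acl(ORIGINAL_ACL), *request),
            "original_reply_direction": evaluate(parse_acl(ORIGINAL_ACL), *reply),
            "corrected": evaluate(parse_acl(CORRECTED_ACL), *request)}

if __name__ == "__main__":
    print(verdicts())  # {'original': 'permit', 'original_reply_direction': 'deny', 'corrected': 'deny'}
```

The original entry names PC2 as the destination, so it can only match traffic heading toward PC2, which never arrives inbound on Serial1/1; the echo request itself falls through to `permit ip any any`.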

ashu_genius Fri, 10/01/2010 - 21:29

Thanks Gopinath


After configuring exactly what you said, PC2 can still ping the R1 s1/1 interface, but R1 is not replying to all the ICMP echo packets from PC2; it replies only to certain packets. Below is the output of VPCS 2.



VPCS 2 >ping 192.168.20.1
192.168.20.1 icmp_seq=1 time=32.000 ms
192.168.20.1 icmp_seq=2 timeout
192.168.20.1 icmp_seq=3 time=40.000 ms
192.168.20.1 icmp_seq=4 timeout
192.168.20.1 icmp_seq=5 time=39.000 ms
