Cisco Support Community
Community Member

acl problem

Hello there,

I'm stuck with an ACL problem. Attached to the message is the topology of an enterprise LAN with a server farm that I'm trying to protect using ACLs. There's also an addressing table.

The goals of the test (a Packet Tracer activity) are:

1. Prior to configuring access control lists, both PCs can ping all servers and access all web pages.

2. After configuring access control lists, PC2, representing a legitimate inside user, cannot ping any server but can access all web pages.

3. After configuring access control lists, PC1, representing a PC set up to maintain switch configurations, can ping servers in its own VLAN, cannot ping other servers, and cannot access any web pages.

There must be two ACLs: one to permit web traffic to the server farm from PC1 and PC2 and deny all other traffic, and another one to permit DNS traffic and deny all other traffic. The ACLs must be applied outbound on routers 1 and 2 on fa0/0.21, fa0/0.22 and fa0/0.23.

My choice, which doesn't work, is:

access-list 101 remark web traffic

access-list 101 permit tcp any 172.18.21.0 0.0.7.255 eq 80

access-list 102 remark dns traffic

access-list 102 permit tcp any 172.18.21.0 0.0.7.255 eq 53

access-list 102 permit udp any 172.18.21.0 0.0.7.255 eq 53

access-list 102 deny ip any any

What am I doing wrong?

Thanks.

Accepted Solution
Cisco Employee

acl problem

For your point 2 - cannot ping any server, because an access list to allow ping has not been configured:

access-list 101 permit icmp any 172.18.21.0 0.0.7.255

access-list 102 permit icmp any 172.18.21.0 0.0.7.255

For your point 3 - cannot access any web pages from PC1, you can add the following:

access-list permit tcp any 172.18.21.0 0.0.7.255 eq 80

Hope this helps.
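
Added worked example (my own Python, not code from the thread or from Cisco): a small model of how IOS walks a numbered extended ACL applied outbound on a subinterface, using the rules that decide the three goals in the question. First matching entry wins; a packet that matches nothing hits the implicit deny ip any any; a wildcard mask marks don't-care bits, so a base such as 172.18.21.0 0.0.7.255 is normalised to 172.18.16.0 and covers 172.18.16.0 to 172.18.23.255, more than one VLAN; and traffic between hosts in the same VLAN is switched without crossing the router, which is why PC1 can still ping servers in its own VLAN whatever the ACL says. The addressing table is an attachment not reproduced on the page, so the host addresses, which VLAN PC1 sits in, and which ACL number goes on which subinterface are assumptions chosen to fit the description; the CANDIDATE ACL is likewise mine, not the thread's answer.

```python
import ipaddress
from collections import namedtuple

# Constructed addressing (assumption: the thread's addressing table is an attachment not
# reproduced here). Server VLANs 21-23 are taken as 172.18.21.0/24 .. 172.18.23.0/24,
# as the posted ACL lines suggest; PC1 is assumed to sit in VLAN 21 with the DNS server.
HOSTS = {"PC1": "172.18.21.10", "PC2": "172.18.10.10", "DNS": "172.18.21.5",
         "WEB1": "172.18.22.5", "WEB2": "172.18.23.5"}
# Numbered ACL applied outbound on each server-VLAN subinterface (assumption: fa0/0.21
# carries the DNS server and gets 102; fa0/0.22 and fa0/0.23 carry web servers and get 101).
OUTBOUND = {ipaddress.ip_network("172.18.21.0/24"): 102,
            ipaddress.ip_network("172.18.22.0/24"): 101,
            ipaddress.ip_network("172.18.23.0/24"): 101}

Packet = namedtuple("Packet", "src dst proto dport", defaults=(None,))  # proto: tcp/udp/icmp

def ip_int(s):
    return int(ipaddress.IPv4Address(s))

def addr_matcher(tokens, i):
    """Consume one IOS address spec ('any', 'host A.B.C.D' or 'A.B.C.D W.W.W.W'); return (matcher, next i)."""
    if tokens[i] == "any":
        return (lambda a: True), i + 1
    if tokens[i] == "host":
        host = ip_int(tokens[i + 1])
        return (lambda a: a == host), i + 2
    base, wild = ip_int(tokens[i]), ip_int(tokens[i + 1])
    keep = ~wild & 0xFFFFFFFF   # wildcard 1-bits are "don't care"
    base &= keep                # IOS normalises the base the same way: 172.18.21.0 0.0.7.255
    return (lambda a: a & keep == base), i + 2  # is stored and matched as 172.18.16.0 0.0.7.255

def parse_acl(text):
    """Parse 'access-list N ...' lines into {N: [(action, proto, src, dst, port)]}; remarks add no entry."""
    acls = {}
    for line in text.strip().splitlines():
        t = line.split()
        if not t or t[0] != "access-list":
            continue
        entries = acls.setdefault(int(t[1]), [])
        if t[2] == "remark":
            continue
        src, i = addr_matcher(t, 4)
        dst, i = addr_matcher(t, i)
        port = int(t[i + 1]) if i < len(t) and t[i] == "eq" else None
        entries.append((t[2], t[3], src, dst, port))
    return acls

def evaluate(aces, pkt):
    """First matching entry wins; falling off the end is the implicit 'deny ip any any'."""
    s, d = ip_int(pkt.src), ip_int(pkt.dst)
    for action, proto, src, dst, port in aces:
        if proto in ("ip", pkt.proto) and src(s) and dst(d) and (port is None or port == pkt.dport):
            return action == "permit"
    return False

def allowed(acls, pkt):
    """Does the packet reach its server? Same-VLAN traffic is switched and never crosses the router."""
    s, d = ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)
    for net, num in OUTBOUND.items():
        if d in net:
            if s in net:
                return True
            aces = acls.get(num)
            return evaluate(aces, pkt) if aces else True  # an ACL with no entries permits everything
    return True  # not a server VLAN: no outbound ACL applied there (assumption)

def check_goals(acls):
    """Goals 2 and 3 from the question as booleans (goal 1 is simply allowed({}, ...) for every flow)."""
    pc1, pc2 = HOSTS["PC1"], HOSTS["PC2"]
    servers, web = [HOSTS["DNS"], HOSTS["WEB1"], HOSTS["WEB2"]], [HOSTS["WEB1"], HOSTS["WEB2"]]
    ping = lambda a, b: allowed(acls, Packet(a, b, "icmp"))
    http = lambda a, b: allowed(acls, Packet(a, b, "tcp", 80))
    return {"pc2_no_ping": not any(ping(pc2, x) for x in servers),
            "pc2_all_web": all(http(pc2, x) for x in web),
            "pc1_ping_own_vlan": ping(pc1, HOSTS["DNS"]),
            "pc1_no_ping_others": not any(ping(pc1, x) for x in web),
            "pc1_no_web": not any(http(pc1, x) for x in web)}

# The ACL pair exactly as posted in the question.
POSTED = """
access-list 101 remark web traffic
access-list 101 permit tcp any 172.18.21.0 0.0.7.255 eq 80
access-list 102 remark dns traffic
access-list 102 permit tcp any 172.18.21.0 0.0.7.255 eq 53
access-list 102 permit udp any 172.18.21.0 0.0.7.255 eq 53
access-list 102 deny ip any any
"""
# My own candidate (an assumption, not the thread's answer): web only from the user VLAN,
# DNS pinned to the one server, explicit deny so 'show access-lists' counts the drops.
CANDIDATE = """
access-list 101 permit tcp 172.18.10.0 0.0.0.255 172.18.22.0 0.0.1.255 eq 80
access-list 101 deny ip any any
access-list 102 permit udp any host 172.18.21.5 eq 53
access-list 102 permit tcp any host 172.18.21.5 eq 53
access-list 102 deny ip any any
"""

if __name__ == "__main__":
    for name, text in (("posted", POSTED), ("candidate", CANDIDATE)):
        print(name, check_goals(parse_acl(text)))
```

Under these assumptions the posted pair meets every goal except pc1_no_web (its permit tcp any lets the management PC browse the web VLANs), while the candidate, which limits port 80 to the user VLAN, meets all of them. The same evaluation path shows why a whole-VLAN permit ... eq 53 followed by deny ip any any already blocks ping to the DNS server: ICMP matches nothing before the deny. Note also that the remark lines are skipped here exactly as IOS skips them; the grader in the activity is a separate matter.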

2 REPLIES
Community Member

acl problem

Thanks Jennifer,

completion of the activity is now 100%!! The remark command was not allowed in the activity, so even if you write the ACL statement correctly, the app gives you an error.

Thanks again.
