Community Member

Could someone give me a bit of advice on ACLs please

Hello,

I am trying to get ACLs working on a Packet Tracer network for a college assignment, but I'm hitting brick walls and could do with some advice please!

I need to create an ACL that will allow web traffic from a host on one LAN to an internal webserver on a separate LAN and to an external webserver. I have tried the following ACL applied to the inbound interface of the router the host is connected to, but it keeps failing.

My extended ACL looks like the following:

access-list 150 permit tcp any host 172.40.56.254 eq domain - (this is the internal DNS server address)
access-list 150 permit tcp any host 172.40.56.254 eq www - (this is the internal HTTP server address | www.jrt.com)
access-list 150 permit tcp any host 192.168.16.2 eq www - (this is the external HTTP server address)

When I try www.jrt.com in the browser in simulation mode, when the packet hits the router I get the red envelope with "1. The device sends back an ICMP Administratively Prohibited Unreachable message."

What am I doing wrong?


Thanks in advance

***** Please note I am unable to reply to any comments for some unknown reason*****

I only want to allow DNS and web traffic, the assignment requires me to allow access to a website but nothing else, no ping etc.

I created the ACL above thinking that it would allow just the traffic I need to allow and deny anything else, but like I say I am unable to get the web page up from the browser of the host.

I can get the site using "permit ip any 172.40.56.254", but that also allows ping replies, which I need to deny.

1 ACCEPTED SOLUTION

Hall of Fame Super Silver

The error says ICMP - ICMP is used by ping (echo and echo reply packets).

Your access-list entries don't allow icmp (a protocol type in itself), only "domain" and "www" (udp/53 and tcp/80).

2 REPLIES

Cisco Employee

Correct, as Marvin said: on the access list you are not permitting ICMP. If you test with that protocol, the test is supposed to fail.
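To see what the posted ACL does to each packet the host actually sends, here is an added Python model of IOS-style first-match ACL evaluation with the implicit "deny ip any any" at the end. It is an editor's illustration for the question and the two replies above, not code from Packet Tracer, from IOS, or from anyone in the thread. It assumes the browser first resolves www.jrt.com with a UDP/53 query and only then opens TCP/80; the first posted entry is written for tcp, so it never matches that lookup, while the second list shows the same ACL with the DNS entry on udp, which still leaves ping denied. The packets and the "fixed" list are constructed for the example.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

# Well-known port names accepted by the IOS "eq" keyword (only the two the thread uses).
PORT_NAMES = {"domain": 53, "www": 80}


@dataclass(frozen=True)
class Packet:
    proto: str                    # "tcp", "udp" or "icmp"
    dst: str                      # destination IPv4 address
    dport: Optional[int] = None   # L4 destination port; None for icmp


@dataclass(frozen=True)
class Ace:
    action: str                   # "permit" or "deny"
    proto: str                    # "tcp", "udp", "icmp" or "ip" (any protocol)
    dst: str                      # "any" or one host address
    dport: Optional[int] = None   # None means "any destination port"

    def matches(self, p: Packet) -> bool:
        if self.proto != "ip" and self.proto != p.proto:
            return False
        if self.dst != "any" and self.dst != p.dst:
            return False
        if self.dport is not None and self.dport != p.dport:
            return False
        return True


def parse_ace(line: str) -> Ace:
    """Parse one 'access-list N permit|deny <proto> any host A.B.C.D [eq <port>]' line.

    Only the forms used in this thread are handled: the source is always 'any'
    and the destination is 'any' or 'host <addr>'.
    """
    tok = line.split()
    if tok[0] != "access-list":
        raise ValueError(f"not an access-list line: {line!r}")
    action, proto = tok[2], tok[3]
    i = 5                          # tok[4] is the source ("any"), skipped
    if tok[i] == "host":
        dst, i = tok[i + 1], i + 2
    else:
        dst, i = tok[i], i + 1
    dport = None
    if i < len(tok) and tok[i] == "eq":
        name = tok[i + 1]
        dport = PORT_NAMES[name] if name in PORT_NAMES else int(name)
    return Ace(action, proto, dst, dport)


def evaluate(acl: List[Ace], p: Packet) -> str:
    """First matching entry wins; every IOS ACL ends with an implicit 'deny ip any any'.

    A packet that falls through to the implicit deny is what makes the router
    answer with the 'administratively prohibited' ICMP unreachable seen in Packet Tracer.
    """
    for ace in acl:
        if ace.matches(p):
            return ace.action
    return "deny"


# The three entries exactly as posted in the question.
ACL_150_AS_POSTED = [parse_ace(l) for l in [
    "access-list 150 permit tcp any host 172.40.56.254 eq domain",
    "access-list 150 permit tcp any host 172.40.56.254 eq www",
    "access-list 150 permit tcp any host 192.168.16.2 eq www",
]]

# Constructed variant: the DNS entry on udp, which is what a client's name lookup uses.
ACL_150_FIXED = [parse_ace(l) for l in [
    "access-list 150 permit udp any host 172.40.56.254 eq domain",
    "access-list 150 permit tcp any host 172.40.56.254 eq www",
    "access-list 150 permit tcp any host 192.168.16.2 eq www",
]]

# Constructed packets: what the host emits when the browser loads www.jrt.com,
# plus a ping to the internal server (the traffic the assignment must block).
SAMPLE_PACKETS = {
    "dns_lookup":    Packet("udp", "172.40.56.254", 53),
    "http_internal": Packet("tcp", "172.40.56.254", 80),
    "http_external": Packet("tcp", "192.168.16.2", 80),
    "ping_server":   Packet("icmp", "172.40.56.254"),
}


def trace(acl: List[Ace]) -> Dict[str, str]:
    """Return {packet name: 'permit' | 'deny'} for every sample packet."""
    return {name: evaluate(acl, p) for name, p in SAMPLE_PACKETS.items()}


if __name__ == "__main__":
    for label, acl in (("as posted", ACL_150_AS_POSTED), ("dns on udp", ACL_150_FIXED)):
        print(f"ACL 150 {label}:")
        for name, verdict in trace(acl).items():
            print(f"  {name:14s} -> {verdict}")
```

Running it shows the posted list denying the UDP name lookup and the ping while permitting both HTTP flows, and the udp variant permitting the lookup with the ping still hitting the implicit deny. Because the ACL is applied inbound on the host-facing interface, only host-to-server packets are evaluated here; the servers' replies arrive on a different interface and are not filtered by this list.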
