Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
315
Views
10
Helpful
3
Replies

Access-lists Doubt

sajidkp009
Level 1
Level 1

‎10-23-2014 12:58 AM - edited ‎03-05-2019 12:01 AM

I have a network under a router(192.168.1.0/24). It is connected to multiple networks(x.x.x.x/xx). I need to allow ping from 192.168.1.0 network to all other networks. But none of the other networks can ping to 192.168.1.0/24. How can I use access-lists to implement the scenario ??

Labels:
0 Helpful
3 Replies 3

John Blakley
VIP Alumni
VIP Alumni

‎10-23-2014 03:06 AM

It really depends on if this is a L3 switch or router as to how you can accomplish this. The acl that Houtan has provided is close, but because there's no permit line at the end, it will end up blocking all traffic other than icmp from 192.168.1.0/24. Can you provide a diagram as to where these networks are in relation to the 192.168.1.0/24?

HTH,
John

HTH, John *** Please rate all useful posts ***

houtan haddadlarijani
Level 1
Level 1

‎10-23-2014 03:29 AM

 

Hi,

Use this configuration:

 

access list 101 permit icmp 192.168.1.0 0.0.0.255 any echo

access list 101 deny icmp 192.168.1.0 0.0.0.255 any echo-reply

access list 101 permit ip any any


access list 102 permit icmp any 192.168.1.0 0.0.0.255 echo-reply

access list 102 deny icmp any 192.168.1.0 0.0.0.255 echo

access list 102 permit ip any any 

 

on your 192.168.1.0 network interface side:

-if)# ip access-group 101 in

-if)# ip access-group 102 out

 

P.S: Especial thanks to John

 

HTH

Houtan

 

0 Helpful

paul driver
VIP
VIP

‎10-23-2014 04:16 AM

Hello

I agree with John it all depends if this is a router interface or a L3 SVI interface

Just allow echo-reply in from the interface for that specific network, but make you dont deny routing protocols or other traffic you have etc..
 

Router
access-list 101 permit ospf any any
access-list 101 permit eigrp any any
access-list 101 permit udp any any eq 520
access-list 101 permit icmp x.x.x.x any echo-reply

int x/x
no ip unreachables
ip access-group 101 in

For a layer 3 SVI - (the out means traffic from outside the vlan into this vlan)

int vlan xx
no ip unreachables
ip access-group 101 out

res

Paul

 


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card