
Access-lists Doubt

I have a network under a router (192.168.1.0/24). It is connected to multiple networks (x.x.x.x/xx). I need to allow ping from the 192.168.1.0 network to all other networks, but none of the other networks should be able to ping 192.168.1.0/24. How can I use access lists to implement this scenario?

3 REPLIES

It really depends on if this is an L3 switch or router as to how you can accomplish this. The ACL that Houtan has provided is close, but because there's no permit line at the end, it will end up blocking all traffic other than ICMP from 192.168.1.0/24. Can you provide a diagram as to where these networks are in relation to the 192.168.1.0/24?

HTH,
John


Hi,

Use this configuration:

 

access-list 101 permit icmp 192.168.1.0 0.0.0.255 any echo
access-list 101 deny icmp 192.168.1.0 0.0.0.255 any echo-reply
access-list 101 permit ip any any

access-list 102 permit icmp any 192.168.1.0 0.0.0.255 echo-reply
access-list 102 deny icmp any 192.168.1.0 0.0.0.255 echo
access-list 102 permit ip any any

 

On your 192.168.1.0 network interface side:

(config-if)# ip access-group 101 in
(config-if)# ip access-group 102 out

 

P.S.: Special thanks to John

 

HTH

Houtan
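The first-match behaviour of the two ACLs in the post above, and the implicit deny John describes, modelled as an added example that is not part of the original thread. The hosts 192.168.1.10 and 10.0.0.5 are constructed sample addresses, and the evaluator is a simplified model (contiguous wildcard masks only), not IOS itself:

```python
import ipaddress

# ACLs as posted above (with the "access-list" keyword hyphenated).
ACL_101 = """\
access-list 101 permit icmp 192.168.1.0 0.0.0.255 any echo
access-list 101 deny icmp 192.168.1.0 0.0.0.255 any echo-reply
access-list 101 permit ip any any"""
ACL_102 = """\
access-list 102 permit icmp any 192.168.1.0 0.0.0.255 echo-reply
access-list 102 deny icmp any 192.168.1.0 0.0.0.255 echo
access-list 102 permit ip any any"""

def _take_addr(tokens):
    """Consume 'any' or 'address wildcard'; contiguous wildcard masks only."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    # ipaddress reads a mask starting with 0 as a host (wildcard) mask
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}"), tokens[2:]

def parse_acl(text):
    rules = []
    for line in text.splitlines():
        action, proto, *rest = line.split()[2:]   # skip 'access-list <n>'
        src, rest = _take_addr(rest)
        dst, rest = _take_addr(rest)
        rules.append((action, proto, src, dst, rest[0] if rest else None))
    return rules

def evaluate(rules, proto, src, dst, icmp_type=None):
    """First matching entry wins; no match falls through to the implicit deny."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, r_proto, r_src, r_dst, r_type in rules:
        if r_proto not in ("ip", proto):
            continue
        if src not in r_src or dst not in r_dst:
            continue
        if r_type is not None and r_type != icmp_type:
            continue
        return action
    return "deny"

if __name__ == "__main__":
    lan, remote = "192.168.1.10", "10.0.0.5"      # constructed sample hosts
    inbound, outbound = parse_acl(ACL_101), parse_acl(ACL_102)
    no_permit = outbound[:-1]                     # ACL 102 without 'permit ip any any'
    print("LAN pings remote:     ", evaluate(inbound, "icmp", lan, remote, "echo"))
    print("reply returns to LAN: ", evaluate(outbound, "icmp", remote, lan, "echo-reply"))
    print("remote pings LAN:     ", evaluate(outbound, "icmp", remote, lan, "echo"))
    print("remote TCP to LAN:    ", evaluate(outbound, "tcp", remote, lan))
    print("same, no final permit:", evaluate(no_permit, "tcp", remote, lan))
```

ACL 101 is evaluated against packets entering the router from the 192.168.1.0/24 interface and ACL 102 against packets leaving toward it, matching the `in` and `out` directions in the post.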

 

Hello

I agree with John, it all depends on whether this is a router interface or an L3 SVI interface.

Just allow echo-reply in from the interface for that specific network, but make sure you don't deny routing protocols or other traffic you have, etc.
 

Router
access-list 101 permit ospf any any
access-list 101 permit eigrp any any
access-list 101 permit udp any any eq 520
access-list 101 permit icmp x.x.x.x any echo-reply

int x/x
no ip unreachables
ip access-group 101 in

For a layer 3 SVI - (the out means traffic from outside the vlan into this vlan)

int vlan xx
no ip unreachables
ip access-group 101 out

res

Paul

 
