
Access List Problem 1

Status
Not open for further replies.

Cleereyez

Technical User
Sep 13, 2004
4
US
Hi,

I have been busy trying to figure this access list out (4 days, lots of simulation, etc.), but I am really having a hard time. Maybe someone can help me.
The setup is like this:

[ ] Server 1 ( 147.3.0.1)------[ ] Work 2 (147.3.0.2)
|
__________[ SWITCH ]
|
( ) Router1 ( 147.3.0.3 )
|
|
|
( ) Router2 ( 147.3.6.1 )
|
|
[ ] Workstation 3( 147.3.6.2 )

Rules: Workstation 3 can only stay in its subnet, except to go to server1. Server1 and work2 need to be able to access the 147.3.6.0 network.

I have been applying an access list on router2 e0 in that looks like this:
access-list 101 permit ip 147.3.6.0 0.0.0.255 147.3.0.1 0.0.0.0
access-list 101 deny ip 147.3.6.0 0.0.0.255 any
access-list 101 permit ip any any

and this is applied on e0 in

Any ideas? Thanks for your help.
 
The ACL looks okay (assuming E0 points to workstation 3). What is not working with the ACL?

"For every complex problem, there is a solution that is simple, neat and wrong" -- H.L. Mencken
 
Workstation 3 can get to server1, but server1 cannot ping back down to workstation 3
 
That is strange that it works one way but not another. Change your ACL so that you add log to the end of each line and add a last line that says 'access-list 101 deny any any'. Then ping workstation three from the server and see which lines of the ACL increment. That will be able to tell you how it is being blocked.

"For every complex problem, there is a solution that is simple, neat and wrong" -- H.L. Mencken
 
Thanks,

It's almost like something in my ACL is blocking incoming traffic too.
 
Is there an access-list on Router1 that could be blocking traffic?

Chris
 
The way you wrote it, you are allowing everyone on workstation 1's subnet to be passed to the server instead of the individual address of workstation 3. The ACL could not block anything unless you apply the ACL out. If you pull the ACL, can you ping from the server back down?
 
Here is what you would need for each, assuming no other traffic has to be on this network:

Router1:

access-list 100 permit ip 147.3.0.0 0.0.0.3 147.3.6.0 0.0.0.255
access-list 100 deny ip any any
!
int e0
ip access-group 100 in

Router2:

access-list 100 permit ip host 147.3.6.2 host 147.3.0.1
access-list 100 deny ip host 147.3.6.2 any
access-list 100 permit ip 147.3.6.0 0.0.0.255 147.3.0.0 0.0.0.3
access-list 100 deny ip any any
!
int e0
ip access-group 100 in

This will allow/deny exactly what you want.

Keep in mind, however, that you will need to set up exceptions for your router IPs, for management.

For instance, if you wanted to connect to the routers ONLY from the server, you would need to add the following prior to the deny statements:

Router1:
access-list 100 permit ip host 147.3.0.1 host 147.3.0.3

The 147.3.6.1 is already caught by the ones listed above.
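To make the first-match and wildcard-mask behaviour discussed in this thread concrete, here is an added example (hypothetical code, not from any poster and not IOS itself) that models how an extended ACL of the `permit|deny ip SRC DST` form is evaluated. It loads the original poster's ACL (written with the `ip` keyword that extended-ACL syntax requires) and the two ACLs proposed in the last reply, and walks a few constructed flows through them. The `router2_e0_in` helper encodes the assumption from the diagram that Router2 e0 faces the 147.3.6.0/24 LAN, which is why an inbound ACL there never sees server1's replies at all.

```python
import ipaddress

# Added example (hypothetical code, not from the thread or any vendor): a minimal
# model of how IOS evaluates an extended ACL of the form
#   access-list N permit|deny ip SRC DST
# with wildcard masks, first-match semantics and an implicit deny at the end.


def wildcard_match(addr, base, wildcard):
    """True if addr matches base under an IOS wildcard mask (1 bits = don't care)."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    care = ~w & 0xFFFFFFFF          # bits that must be equal
    return (a & care) == (b & care)


def _parse_addr(tokens):
    """Consume one address spec: 'any', 'host A.B.C.D', or 'A.B.C.D WILDCARD'."""
    if tokens[0] == "any":
        return ("0.0.0.0", "255.255.255.255"), tokens[1:]
    if tokens[0] == "host":
        return (tokens[1], "0.0.0.0"), tokens[2:]
    return (tokens[0], tokens[1]), tokens[2:]


def parse_ace(line):
    """Parse one 'access-list N permit|deny ip SRC DST' entry."""
    tokens = line.split()
    if tokens[0] != "access-list" or tokens[3] != "ip":
        raise ValueError("only 'access-list N permit|deny ip SRC DST' is modelled: " + line)
    src, rest = _parse_addr(tokens[4:])
    dst, rest = _parse_addr(rest)
    return {"action": tokens[2], "src": src, "dst": dst, "text": line}


def evaluate(acl_lines, src, dst):
    """First matching entry decides; an unmatched packet hits the implicit deny."""
    for line in acl_lines:
        ace = parse_ace(line)
        if wildcard_match(src, *ace["src"]) and wildcard_match(dst, *ace["dst"]):
            return ace["action"], ace["text"]
    return "deny", "implicit deny"


# The original poster's ACL (with the 'ip' keyword the extended syntax needs).
ORIGINAL_ACL = [
    "access-list 101 permit ip 147.3.6.0 0.0.0.255 147.3.0.1 0.0.0.0",
    "access-list 101 deny ip 147.3.6.0 0.0.0.255 any",
    "access-list 101 permit ip any any",
]

# The Router2 ACL proposed in the last reply.
PROPOSED_ROUTER2_ACL = [
    "access-list 100 permit ip host 147.3.6.2 host 147.3.0.1",
    "access-list 100 deny ip host 147.3.6.2 any",
    "access-list 100 permit ip 147.3.6.0 0.0.0.255 147.3.0.0 0.0.0.3",
    "access-list 100 deny ip any any",
]

# The Router1 ACL proposed in the last reply.
PROPOSED_ROUTER1_ACL = [
    "access-list 100 permit ip 147.3.0.0 0.0.0.3 147.3.6.0 0.0.0.255",
    "access-list 100 deny ip any any",
]


def router2_e0_in(acl_lines, src, dst):
    """Model of 'ip access-group 100 in' on Router2 e0.

    Assumption (from the thread's diagram): e0 faces the 147.3.6.0/24 LAN, so an
    inbound ACL there is consulted only for packets sourced on that LAN. A reply
    from server1 enters Router2 on another interface and is never checked here.
    """
    if not wildcard_match(src, "147.3.6.0", "0.0.0.255"):
        return "not evaluated (packet does not enter e0)", None
    return evaluate(acl_lines, src, dst)


if __name__ == "__main__":
    # Constructed flows: ws3->server1, ws3->work2, another LAN host->work2, server1->ws3.
    flows = [("147.3.6.2", "147.3.0.1"), ("147.3.6.2", "147.3.0.2"),
             ("147.3.6.5", "147.3.0.2"), ("147.3.0.1", "147.3.6.2")]
    for name, acl in (("original", ORIGINAL_ACL), ("proposed", PROPOSED_ROUTER2_ACL)):
        for s, d in flows:
            print(name, s, "->", d, router2_e0_in(acl, s, d))
```

Two things stand out when you run it: the wildcard 0.0.0.3 in the proposed lists covers exactly 147.3.0.0 through 147.3.0.3 (server1, work2 and Router1), and the poster's original list denies every 147.3.6.0/24 host except toward server1, whereas the proposed Router2 list pins that restriction to host 147.3.6.2 and lets the rest of the LAN reach the 147.3.0.0/30 hosts. Either way, an inbound ACL on e0 cannot be what drops server1's pings toward workstation 3, since those packets never enter e0.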
 