
Help with acl

comptek (Technical User), Nov 8, 2002
Hey guys, I am using Sybex CCNA Virtual Lab Platinum edition and I am on Chapter 10 regarding access lists. I am doing the one on standard access lists and I had a question. The lab wants me to put a standard ACL to prevent a host (172.16.50.3) on another net from pinging a PC (172.16.40.3). I put in the ACL as instructed and I did verify that the ACL works for the intended 50.3 PC (it can no longer ping the other), but my problem is that when I ping from 40.3 to 50.3 it does not work. I go to the router that 40.3 is on and try to ping 50.3 and cannot. Thinking that it is the ACL, I remove it from the router that is connected to 40.3 and do it on the router 50.3 is connected to, and after applying it I get the same result: I cannot ping 50.3 from workstation 40.3 (which is desired), but from the router that 40.3 is connected to I still cannot ping 50.3. If the ACL is applied inbound and for a specific host, how come my router cannot ping the workstation? Is the problem the software? The ACL I am trying to use is access-list 10 deny 172.16.40.3, access-list 10 permit any, ip access-group 10 in on the s0/0 interface of 2600B. I am also enclosing the config from 2600B.

2600B#sh run

Building configuration...
Current configuration : 625 bytes
!
version 12.2
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname 2600B
!
enable secret 5 $1$u76B$IOFVJ7VxfVXYVpGDrFTcI0
!
ip subnet-zero
!
!
!
!
!
interface FastEthernet0/0
description CONNECTION TO LAN 30
ip address 172.16.50.1 255.255.255.0
no ip directed-broadcast
!
interface Serial0/0
description CONNECTION TO 2600C
ip address 172.16.30.2 255.255.255.0
no ip directed-broadcast
ip access-group 10 in
!
interface FastEthernet0/1
no ip address
no ip directed-broadcast
shutdown
!
interface Serial0/1
no ip address
no ip directed-broadcast
shutdown
!
router rip
version 2
network 172.16.0.0
!
router ospf 12
log-adjacency-changes
network 172.16.0.0 0.0.255.255 area 0
!
!
ip classless
no ip http server
!
!
access-list 10 deny 172.16.40.3
access-list 10 permit any
!
banner login ^C
THIS IS THE 2600B ROUTER
^C
!
line con 0
password 2600B
login
line aux 0
password 2600B
login
line vty 0 4
password 2600B
login
!
end

2600B#
Thanks

Comptek
A+, Network+
 
comptek,

First before doing any ACLs - make sure that your network is working - ping everything, do a show ip route and make sure that you are seeing all subnets etc. then apply the ACL. I think you have a routing issue between RIPv2 and OSPF.

A standard ACL blocks the source only - you said "The lab wants me to put a standard acl to prevent a host (172.16.50.3) on another net from pinging a pc (172.16.40.3)" but you put -
access-list 10 deny 172.16.40.3
access-list 10 permit any

This will block source 172.16.40.3 from doing anything with that interface. If you want 172.16.50.3 to be shut down by the ACL you need -
access-list 10 deny 172.16.50.3
access-list 10 permit any

I configured 2 2610s attached to 2 Cisco Fast400 hubs that were attached to 2 Dell work stations

Dell---hub----2610---2610----hub----Dell
with your IPs and config
50.3---hub---50.1 30.2----30.1 40.1---hub---40.3

and it worked perfectly. The only thing I left out was your -
"router OSPF 12" and just used RIP v2

I think it was a routing issue that the ACL had nothing to do with!

Just what I found!


E.A. Broda
CCNA, CCDA, CCAI, Network +
 
CiscoGuy33,

Thanks for all of your help not only on this post but previous ones also. Well, let me start off by saying that the config I sent you and the whole 50.3 ping 40.3 thing was mixed up. What I did was, after I did the lab the first time and found out that I was not able to ping the host that I was blocking, I removed the ACL and went to the other router 2600B and did the same ACL but with different numbers. That was why my config and the question were off. I am going to paste the exact question and config in a bit. I did what you said and looked at all of my routes on all 3 routers 2600A==2600C==2600B (there are switches and hosts too). Host 40.3 (E) before the ACL was able to ping host 50.3 (F). The 2600A router was also able to ping 50.3. After I put the ACL to deny host 172.16.50.3 on router 2600A, I was no longer able to ping 40.3 (like the lab said, from Host F), but when I went to test the pings from other routers I noticed that I can no longer ping from 2600A to 50.3. Here is the config plus the lab instructions.

Lab 10.1: Standard IP Access-Lists

This lab will have you block access to network 172.16.40.0 from host F. Access-lists can be tricky because if you do not create your lists correctly, you can bring the network down.

1. Verify that you can ping to the 1900A switch and that you can ping Host E from host F.

2. Connect to the 2600A router and create an access-list that blocks access from host F trying to get to network 172.16.40.0.

2600A#config t
2600A(config)#access-list 10 deny host 172.16.50.3
2600A(config)#access-list 10 permit any

That's all we're going to do for the list. Remember that IP standard access-lists should be created closest to the destination network, which is why we built that access-list on 2600A.

3. Add the access-list to the serial 0/0 interface of 2600A.

2600A(config)#interface serial 0/0
2600A(config-if)#ip access-group 10 in

This applied the access-list 10 to the serial 0/0 interface of 2600A and filtered any incoming packets.

4. Check to see that Host F can no longer ping to 172.16.40.2 and 172.16.40.3.

5. If the access-list is correct, all other devices should still be able to reach network 172.16.40.0. Ping from the 2600C router and verify that you can reach 172.16.40.2 and 172.16.40.3.

+++++++++++++++++++++++++++
2600A Con0 is now available



Press RETURN to get started!



THIS IS THE 2600A ROUTER

User Access Verification

Password:
Password:

2600A>en
Password:
2600A#config t
Enter configuration commands, one per line. End with CNTL/Z
2600A(config)#access-list 10 deny 172.16.50.3
% Incomplete command.
2600A(config)#access-list 10 deny host 172.16.50.3
2600A(config)#access-list 10 permit any
2600A(config)#config t
% Incomplete command.
2600A(config)#ip access-group 10 in
^
% Invalid input detected at '^' marker.
2600A(config)#int s0/0
2600A(config-if)#ip access-group 10 in
2600A(config-if)#exit
2600A(config)#exit
2600A#ping 172.16.3.3

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.3.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/4 ms
2600A#ping 172.16.50.3

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.50.3, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5), round-trip min/avg/max = 0/0/0 ms
2600A#sh run

Building configuration...
Current configuration : 625 bytes
!
version 12.2
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname 2600A
!
enable secret 5 $1$u76B$IOFVJ7VxfVXYVpGDrFTcI0
!
ip subnet-zero
!
!
!
!
!
interface FastEthernet0/0
description CONNECTION TO LAN 40
ip address 172.16.40.1 255.255.255.0
no ip directed-broadcast
!
interface Serial0/0
description CONNECTION TO 2600C
ip address 172.16.20.2 255.255.255.0
no ip directed-broadcast
ip access-group 10 in
!
interface FastEthernet0/1
no ip address
no ip directed-broadcast
shutdown
!
interface Serial0/1
no ip address
no ip directed-broadcast
shutdown
!
router ospf 10
log-adjacency-changes
network 172.16.0.0 0.0.255.255 area 0
!
!
ip classless
no ip http server
!
!
access-list 10 deny 172.16.50.3
access-list 10 permit any
!
cdp timer 60
cdp holdtime 180
banner login ^C
THIS IS THE 2600A ROUTER
^C
!
line con 0
password 2600a
login
line aux 0
password 2600A
login
line vty 0 4
password 2600a
login
!
end

2600A#

With just the standard ACL it should just prevent 50.3 from being able to ping the 40.0 network, right? It should not prevent 2600A (40.0 network) from pinging 50.3? I am able to still ping 2600C (20.0). Keep in mind that I am using CCNA Virtual Lab software and not real routers.

Sorry I am just trying to get this right.

Thanks

Comptek
A+, Network+
 
Comptek,

This standard ACL will prevent the source 172.16.50.3 from doing ANYTHING through whatever interface it is applied!

access-list 10 deny 172.16.50.3
access-list 10 permit any

This ACL should not do anything else to any other device other than 50.3!

I know you are following a lab but remember that a Standard ACL should be placed as close to the destination as possible and Extended ACLs as close to the source as possible.

Hope this helps!


E.A. Broda
CCNA, CCDA, CCAI, Network +
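Added illustration, not part of the thread or the lab: a small Python model of how a standard ACL applied inbound on 2600A's s0/0 judges each half of a ping. The parser and the `ping` helper are constructed here (not IOS); the ACL and addresses come from the thread (172.16.50.3, 172.16.40.3, 172.16.20.2, 172.16.3.3). It shows that when 2600A itself pings 172.16.50.3, the echo reply enters s0/0 with 172.16.50.3 as its source and is matched by the deny entry, which is the behaviour the router's `.....` output above reflects.

```python
import ipaddress

# Constructed for this example: the ACL typed on 2600A in the thread.
ACL_2600A = [
    "access-list 10 deny host 172.16.50.3",
    "access-list 10 permit any",
]

def parse_standard_acl(lines):
    """Parse IOS-style standard ACL lines into (action, network) entries.
    Accepts 'host A.B.C.D', 'any', a bare 'A.B.C.D' (IOS treats it as a
    host) and 'A.B.C.D wildcard' with a contiguous wildcard mask."""
    entries = []
    for line in lines:
        parts = line.split()
        action, rest = parts[2], parts[3:]        # skip 'access-list', number
        if rest[0] == "any":
            net = ipaddress.IPv4Network("0.0.0.0/0")
        elif rest[0] == "host":
            net = ipaddress.IPv4Network(f"{rest[1]}/32")
        elif len(rest) == 2:
            # Wildcard bits set = "don't care"; invert to a subnet mask.
            # Non-contiguous wildcards raise NetmaskValueError here.
            mask = int(ipaddress.IPv4Address(rest[1])) ^ 0xFFFFFFFF
            net = ipaddress.IPv4Network(
                (rest[0], str(ipaddress.IPv4Address(mask))), strict=False)
        else:
            net = ipaddress.IPv4Network(f"{rest[0]}/32")
        entries.append((action, net))
    return entries

def match_source(entries, src):
    """A standard ACL checks only the source; no match = implicit deny."""
    addr = ipaddress.IPv4Address(src)
    for action, net in entries:
        if addr in net:
            return action
    return "deny"

def ping(entries, pinger, target, pinger_behind_acl):
    """Fate of one ping with `entries` applied INBOUND on the interface.
    pinger_behind_acl=True: the pinger is the router itself or on its LAN;
    its echo request leaves outbound (not inspected) but the echo reply
    comes back inbound sourced from `target` and is inspected.
    pinger_behind_acl=False: the echo request itself arrives inbound."""
    if pinger_behind_acl:
        inspected_src, victim = target, "echo-reply"
    else:
        inspected_src, victim = pinger, "echo-request"
    verdict = match_source(entries, inspected_src)
    return {"ok": verdict == "permit",
            "dropped": None if verdict == "permit" else victim}
```

Calling `ping(acl, "172.16.20.2", "172.16.50.3", True)` reports the reply dropped, while `ping(acl, "172.16.20.2", "172.16.3.3", True)` succeeds, matching the two ping sessions pasted in the thread.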
 