Help with Cisco packet tracer ACL 1

[Griffin84]

Hi, I'll start with an apology as I am almost a total noob.

I am doing a project for my final year in college and need to configure a network using packet tracer (I have limited experience with this only static & rip etc) and as part of the project I have to set up a system one router, two switches and create some type of ACL between the two switches. I am looking for advise on what commands to use and/or and other way I could configure this. the rest of the network is simply going to be configured using static routes. Thanks in advance and again sorry!

 

[cisconooblet]

A simple acl between the two routers will do the trick.

TampaRtr1#show run
Building configuration...

Current configuration : 828 bytes
!
version 12.2
no service timestamps log datetime msec
no service timestamps debug datetime msec
no service password-encryption
!
hostname TampaRtr1
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
interface FastEthernet0/0
ip address 192.168.2.1 255.255.255.0
duplex auto
speed auto
!
interface FastEthernet1/0
ip address 192.168.1.1 255.255.255.0
ip access-group 101 in
duplex auto
speed auto
!
ip classless
!
!
access-list 101 deny ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 101 permit ip any any
!
!
!
!
!
line con 0
line vty 0 4
login
!
!
!
end

CCNA, BCNE, Security+, Network +

 

[Griffin84]

Hey,
thanks very much I assume it's just the same with two switches then.

 

[cisconooblet]

Switch1 ---> Router <--- Switch2


Hang one switch off of FA0/0 and the other off FA1/0. Give the the appropriate ip ranges on each switch.... very simple setup. One range of ip's on one switch...the other range of ip's on the other.

CCNA, BCNE, Security+, Network +

 

[Griffin84]

Hi,

I know I'm just not getting this somehow, but would appreciate some further help. I setup a test network in packet tracer and used the ACL as you suggested but it is still allowing traffic both ways, I've included the router configuration below, if someone could help me a little bit more I would appreciate it.

Current configuration : 762 bytes
!
version 12.2
no service timestamps log datetime msec
no service timestamps debug datetime msec
no service password-encryption
!
hostname Router
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
interface FastEthernet0/0
ip address 199.16.0.1 255.255.128.0
ip access-group 3 in
duplex auto
speed auto
!
interface FastEthernet1/0
ip address 199.16.128.1 255.255.128.0
duplex auto
speed auto
!
interface Serial2/0
no ip address
ipv6 ospf cost 781
shutdown
!
interface Serial3/0
no ip address
ipv6 ospf cost 781
shutdown
!
interface FastEthernet4/0
no ip address
shutdown
!
interface FastEthernet5/0
no ip address
shutdown
!
ip classless
!
!
access-list 3 deny 166.16.128.0 0.0.0.255
access-list 3 permit any
!
!
!
!
!
line con 0
line vty 0 4
login
!
!
!
end

 

[Griffin84]

sorry ignore the above config file below is the correct one


Router#show run
Building configuration...

Current configuration : 848 bytes
!
version 12.2
no service timestamps log datetime msec
no service timestamps debug datetime msec
no service password-encryption
!
hostname Router
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
interface FastEthernet0/0
ip address 199.16.2.1 255.255.255.0
duplex auto
speed auto
!
interface FastEthernet1/0
ip address 199.16.1.1 255.255.255.0
ip access-group 101 in
duplex auto
speed auto
!
interface Serial2/0
no ip address
ipv6 ospf cost 781
shutdown
!
interface Serial3/0
no ip address
ipv6 ospf cost 781
shutdown
!
interface FastEthernet4/0
no ip address
shutdown
!
interface FastEthernet5/0
no ip address
shutdown
!
router rip
network 199.16.1.0
network 199.16.2.0
!
ip classless
!
!
access-list 101 deny ip 199.16.1.0 0.0.0.255 199.16.2.0 0.0.0.255
access-list 101 permit ip any any
!
!
!
!
!
line con 0
line vty 0 4
login
!
!
!
end

 

[cisconooblet]

In packet tracer...change the mode to simulation from real time. (My version has a little tab for it in the bottom right hand corner of the screen) Then open your end user device on the 199.16.1.X side of the route and ping the 199.16.2.X side end user device. Minimize the ping window. Then click the "Capture Forward" button in the simulation window. You can then just step the packet through each step of the network and see whats happening at each point. Once the packet gets to the router it should match your acl and be dropped. If not it should give you a better understanding of what is happening.

CCNA, BCNE, Security+, Network +

 

[Griffin84]

Hey thanks for the help, my ACL was working fine from the code you provided I just hadn't permitted ICMP!