ACCESS CONTROL LISTS BASIC & EXTENDED PING

Posted on 2011-03-10
Last Modified: 2012-05-11
According to my instructions I should be able to 'ping' at privileged mode prior to adding the 'ACL', 'From Sanjose1' to 'Vista router - eth0 address x.x.x.x' - host PC connected after adding 'ACL', but I cannot. I don't think I should be able to ping the host PC on 'Vista', although yes, I can ping the 'Vista Eth0' interface.  What am I missing, or are my instructions wrong?  These are NOT real addresses, just test!!

Building configuration...

Current configuration : 918 bytes
!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname vista
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
ip subnet-zero
!
!
!
!
interface Ethernet0
 ip address 192.168.3.1 255.255.255.0
!
interface Serial0
 ip address 192.168.1.1 255.255.255.0
 clock rate 56000
!
interface Serial1
 ip address 192.168.2.1 255.255.255.0
 clock rate 56000
!
interface BRI0
 no ip address
 encapsulation hdlc
 shutdown
!
router rip
 version 1
 network 192.168.1.0
 network 192.168.2.0
 network 192.168.3.0
!
ip http server
ip classless
!
!
!
!
line con 0
line aux 0
line vty 0 4
!
end

vista#sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is not set

R    10.0.0.0/8 [120/1] via 192.168.1.2, 00:00:11, Serial0
                [120/1] via 192.168.2.2, 00:00:19, Serial1
C    192.168.1.0/24 is directly connected, Serial0
C    192.168.2.0/24 is directly connected, Serial1
C    192.168.3.0/24 is directly connected, Ethernet0
vista#sh ip int brief
Interface                  IP-Address      OK? Method Status                Protocol
BRI0                       unassigned      YES unset  administratively down down    
BRI0:1                     unassigned      YES unset  administratively down down    
BRI0:2                     unassigned      YES unset  administratively down down    
Ethernet0                  192.168.3.1     YES manual up                    up      
Serial0                    192.168.1.1     YES manual up                    up      
Serial1                    192.168.2.1     YES manual up                    up      
vista#

-----------------------------

Building configuration...

Current configuration : 523 bytes
!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname sanjose1
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
ip subnet-zero
!
!
!
!
interface Ethernet0
 ip address 10.0.0.1 255.255.255.0
!
interface Serial0
 ip address 192.168.1.2 255.255.255.0
!
interface Serial1
 no ip address
 shutdown
!
router rip
 version 1
 network 10.0.0.0
 network 192.168.1.0
!
ip http server
ip classless
!
!
!
!
line con 0
line aux 0
line vty 0 4
!
end

sanjose1#sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is not set

     10.0.0.0/24 is subnetted, 1 subnets
C       10.0.0.0 is directly connected, Ethernet0
C    192.168.1.0/24 is directly connected, Serial0
R    192.168.2.0/24 [120/1] via 192.168.1.1, 00:00:17, Serial0
                    [120/1] via 10.0.0.2, 00:00:23, Ethernet0
R    192.168.3.0/24 [120/1] via 192.168.1.1, 00:00:17, Serial0
sanjose1#sh ip int brief
Interface                  IP-Address      OK? Method Status                Protocol
Ethernet0                  10.0.0.1        YES manual up                    up      
Serial0                    192.168.1.2     YES manual up                    up      
Serial1                    unassigned      YES unset  administratively down down    
sanjose1#
-----------------------------

Building configuration...

Current configuration : 608 bytes
!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname sanjose2
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
ip subnet-zero
!
!
!
!
interface Ethernet0
 ip address 10.0.0.2 255.255.255.0
!
interface Serial0
 no ip address
 no fair-queue
!
interface Serial1
 ip address 192.168.2.2 255.255.255.0
!
interface BRI0
 no ip address
 encapsulation hdlc
 shutdown
!
router rip
 version 1
 network 10.0.0.0
 network 192.168.2.0
!
ip http server
ip classless
!
!
!
!
line con 0
 exec-timeout 0 0
line aux 0
line vty 0 4
!
end

sanjose2#sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is not set

     10.0.0.0/24 is subnetted, 1 subnets
C       10.0.0.0 is directly connected, Ethernet0
R    192.168.1.0/24 [120/1] via 192.168.2.1, 00:00:24, Serial1
                    [120/1] via 10.0.0.1, 00:00:05, Ethernet0
C    192.168.2.0/24 is directly connected, Serial1
R    192.168.3.0/24 [120/1] via 192.168.2.1, 00:00:24, Serial1
sanjose2#sh ip int bRief
Interface                  IP-Address      OK? Method Status                Protocol
BRI0                       unassigned      YES unset  administratively down down    
BRI0:1                     unassigned      YES unset  administratively down down    
BRI0:2                     unassigned      YES unset  administratively down down    
Ethernet0                  10.0.0.2        YES manual up                    up      
Serial0                    unassigned      YES manual down                  down    
Serial1                    192.168.2.2     YES manual up                    up      
sanjose2#
Question by: mikey250

Accepted Solution
by: jmeggers
ID: 35097844
There are no ACLs applied in your configurations.  I'm not clear on what you're trying to accomplish, but if you configure a "deny" ACL and apply it to an interface, yes, it will block traffic.  If you're having difficulty pinging a host, many times the problem is routing, that there's no route in the routing table to get back to the source of the ICMP traffic.  If you're trying to ping a host, make sure there's no personal firewall configured on the host.

Author Comment
by: mikey250
ID: 35098654
Apologies for missing off the 'ACL' config!!!

My question is: should I be able to ping from either sanjose1 or 2 to the Vista host PC specifically, or just to the Vista Eth0?

I think my instructions are wrong and that it should only be able to ping to the Vista Eth0 interface and NOT the Vista host PC!!

The 'ACL' was added so that when I do an 'Extended ping from Sanjose1', i.e. target PC 192.168.3.2 & source: 10.0.0.1 to simulate being on the 10.x.x.x network, it would NOT allow a successful ping.  Task 1 done.  So adding the 'ACL', due to my main question above, is useless at this point.

Building configuration...

Current configuration : 918 bytes
!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname vista
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
ip subnet-zero
!
!
!
!
interface Ethernet0
 ip address 192.168.3.1 255.255.255.0
 ip access-group 50 out
!
interface Serial0
 ip address 192.168.1.1 255.255.255.0
 clock rate 56000
!
interface Serial1
 ip address 192.168.2.1 255.255.255.0
 clock rate 56000
!
interface BRI0
 no ip address
 encapsulation hdlc
 shutdown
!
router rip
 version 1
 network 192.168.1.0
 network 192.168.2.0
 network 192.168.3.0
!
ip http server
ip classless
!
!
access-list 50 deny   10.0.0.0 0.0.0.255
access-list 50 permit any
!
!
line con 0
line aux 0
line vty 0 4
!
end

vista#sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is not set

R    10.0.0.0/8 [120/1] via 192.168.1.2, 00:00:11, Serial0
                [120/1] via 192.168.2.2, 00:00:19, Serial1
C    192.168.1.0/24 is directly connected, Serial0
C    192.168.2.0/24 is directly connected, Serial1
C    192.168.3.0/24 is directly connected, Ethernet0
vista#sh ip int brief
Interface                  IP-Address      OK? Method Status                Protocol
BRI0                       unassigned      YES unset  administratively down down    
BRI0:1                     unassigned      YES unset  administratively down down    
BRI0:2                     unassigned      YES unset  administratively down down    
Ethernet0                  192.168.3.1     YES manual up                    up      
Serial0                    192.168.1.1     YES manual up                    up      
Serial1                    192.168.2.1     YES manual up                    up      
vista#

Author Comment
by: mikey250
ID: 35098669
I have no firewall on my standalone PC!

Assisted Solution
by: jmeggers
ID: 35108397
If you're blocking anything sourced from 10.0.0.0 out the Eth interface, then that should prevent ICMP traffic sourced from 10.0.0.0/24 from getting to the host that's connected on that interface.  You should still be able to ping the router interface itself.
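To make the accepted explanation concrete, here is an added Python model (not code from this thread or from Cisco) of how vista's standard ACL 50, applied outbound on Ethernet0, treats the basic ping, the extended ping sourced from 10.0.0.1, and the ping to vista's own Eth0 address. It uses the addresses from the configs above; the function names and the simplified forwarding decision are my own assumptions.

```python
import ipaddress

# Standard ACL 50 as configured on vista: entries match on SOURCE only.
ACL_50 = [
    ("deny", "10.0.0.0", "0.0.0.255"),
    ("permit", "any", None),
]

# vista's own interface addresses and the LAN behind Ethernet0 (from the configs above).
VISTA_ADDRS = {"192.168.3.1", "192.168.1.1", "192.168.2.1"}
ETH0_LAN = ipaddress.ip_network("192.168.3.0/24")


def wildcard_match(addr, base, wildcard):
    """Cisco wildcard mask: a 0 bit must match the base, a 1 bit is ignored."""
    a = int(ipaddress.ip_address(addr))
    b = int(ipaddress.ip_address(base))
    w = int(ipaddress.ip_address(wildcard))
    return ((a ^ b) & ~w) == 0


def acl_action(acl, src):
    """Top-down evaluation; first matching entry wins, implicit deny at the end."""
    for action, base, wildcard in acl:
        if base == "any" or wildcard_match(src, base, wildcard):
            return action
    return "deny"


def vista_handles(src, dst):
    """What vista does with an echo request arriving on a serial link.

    'ip access-group 50 out' on Ethernet0 only sees packets the router
    FORWARDS out that interface. A packet addressed to one of vista's own
    interfaces is delivered to the router itself and never hits that ACL,
    which is why the interface stays pingable while the host does not.
    """
    if dst in VISTA_ADDRS:
        return "to-router"
    if ipaddress.ip_address(dst) in ETH0_LAN:
        return "forward-eth0" if acl_action(ACL_50, src) == "permit" else "dropped-by-acl-50"
    return "forward-other"


def ping_results():
    """The three pings from the thread: basic ping (sourced from sanjose1's
    Serial0), extended ping sourced from 10.0.0.1, and ping to vista Eth0."""
    return {
        "basic 192.168.1.2 -> host 192.168.3.2": vista_handles("192.168.1.2", "192.168.3.2"),
        "extended 10.0.0.1 -> host 192.168.3.2": vista_handles("10.0.0.1", "192.168.3.2"),
        "extended 10.0.0.1 -> vista eth0 192.168.3.1": vista_handles("10.0.0.1", "192.168.3.1"),
    }
```

A standard ACL has no notion of ICMP, so the deny drops everything sourced from 10.0.0.0/24 that would leave Ethernet0, not just the ping; the reply direction (host back to 10.0.0.1) enters Ethernet0 inbound, where no ACL is applied.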

Author Comment
by: mikey250
ID: 35110048
Yes, I can ping the router itself!  It was only because my instructions said I should be able to 'ping' the 'Vista host PC', ALTHOUGH I DO NOT BELIEVE I SHOULD, in which case, as you suggest, I SHOULD ONLY BE ABLE TO PING THE VISTA INTERFACE.  If what I say is true then my config WITHOUT adding the 'ACL' is OK and my INSTRUCTIONS are WRONG regarding pinging the Vista eth0 HOST PC specifically!!  This is what I'm checking on.

Author Closing Comment
by: mikey250
ID: 35255343
It's obviously my instructions that appear incorrect, only in this situation.