ACCESS CONTROL LISTS BASIC & EXTENDED PING

Posted on 2011-03-10
Last Modified: 2012-05-11
According to my instructions I should be able to 'ping' at privileged mode prior to adding the 'ACL', 'From Sanjose1' to 'Vista router - eth0 address x.x.x.x' - host PC connected after adding 'ACL', but I cannot. I don't think I should be able to ping the host PC on 'Vista', although yes, I can ping the 'Vista Eth0' interface.  What am I missing, or are my instructions wrong?  These are NOT real addresses, just test!!

Building configuration...

Current configuration : 918 bytes
!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname vista
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
ip subnet-zero
!
!
!
!
interface Ethernet0
 ip address 192.168.3.1 255.255.255.0
!
interface Serial0
 ip address 192.168.1.1 255.255.255.0
 clock rate 56000
!
interface Serial1
 ip address 192.168.2.1 255.255.255.0
 clock rate 56000
!
interface BRI0
 no ip address
 encapsulation hdlc
 shutdown
!
router rip
 version 1
 network 192.168.1.0
 network 192.168.2.0
 network 192.168.3.0
!
ip http server
ip classless
!
!
!
!
line con 0
line aux 0
line vty 0 4
!
end

vista#sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is not set

R    10.0.0.0/8 [120/1] via 192.168.1.2, 00:00:11, Serial0
                [120/1] via 192.168.2.2, 00:00:19, Serial1
C    192.168.1.0/24 is directly connected, Serial0
C    192.168.2.0/24 is directly connected, Serial1
C    192.168.3.0/24 is directly connected, Ethernet0
vista#sh ip int brief
Interface                  IP-Address      OK? Method Status                Protocol
BRI0                       unassigned      YES unset  administratively down down    
BRI0:1                     unassigned      YES unset  administratively down down    
BRI0:2                     unassigned      YES unset  administratively down down    
Ethernet0                  192.168.3.1     YES manual up                    up      
Serial0                    192.168.1.1     YES manual up                    up      
Serial1                    192.168.2.1     YES manual up                    up      
vista#

-----------------------------

Building configuration...

Current configuration : 523 bytes
!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname sanjose1
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
ip subnet-zero
!
!
!
!
interface Ethernet0
 ip address 10.0.0.1 255.255.255.0
!
interface Serial0
 ip address 192.168.1.2 255.255.255.0
!
interface Serial1
 no ip address
 shutdown
!
router rip
 version 1
 network 10.0.0.0
 network 192.168.1.0
!
ip http server
ip classless
!
!
!
!
line con 0
line aux 0
line vty 0 4
!
end

sanjose1#sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is not set

     10.0.0.0/24 is subnetted, 1 subnets
C       10.0.0.0 is directly connected, Ethernet0
C    192.168.1.0/24 is directly connected, Serial0
R    192.168.2.0/24 [120/1] via 192.168.1.1, 00:00:17, Serial0
                    [120/1] via 10.0.0.2, 00:00:23, Ethernet0
R    192.168.3.0/24 [120/1] via 192.168.1.1, 00:00:17, Serial0
sanjose1#sh ip int brief
Interface                  IP-Address      OK? Method Status                Protocol
Ethernet0                  10.0.0.1        YES manual up                    up      
Serial0                    192.168.1.2     YES manual up                    up      
Serial1                    unassigned      YES unset  administratively down down    
sanjose1#
-----------------------------

Building configuration...

Current configuration : 608 bytes
!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname sanjose2
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
ip subnet-zero
!
!
!
!
interface Ethernet0
 ip address 10.0.0.2 255.255.255.0
!
interface Serial0
 no ip address
 no fair-queue
!
interface Serial1
 ip address 192.168.2.2 255.255.255.0
!
interface BRI0
 no ip address
 encapsulation hdlc
 shutdown
!
router rip
 version 1
 network 10.0.0.0
 network 192.168.2.0
!
ip http server
ip classless
!
!
!
!
line con 0
 exec-timeout 0 0
line aux 0
line vty 0 4
!
end

sanjose2#sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is not set

     10.0.0.0/24 is subnetted, 1 subnets
C       10.0.0.0 is directly connected, Ethernet0
R    192.168.1.0/24 [120/1] via 192.168.2.1, 00:00:24, Serial1
                    [120/1] via 10.0.0.1, 00:00:05, Ethernet0
C    192.168.2.0/24 is directly connected, Serial1
R    192.168.3.0/24 [120/1] via 192.168.2.1, 00:00:24, Serial1
sanjose2#sh ip int bRief
Interface                  IP-Address      OK? Method Status                Protocol
BRI0                       unassigned      YES unset  administratively down down    
BRI0:1                     unassigned      YES unset  administratively down down    
BRI0:2                     unassigned      YES unset  administratively down down    
Ethernet0                  10.0.0.2        YES manual up                    up      
Serial0                    unassigned      YES manual down                  down    
Serial1                    192.168.2.2     YES manual up                    up      
sanjose2#
Question by: mikey250

Accepted Solution by: jmeggers
ID: 35097844
There are no ACLs applied in your configurations.  I'm not clear on what you're trying to accomplish, but if you configure a "deny" ACL and apply it to an interface, yes, it will block traffic.  If you're having difficulty pinging a host, many times the problem is routing, that there's no route in the routing table to get back to the source of the ICMP traffic.  If you're trying to ping a host, make sure there's no personal firewall configured on the host.

Author Comment by: mikey250
ID: 35098654
Apologies for missing off the 'ACL' config!!!

My question is: should I be able to ping from either sanjose1 or 2 to the Vista host PC specifically, or just to the Vista Eth0?

I think my instructions are wrong and that it should only be able to ping the Vista Eth0 interface and NOT the Vista host PC!!

The 'ACL' was added so that when I do an 'Extended ping from Sanjose1', i.e. target PC 192.168.3.2 & source 10.0.0.1, to simulate being on the 10.x.x.x network, it would NOT allow a successful ping.  Task 1 done.  So adding the 'ACL' is useless for my main question above at this point.

Building configuration...

Current configuration : 918 bytes
!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname vista
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
ip subnet-zero
!
!
!
!
interface Ethernet0
 ip address 192.168.3.1 255.255.255.0
 ip access-group 50 out
!
interface Serial0
 ip address 192.168.1.1 255.255.255.0
 clock rate 56000
!
interface Serial1
 ip address 192.168.2.1 255.255.255.0
 clock rate 56000
!
interface BRI0
 no ip address
 encapsulation hdlc
 shutdown
!
router rip
 version 1
 network 192.168.1.0
 network 192.168.2.0
 network 192.168.3.0
!
ip http server
ip classless
!
!
access-list 50 deny   10.0.0.0 0.0.0.255
access-list 50 permit any
!
!
line con 0
line aux 0
line vty 0 4
!
end

vista#sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is not set

R    10.0.0.0/8 [120/1] via 192.168.1.2, 00:00:11, Serial0
                [120/1] via 192.168.2.2, 00:00:19, Serial1
C    192.168.1.0/24 is directly connected, Serial0
C    192.168.2.0/24 is directly connected, Serial1
C    192.168.3.0/24 is directly connected, Ethernet0
vista#sh ip int brief
Interface                  IP-Address      OK? Method Status                Protocol
BRI0                       unassigned      YES unset  administratively down down    
BRI0:1                     unassigned      YES unset  administratively down down    
BRI0:2                     unassigned      YES unset  administratively down down    
Ethernet0                  192.168.3.1     YES manual up                    up      
Serial0                    192.168.1.1     YES manual up                    up      
Serial1                    192.168.2.1     YES manual up                    up      
vista#

Author Comment by: mikey250
ID: 35098669
I have no firewall on my standalone PC!

Assisted Solution by: jmeggers
ID: 35108397
If you're blocking anything sourced from 10.0.0.0 out the Eth interface, then that should prevent ICMP traffic sourced from 10.0.0.0/24 from getting to the host that's connected on that interface.  You should still be able to ping the router interface itself.
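To make the two replies above concrete, here is an added Python model of how `access-list 50`, bound with `ip access-group 50 out` under vista's Ethernet0, is evaluated. It is not code from the thread and only approximates IOS behaviour. The interface addresses and routes are taken from the vista config posted above (the equal-cost 10.0.0.0/8 route is reduced to its Serial0 path); the host address 192.168.3.2 is the one mikey250 names. The model encodes three IOS facts: a standard ACL matches on source address only, through the wildcard mask; an outbound interface ACL applies to transit packets forwarded out that interface, not to packets addressed to the router itself; and a plain `ping` is sourced from the egress interface (from sanjose1 that is Serial0, 192.168.1.2), so only the extended ping with source 10.0.0.1 is caught by the deny.

```python
"""Added model of a Cisco standard ACL applied outbound on an interface (simplified)."""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class AclEntry:
    action: str     # "permit" or "deny"
    network: int    # address from the access-list line, as a 32-bit integer
    wildcard: int   # Cisco wildcard mask: 0 bits must match, 1 bits are don't-care

    def matches(self, src: str) -> bool:
        care = ~self.wildcard & 0xFFFFFFFF
        return (int(ipaddress.IPv4Address(src)) & care) == (self.network & care)


def parse_standard_acl(lines):
    """Parse 'access-list N permit|deny any | host A | A W' lines into entries."""
    entries = []
    for line in lines:
        p = line.split()
        if len(p) < 4 or p[0] != "access-list":
            continue
        action, target = p[2], p[3]
        if target == "any":
            entries.append(AclEntry(action, 0, 0xFFFFFFFF))
        elif target == "host":
            entries.append(AclEntry(action, int(ipaddress.IPv4Address(p[4])), 0))
        else:
            wc = int(ipaddress.IPv4Address(p[4])) if len(p) > 4 else 0
            entries.append(AclEntry(action, int(ipaddress.IPv4Address(target)), wc))
    return entries


def evaluate_acl(entries, src):
    """Standard ACLs look only at the source; first match wins; implicit deny at the end."""
    for e in entries:
        if e.matches(src):
            return e.action
    return "deny"


@dataclass
class Router:
    interfaces: dict                                # name -> IPv4 address
    routes: list                                    # (prefix, egress interface)
    out_acls: dict = field(default_factory=dict)    # name -> ACL entries bound outbound

    def egress_for(self, dst):
        """Longest-prefix match over the route table; None when there is no route."""
        d = ipaddress.IPv4Address(dst)
        best = None
        for prefix, iface in self.routes:
            net = ipaddress.IPv4Network(prefix)
            if d in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, iface)
        return best[1] if best else None

    def forward(self, src, dst):
        """Return (egress interface, verdict) for a packet the router receives."""
        # Traffic addressed to one of the router's own interfaces is handled by the
        # router; it is never forwarded out an interface, so no outbound ACL applies.
        if dst in self.interfaces.values():
            return ("local", "permit")
        iface = self.egress_for(dst)
        if iface is None:
            return (None, "no route")      # the other usual suspect: a missing route
        if iface not in self.out_acls:
            return (iface, "permit")       # nothing bound outbound on this interface
        return (iface, evaluate_acl(self.out_acls[iface], src))


# Values below are taken from the vista config and route table posted in the thread.
ACL_50 = parse_standard_acl([
    "access-list 50 deny   10.0.0.0 0.0.0.255",
    "access-list 50 permit any",
])

VISTA = Router(
    interfaces={"Ethernet0": "192.168.3.1", "Serial0": "192.168.1.1", "Serial1": "192.168.2.1"},
    routes=[("10.0.0.0/8", "Serial0"), ("192.168.1.0/24", "Serial0"),
            ("192.168.2.0/24", "Serial1"), ("192.168.3.0/24", "Ethernet0")],
    out_acls={"Ethernet0": ACL_50},   # 'ip access-group 50 out' under interface Ethernet0
)

HOST_PC = "192.168.3.2"   # the host behind vista Eth0 named in the question


if __name__ == "__main__":
    # Extended ping from sanjose1 with source 10.0.0.1: egress Ethernet0, ACL 50 denies.
    print("extended ping 10.0.0.1 -> host PC:", VISTA.forward("10.0.0.1", HOST_PC))
    # Plain ping from sanjose1 is sourced from its Serial0 (192.168.1.2): ACL 50 permits.
    print("plain ping 192.168.1.2 -> host PC:", VISTA.forward("192.168.1.2", HOST_PC))
    # Ping to vista's own Eth0 address: handled locally, the outbound ACL is never consulted.
    print("10.0.0.1 -> vista Eth0:", VISTA.forward("10.0.0.1", "192.168.3.1"))
```

Running it shows the three outcomes the thread argues over: the 10.0.0.1-sourced echo to the host is dropped at Ethernet0, the same echo to 192.168.3.1 is answered because it never crosses the outbound ACL, and a plain ping from sanjose1 still reaches the host because its source address is 192.168.1.2, which ACL 50 permits.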

Author Comment by: mikey250
ID: 35110048
Yes, I can ping the router itself!  It was only because my instructions said I should be able to 'ping' the 'Vista host PC', ALTHOUGH I DO NOT BELIEVE I SHOULD, in which case, as you suggest, I SHOULD ONLY BE ABLE TO PING THE VISTA INTERFACE.  If what I say is true then my config WITHOUT adding the 'ACL' is OK and my INSTRUCTIONS are WRONG regarding pinging the Vista eth0 HOST PC specifically!!  This is what I'm checking on?

Author Closing Comment by: mikey250
ID: 35255343
It's obviously my instructions that appear incorrect, only in this situation.