• Status: Solved

ACCESS CONTROL LISTS BASIC & EXTENDED PING

According to my instructions I should be able to 'ping' at privileged mode, prior to adding the 'ACL', 'From Sanjose1' to 'Vista router - eth0 address x.x.x.x' - host PC connected after adding the 'ACL', but I cannot. I don't think I should be able to ping the host PC on 'Vista', although yes, I can ping the 'Vista Eth0' interface. What am I missing, or are my instructions wrong? These are NOT real addresses, just test!!

Building configuration...

Current configuration : 918 bytes
!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname vista
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
ip subnet-zero
!
!
!
!
interface Ethernet0
 ip address 192.168.3.1 255.255.255.0
!
interface Serial0
 ip address 192.168.1.1 255.255.255.0
 clock rate 56000
!
interface Serial1
 ip address 192.168.2.1 255.255.255.0
 clock rate 56000
!
interface BRI0
 no ip address
 encapsulation hdlc
 shutdown
!
router rip
 version 1
 network 192.168.1.0
 network 192.168.2.0
 network 192.168.3.0
!
ip http server
ip classless
!
!
!
!
line con 0
line aux 0
line vty 0 4
!
end

vista#sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is not set

R    10.0.0.0/8 [120/1] via 192.168.1.2, 00:00:11, Serial0
                [120/1] via 192.168.2.2, 00:00:19, Serial1
C    192.168.1.0/24 is directly connected, Serial0
C    192.168.2.0/24 is directly connected, Serial1
C    192.168.3.0/24 is directly connected, Ethernet0
vista#sh ip int brief
Interface                  IP-Address      OK? Method Status                Protocol
BRI0                       unassigned      YES unset  administratively down down    
BRI0:1                     unassigned      YES unset  administratively down down    
BRI0:2                     unassigned      YES unset  administratively down down    
Ethernet0                  192.168.3.1     YES manual up                    up      
Serial0                    192.168.1.1     YES manual up                    up      
Serial1                    192.168.2.1     YES manual up                    up      
vista#

-----------------------------

Building configuration...

Current configuration : 523 bytes
!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname sanjose1
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
ip subnet-zero
!
!
!
!
interface Ethernet0
 ip address 10.0.0.1 255.255.255.0
!
interface Serial0
 ip address 192.168.1.2 255.255.255.0
!
interface Serial1
 no ip address
 shutdown
!
router rip
 version 1
 network 10.0.0.0
 network 192.168.1.0
!
ip http server
ip classless
!
!
!
!
line con 0
line aux 0
line vty 0 4
!
end

sanjose1#sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is not set

     10.0.0.0/24 is subnetted, 1 subnets
C       10.0.0.0 is directly connected, Ethernet0
C    192.168.1.0/24 is directly connected, Serial0
R    192.168.2.0/24 [120/1] via 192.168.1.1, 00:00:17, Serial0
                    [120/1] via 10.0.0.2, 00:00:23, Ethernet0
R    192.168.3.0/24 [120/1] via 192.168.1.1, 00:00:17, Serial0
sanjose1#sh ip int brief
Interface                  IP-Address      OK? Method Status                Protocol
Ethernet0                  10.0.0.1        YES manual up                    up      
Serial0                    192.168.1.2     YES manual up                    up      
Serial1                    unassigned      YES unset  administratively down down    
sanjose1#
-----------------------------

Building configuration...

Current configuration : 608 bytes
!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname sanjose2
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
ip subnet-zero
!
!
!
!
interface Ethernet0
 ip address 10.0.0.2 255.255.255.0
!
interface Serial0
 no ip address
 no fair-queue
!
interface Serial1
 ip address 192.168.2.2 255.255.255.0
!
interface BRI0
 no ip address
 encapsulation hdlc
 shutdown
!
router rip
 version 1
 network 10.0.0.0
 network 192.168.2.0
!
ip http server
ip classless
!
!
!
!
line con 0
 exec-timeout 0 0
line aux 0
line vty 0 4
!
end

sanjose2#sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is not set

     10.0.0.0/24 is subnetted, 1 subnets
C       10.0.0.0 is directly connected, Ethernet0
R    192.168.1.0/24 [120/1] via 192.168.2.1, 00:00:24, Serial1
                    [120/1] via 10.0.0.1, 00:00:05, Ethernet0
C    192.168.2.0/24 is directly connected, Serial1
R    192.168.3.0/24 [120/1] via 192.168.2.1, 00:00:24, Serial1
sanjose2#sh ip int bRief
Interface                  IP-Address      OK? Method Status                Protocol
BRI0                       unassigned      YES unset  administratively down down    
BRI0:1                     unassigned      YES unset  administratively down down    
BRI0:2                     unassigned      YES unset  administratively down down    
Ethernet0                  10.0.0.2        YES manual up                    up      
Serial0                    unassigned      YES manual down                  down    
Serial1                    192.168.2.2     YES manual up                    up      
sanjose2#
Asked by: mikey250

2 Solutions
jmeggers (Sr. Network and Security Engineer) commented:
There are no ACLs applied in your configurations.  I'm not clear on what you're trying to accomplish, but if you configure a "deny" ACL and apply it to an interface, yes, it will block traffic.  If you're having difficulty pinging a host, many times the problem is routing, that there's no route in the routing table to get back to the source of the ICMP traffic.  If you're trying to ping a host, make sure there's no personal firewall configured on the host.
mikey250 (Author) commented:
Apologies for missing off the 'ACL' config!!!

My question is: should I be able to ping from either sanjose1 or 2 to the Vista host PC specifically, or just to the Vista Eth0?

I think my instructions are wrong and that it should only be able to ping the Vista Eth0 interface and NOT the Vista host PC!!

The 'ACL' was added so that when I do an 'Extended ping from Sanjose1', i.e. target PC 192.168.3.2 & source: 10.0.0.1 to simulate being on the 10.x.x.x network, it would NOT allow a successful ping. Task 1 done. So adding the 'ACL' due to my main question above is useless at this point.

Building configuration...

Current configuration : 918 bytes
!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname vista
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
ip subnet-zero
!
!
!
!
interface Ethernet0
 ip address 192.168.3.1 255.255.255.0
 ip access-group 50 out
!
interface Serial0
 ip address 192.168.1.1 255.255.255.0
 clock rate 56000
!
interface Serial1
 ip address 192.168.2.1 255.255.255.0
 clock rate 56000
!
interface BRI0
 no ip address
 encapsulation hdlc
 shutdown
!
router rip
 version 1
 network 192.168.1.0
 network 192.168.2.0
 network 192.168.3.0
!
ip http server
ip classless
!
!
access-list 50 deny   10.0.0.0 0.0.0.255
access-list 50 permit any
!
!
line con 0
line aux 0
line vty 0 4
!
end

vista#sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is not set

R    10.0.0.0/8 [120/1] via 192.168.1.2, 00:00:11, Serial0
                [120/1] via 192.168.2.2, 00:00:19, Serial1
C    192.168.1.0/24 is directly connected, Serial0
C    192.168.2.0/24 is directly connected, Serial1
C    192.168.3.0/24 is directly connected, Ethernet0
vista#sh ip int brief
Interface                  IP-Address      OK? Method Status                Protocol
BRI0                       unassigned      YES unset  administratively down down    
BRI0:1                     unassigned      YES unset  administratively down down    
BRI0:2                     unassigned      YES unset  administratively down down    
Ethernet0                  192.168.3.1     YES manual up                    up      
Serial0                    192.168.1.1     YES manual up                    up      
Serial1                    192.168.2.1     YES manual up                    up      
vista#
mikey250 (Author) commented:
I have no firewall on my standalone PC!
jmeggers (Sr. Network and Security Engineer) commented:
If you're blocking anything sourced from 10.0.0.0 out the Eth interface, then that should prevent ICMP traffic sourced from 10.0.0.0/24 from getting to the host that's connected on that interface.  You should still be able to ping the router interface itself.
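To make the point concrete, here is an added Python model (not code from the thread or from Cisco IOS) of how vista handles an echo request: a standard ACL checks only the source address with Cisco wildcard semantics, an outbound interface ACL is consulted only for packets forwarded out that interface, and packets addressed to the router itself never reach it. The routing table and access-list 50 are transcribed from the configurations posted above; the function names and the 172.16.0.1 test address are my own.

```python
import ipaddress

# Constructed for this example from vista's posted config and "sh ip route" output.
ROUTER_ADDRESSES = {"192.168.3.1", "192.168.1.1", "192.168.2.1"}
ROUTES = {"10.0.0.0/8": "Serial0", "192.168.1.0/24": "Serial0",
          "192.168.2.0/24": "Serial1", "192.168.3.0/24": "Ethernet0"}
# access-list 50 as posted, applied with "ip access-group 50 out" on Ethernet0.
ACL_50 = ["access-list 50 deny   10.0.0.0 0.0.0.255", "access-list 50 permit any"]
OUTBOUND_ACL = {"Ethernet0": ACL_50}

def wildcard_match(addr, network, wildcard):
    """Cisco wildcard semantics: a 0 bit must match, a 1 bit is a don't-care."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    w = int(ipaddress.IPv4Address(wildcard))
    return a & ~w == n & ~w

def standard_acl_action(acl, src):
    """Standard ACLs test only the source; anything unmatched hits the implicit deny."""
    for line in acl:
        fields = line.split()  # ['access-list', '50', 'deny', '10.0.0.0', '0.0.0.255']
        action, target = fields[2], fields[3]
        if target == "any":
            return action
        wildcard = fields[4] if len(fields) > 4 else "0.0.0.0"  # no mask = single host
        if wildcard_match(src, target, wildcard):
            return action
    return "deny"

def egress_interface(dst):
    """Longest-prefix match over the constructed routing table."""
    d = ipaddress.IPv4Address(dst)
    matches = [ipaddress.IPv4Network(p) for p in ROUTES if d in ipaddress.IPv4Network(p)]
    best = max(matches, key=lambda n: n.prefixlen, default=None)
    return ROUTES[str(best)] if best else None

def ping_outcome(src, dst):
    """Outcome of an echo request arriving at vista: 'reply', 'acl-denied' or 'no-route'."""
    if dst in ROUTER_ADDRESSES:
        # Packets for the router itself are never forwarded out an interface, so an
        # outbound interface ACL is never consulted: the ping to 192.168.3.1 succeeds.
        return "reply"
    iface = egress_interface(dst)
    if iface is None:
        return "no-route"
    acl = OUTBOUND_ACL.get(iface)
    if acl and standard_acl_action(acl, src) == "deny":
        return "acl-denied"  # dropped on the way out; the source never sees a reply
    return "reply"
```

Running `ping_outcome("10.0.0.1", "192.168.3.2")` gives `acl-denied` while `ping_outcome("10.0.0.1", "192.168.3.1")` gives `reply`, which is exactly the behaviour described in the thread; a normal ping sourced from Serial0 (192.168.1.2) to the host still gets a reply.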
mikey250 (Author) commented:
Yes, I can ping the router itself! It was only because my instructions said I should be able to 'ping' the 'Vista host PC', ALTHOUGH I DO NOT BELIEVE I SHOULD, in which case, as you suggest, I SHOULD ONLY BE ABLE TO PING THE VISTA INTERFACE. If what I say is true then my config WITHOUT adding the 'ACL' is OK and my INSTRUCTIONS are WRONG regarding pinging the Vista eth0 HOST PC specifically!! This is what I'm checking on.
mikey250 (Author) commented:
It's obviously my instructions that appear incorrect, only in this situation.