Solved

ACCESS CONTROL LISTS BASIC & EXTENDED PING

Posted on 2011-03-10
400 Views
Last Modified: 2012-05-11
According to my instructions I should be able to 'ping' in privileged mode, prior to adding the 'ACL', from Sanjose1 to the 'Vista router - eth0 address x.x.x.x' and to the host PC connected after adding the 'ACL', but I cannot. I don't think I should be able to ping the host PC on 'Vista', although yes, I can ping the 'Vista Eth0' interface. What am I missing, or are my instructions wrong? These are NOT real addresses, just test!!

Building configuration...

Current configuration : 918 bytes
!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname vista
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
ip subnet-zero
!
!
!
!
interface Ethernet0
 ip address 192.168.3.1 255.255.255.0
!
interface Serial0
 ip address 192.168.1.1 255.255.255.0
 clock rate 56000
!
interface Serial1
 ip address 192.168.2.1 255.255.255.0
 clock rate 56000
!
interface BRI0
 no ip address
 encapsulation hdlc
 shutdown
!
router rip
 version 1
 network 192.168.1.0
 network 192.168.2.0
 network 192.168.3.0
!
ip http server
ip classless
!
!
!
!
line con 0
line aux 0
line vty 0 4
!
end

vista#sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is not set

R    10.0.0.0/8 [120/1] via 192.168.1.2, 00:00:11, Serial0
                [120/1] via 192.168.2.2, 00:00:19, Serial1
C    192.168.1.0/24 is directly connected, Serial0
C    192.168.2.0/24 is directly connected, Serial1
C    192.168.3.0/24 is directly connected, Ethernet0
vista#sh ip int brief
Interface                  IP-Address      OK? Method Status                Protocol
BRI0                       unassigned      YES unset  administratively down down    
BRI0:1                     unassigned      YES unset  administratively down down    
BRI0:2                     unassigned      YES unset  administratively down down    
Ethernet0                  192.168.3.1     YES manual up                    up      
Serial0                    192.168.1.1     YES manual up                    up      
Serial1                    192.168.2.1     YES manual up                    up      
vista#

-----------------------------

Building configuration...

Current configuration : 523 bytes
!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname sanjose1
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
ip subnet-zero
!
!
!
!
interface Ethernet0
 ip address 10.0.0.1 255.255.255.0
!
interface Serial0
 ip address 192.168.1.2 255.255.255.0
!
interface Serial1
 no ip address
 shutdown
!
router rip
 version 1
 network 10.0.0.0
 network 192.168.1.0
!
ip http server
ip classless
!
!
!
!
line con 0
line aux 0
line vty 0 4
!
end

sanjose1#sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is not set

     10.0.0.0/24 is subnetted, 1 subnets
C       10.0.0.0 is directly connected, Ethernet0
C    192.168.1.0/24 is directly connected, Serial0
R    192.168.2.0/24 [120/1] via 192.168.1.1, 00:00:17, Serial0
                    [120/1] via 10.0.0.2, 00:00:23, Ethernet0
R    192.168.3.0/24 [120/1] via 192.168.1.1, 00:00:17, Serial0
sanjose1#sh ip int brief
Interface                  IP-Address      OK? Method Status                Protocol
Ethernet0                  10.0.0.1        YES manual up                    up      
Serial0                    192.168.1.2     YES manual up                    up      
Serial1                    unassigned      YES unset  administratively down down    
sanjose1#
-----------------------------

Building configuration...

Current configuration : 608 bytes
!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname sanjose2
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
ip subnet-zero
!
!
!
!
interface Ethernet0
 ip address 10.0.0.2 255.255.255.0
!
interface Serial0
 no ip address
 no fair-queue
!
interface Serial1
 ip address 192.168.2.2 255.255.255.0
!
interface BRI0
 no ip address
 encapsulation hdlc
 shutdown
!
router rip
 version 1
 network 10.0.0.0
 network 192.168.2.0
!
ip http server
ip classless
!
!
!
!
line con 0
 exec-timeout 0 0
line aux 0
line vty 0 4
!
end

sanjose2#sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is not set

     10.0.0.0/24 is subnetted, 1 subnets
C       10.0.0.0 is directly connected, Ethernet0
R    192.168.1.0/24 [120/1] via 192.168.2.1, 00:00:24, Serial1
                    [120/1] via 10.0.0.1, 00:00:05, Ethernet0
C    192.168.2.0/24 is directly connected, Serial1
R    192.168.3.0/24 [120/1] via 192.168.2.1, 00:00:24, Serial1
sanjose2#sh ip int bRief
Interface                  IP-Address      OK? Method Status                Protocol
BRI0                       unassigned      YES unset  administratively down down    
BRI0:1                     unassigned      YES unset  administratively down down    
BRI0:2                     unassigned      YES unset  administratively down down    
Ethernet0                  10.0.0.2        YES manual up                    up      
Serial0                    unassigned      YES manual down                  down    
Serial1                    192.168.2.2     YES manual up                    up      
sanjose2#
0
Question by:mikey250
6 Comments
LVL 18

Accepted Solution

by:
jmeggers earned 500 total points
ID: 35097844
There are no ACLs applied in your configurations.  I'm not clear on what you're trying to accomplish, but if you configure a "deny" ACL and apply it to an interface, yes, it will block traffic.  If you're having difficulty pinging a host, many times the problem is routing, that there's no route in the routing table to get back to the source of the ICMP traffic.  If you're trying to ping a host, make sure there's no personal firewall configured on the host.
0
 

Author Comment

by:mikey250
ID: 35098654
Apologies for missing off the 'ACL' config!!!

My question is: should I be able to ping from either sanjose1 or 2 to the Vista host PC specifically, or just to the Vista Eth0?

I think my instructions are wrong and that I should only be able to ping the Vista Eth0 interface and NOT the Vista host PC!!

The 'ACL' was added so that when I do an 'Extended ping from Sanjose1', i.e. target PC 192.168.3.2 & source 10.0.0.1 to simulate being on the 10.x.x.x network, it would NOT allow a successful ping. Task 1 done. So adding the 'ACL', given my main question above, is useless at this point.

Building configuration...

Current configuration : 918 bytes
!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname vista
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
ip subnet-zero
!
!
!
!
interface Ethernet0
 ip address 192.168.3.1 255.255.255.0
 ip access-group 50 out
!
interface Serial0
 ip address 192.168.1.1 255.255.255.0
 clock rate 56000
!
interface Serial1
 ip address 192.168.2.1 255.255.255.0
 clock rate 56000
!
interface BRI0
 no ip address
 encapsulation hdlc
 shutdown
!
router rip
 version 1
 network 192.168.1.0
 network 192.168.2.0
 network 192.168.3.0
!
ip http server
ip classless
!
!
access-list 50 deny   10.0.0.0 0.0.0.255
access-list 50 permit any
!
!
line con 0
line aux 0
line vty 0 4
!
end

vista#sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is not set

R    10.0.0.0/8 [120/1] via 192.168.1.2, 00:00:11, Serial0
                [120/1] via 192.168.2.2, 00:00:19, Serial1
C    192.168.1.0/24 is directly connected, Serial0
C    192.168.2.0/24 is directly connected, Serial1
C    192.168.3.0/24 is directly connected, Ethernet0
vista#sh ip int brief
Interface                  IP-Address      OK? Method Status                Protocol
BRI0                       unassigned      YES unset  administratively down down    
BRI0:1                     unassigned      YES unset  administratively down down    
BRI0:2                     unassigned      YES unset  administratively down down    
Ethernet0                  192.168.3.1     YES manual up                    up      
Serial0                    192.168.1.1     YES manual up                    up      
Serial1                    192.168.2.1     YES manual up                    up      
vista#
0
 

Author Comment

by:mikey250
ID: 35098669
I have no firewall on my standalone PC!
0
LVL 18

Assisted Solution

by:jmeggers
jmeggers earned 500 total points
ID: 35108397
If you're blocking anything sourced from 10.0.0.0 out the Eth interface, then that should prevent ICMP traffic sourced from 10.0.0.0/24 from getting to the host that's connected on that interface.  You should still be able to ping the router interface itself.
0
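The behaviour described in this answer, modelled as an added Python example (not code from the thread): it evaluates vista's access-list 50 with Cisco first-match and wildcard-mask semantics against the addresses in the posted configs, and assumes, as IOS does, that an outbound ACL on Ethernet0 is not consulted for packets addressed to the router's own interface.

```python
import ipaddress
from dataclasses import dataclass

@dataclass
class Ace:
    action: str    # "permit" or "deny"
    network: int   # source prefix as a 32-bit int
    wildcard: int  # Cisco wildcard mask: 1 bits are "don't care"

def parse_standard_acl(lines):
    """Parse IOS 'access-list N permit|deny A.B.C.D [W.X.Y.Z]' lines, keeping order."""
    aces = []
    for line in lines:
        p = line.split()  # ["access-list", number, action, source, wildcard?]
        if p[3] == "any":
            net, wc = 0, 0xFFFFFFFF
        else:
            net = int(ipaddress.IPv4Address(p[3]))
            wc = int(ipaddress.IPv4Address(p[4])) if len(p) > 4 else 0  # no mask = host
        aces.append(Ace(p[2], net, wc))
    return aces

def acl_action(aces, src_ip):
    """First matching entry wins; anything unmatched hits the implicit deny."""
    s = int(ipaddress.IPv4Address(src_ip))
    for ace in aces:
        care = ~ace.wildcard & 0xFFFFFFFF  # bits the wildcard says must match
        if (s & care) == (ace.network & care):
            return ace.action
    return "deny"

VISTA_ETH0 = ipaddress.ip_address("192.168.3.1")   # from the vista config
VISTA_LAN = ipaddress.ip_network("192.168.3.0/24")

def ping_through_vista(aces, src_ip, dst_ip):
    """Fate of an ICMP echo request reaching vista with 'ip access-group 50 out' on Eth0."""
    dst = ipaddress.ip_address(dst_ip)
    if dst == VISTA_ETH0:
        # Addressed to the router: handled locally, never forwarded out Ethernet0,
        # so the outbound ACL is not consulted (assumed IOS behaviour).
        return "reply"
    if dst in VISTA_LAN:
        # Forwarded out Ethernet0: the outbound standard ACL filters on source only
        return "reply" if acl_action(aces, src_ip) == "permit" else "dropped"
    return "not via Eth0"

ACL_50 = parse_standard_acl([
    "access-list 50 deny   10.0.0.0 0.0.0.255",
    "access-list 50 permit any",
])
# Extended ping from sanjose1 sourced from its Ethernet0 (10.0.0.1) is dropped; a
# default ping, which IOS sources from the exit interface Serial0 (192.168.1.2), passes.
```

Because a standard ACL matches on source only, the same entry also blocks every other protocol from 10.0.0.0/24 to hosts on Ethernet0. Note too that the wildcard 0.0.0.255 covers only 10.0.0.0/24, not the whole 10.0.0.0/8 that RIP version 1 advertises to vista.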
 

Author Comment

by:mikey250
ID: 35110048
Yes, I can ping the router itself! It was only because my instructions said I should be able to 'ping' the 'Vista host PC', ALTHOUGH I DO NOT BELIEVE I SHOULD, in which case, as you suggest, I SHOULD ONLY BE ABLE TO PING THE VISTA INTERFACE. If what I say is true then my config WITHOUT adding the 'ACL' is OK and my INSTRUCTIONS are WRONG regarding pinging the Vista eth0 HOST PC specifically!! This is what I'm checking on?
0
 

Author Closing Comment

by:mikey250
ID: 35255343
It's obviously my instructions that appear incorrect, only in this situation.
0
