
krock83

join:2010-03-02

Access-List problem

Hi, I was doing a simple ACL configuration on my little network.

What I have is a wireless router set up as an access point on FA0/1, and I wanted to block that network, 162.10.1.0, from reaching my server network on FA0/0, network 192.168.1.0.

I don't want to shut down the FA0/1 interface because those notebooks need to reach other devices on that router, such as a shared server and another private LAN on FA0/0/0 and FA0/0/2.

What I did is this

STL#conf t
Enter configuration commands, one per line. End with CNTL/Z.
STL(config)#access-list 25 deny 162.10.1.0 0.0.0.255
STL(config)#access-list 25 permit any
STL(config)#int fa0/0
STL(config-if)#ip access-group 25 out
STL(config-if)#end
STL#

After I was done I was still able to ping from a workstation on the 16.10.1.0 network to any server on FA0/0.

Did I make a mistake somewhere? I even checked Cisco's web site on ACL configuration, and according to that this should work.

Thanks for any advice


phantasm11b
Premium
join:2007-11-02

1 edit

Two things.

1. Why are you using routable IP space on your LAN? That's just asking for trouble. Review RFC1918 for the correct IP address space to use internally.

2. Your ACL blocks 162.10.1.x, but in your last statement you say that the IP is 16.10.1.x. Is this a typo?

As for placement of the ACL, imagine yourself as the router, stick your arms out to the side and give each one an interface. So for the WAN side, say that's your right arm. To block traffic coming INTO the router you would specify the traffic as INBOUND.

Same principles apply to your left arm.
--
"There are two American flags flying on the property I reside on. Anyone who tries to take them down will be rendered inoperative." -Lindy


krock83

join:2010-03-02

reply to krock83
Sorry, I mistyped the last IP address. It's 162, not 16.

I'm just using these IP addresses for this lab; I will remove them once I've got it figured out.

Let me try your strategy; hopefully it's that simple.

Thanks


krock83

join:2010-03-02

1 edit

reply to krock83
Ok cool, that works... I can't get to the 192.168.1.x network, but I can't get to the other 2 networks that I should be able to get to on fa0/0/0 and fa0/0/2.



phantasm11b
Premium
join:2007-11-02

said by krock83:

Ok cool, that works... I can't get to the 192.168.1.x network, but I can't get to the other 2 networks that I should be able to get to on fa0/0/0 and fa0/0/2.
So you got it working then?

krock83

join:2010-03-02

reply to krock83
All I did is change this

STL(config-if)#ip access-group 25 out

to

STL(config-if)#ip access-group 25 in

Now I can't ping from network 162.10.1.0 to network 192.168.1.0; that is what I wanted.

But on the same router, on interfaces fa0/0/0 and fa0/0/2, I have 2 more networks, network 192.168.20.0 and network 192.168.30.0, that I can't ping from the 162.10.1.0 network. I should be able to ping them because I didn't put any ACL restrictions on those interfaces. Now it looks like it's blocking everything; if I wanted this I could have shut that interface down, because that is how it acts now.



phantasm11b
Premium
join:2007-11-02

said by krock83:

All I did is change this

STL(config-if)#ip access-group 25 out

to

STL(config-if)#ip access-group 25 in

Now I can't ping from network 162.10.1.0 to network 192.168.1.0; that is what I wanted.

But on the same router, on interfaces fa0/0/0 and fa0/0/2, I have 2 more networks, network 192.168.20.0 and network 192.168.30.0, that I can't ping from the 162.10.1.0 network. I should be able to ping them because I didn't put any ACL restrictions on those interfaces. Now it looks like it's blocking everything; if I wanted this I could have shut that interface down, because that is how it acts now.
That's because your ACL denies the entire 162.10.1.x network from going into that interface. One workaround for this is to use an extended ACL and specify both source and destination IP addresses. That would be my preferred method.

krock83

join:2010-03-02

reply to krock83
Yes, the ACL denies everything going into the fa0/0 interface, but interfaces fa0/0/0 and fa0/0/2 have no ACL statements, and I don't see why I can't get to those workstations on those interfaces.



phantasm11b
Premium
join:2007-11-02

Post up your config, sans passwords and whatnot.


HELLFIRE

join:2009-11-25
kudos:7

reply to krock83
@phantasm11b
I rather like your way of figuring out which way traffic should be
flowing, very nice!

Regards



phantasm11b
Premium
join:2007-11-02

said by HELLFIRE:

@phantasm11b
I rather like your way of figuring out which way traffic should be
flowing, very nice! :D

Regards
Thanks. I learned that somewhere and it has served me well.

@OP: I'd need to see the config to see if anything else is going on. In the interim, try adding this ACL to Fa0/1; be sure to remove the other one from Fa0/0:

access-list 100 deny ip 162.10.1.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 100 permit ip 162.10.1.0 0.0.0.255 any
 

Apply that inbound of Fa0/1. That should prevent 162.10.1.x from reaching 192.168.1.x but allow all other traffic.

Let me know how that works for you.
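To show concretely why the source-only standard ACL cuts 162.10.1.x off from every LAN while the extended ACL 100 above blocks only the server network, here is a small Python model of how IOS evaluates a numbered ACL bound to an interface. This is an added example written for this page, not configuration or code from the thread or from Cisco: the interface names, networks and the two ACLs are taken from the posts, while the evaluation logic (first match wins, implicit deny at the end, inbound check on the interface a packet enters, outbound check on the interface it leaves) and the sample host addresses such as 162.10.1.5 are my own simplification. It binds ACL 25 inbound on Fa0/1 rather than where the OP bound it, to isolate the effect of matching on the source address alone.

```python
"""Model of IOS numbered-ACL evaluation for the lab router in this thread.

Added example; addresses, interface names and ACL entries come from the
posts above, the evaluation rules are a simplified model of IOS behaviour.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Entry:
    action: str        # "permit" or "deny"
    src: str           # "network wildcard" or "any"
    dst: str = "any"   # a standard ACL never looks at the destination


def wildcard_match(addr: str, spec: str) -> bool:
    """Cisco wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    if spec == "any":
        return True
    net, wild = spec.split()
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(net))
    w = int(ipaddress.IPv4Address(wild))
    return (a | w) == (n | w)


def evaluate(acl, src: str, dst: str) -> str:
    """Walk the entries in order; the first match decides.

    Every IOS ACL ends with an invisible 'deny any', so a packet that
    matches no entry is dropped.
    """
    for e in acl:
        if wildcard_match(src, e.src) and wildcard_match(dst, e.dst):
            return e.action
    return "deny"


# Connected networks named in the thread (lab addressing; 162.10.1.0/24 is
# public space, which the second post rightly objects to).
INTERFACES = {
    "Fa0/1":   ipaddress.IPv4Network("162.10.1.0/24"),    # wireless AP
    "Fa0/0":   ipaddress.IPv4Network("192.168.1.0/24"),   # servers
    "Fa0/0/0": ipaddress.IPv4Network("192.168.20.0/24"),
    "Fa0/0/2": ipaddress.IPv4Network("192.168.30.0/24"),
}


def interface_for(addr: str):
    ip = ipaddress.IPv4Address(addr)
    return next((name for name, net in INTERFACES.items() if ip in net), None)


def forward(src: str, dst: str, bindings: dict) -> str:
    """bindings maps (interface, 'in' | 'out') to an ACL, like ip access-group.

    The inbound ACL of the ingress interface is checked first, then the
    outbound ACL of the egress interface; a deny at either point drops.
    """
    ingress, egress = interface_for(src), interface_for(dst)
    if ingress is None or egress is None:
        raise ValueError("address is not on a connected network of this router")
    for iface, direction in ((ingress, "in"), (egress, "out")):
        acl = bindings.get((iface, direction))
        if acl is not None and evaluate(acl, src, dst) == "deny":
            return "deny"
    return "permit"


# access-list 25 deny 162.10.1.0 0.0.0.255 / access-list 25 permit any
ACL_25 = [Entry("deny", "162.10.1.0 0.0.0.255"), Entry("permit", "any")]

# access-list 100 deny   ip 162.10.1.0 0.0.0.255 192.168.1.0 0.0.0.255
# access-list 100 permit ip 162.10.1.0 0.0.0.255 any
ACL_100 = [
    Entry("deny", "162.10.1.0 0.0.0.255", "192.168.1.0 0.0.0.255"),
    Entry("permit", "162.10.1.0 0.0.0.255", "any"),
]

# Standard ACL inbound where the wireless traffic enters: it matches on the
# source only, so it cuts 162.10.1.x off from every other LAN.
STANDARD_ON_FA01 = {("Fa0/1", "in"): ACL_25}

# Extended ACL inbound on Fa0/1, the fix proposed in the thread.
EXTENDED_ON_FA01 = {("Fa0/1", "in"): ACL_100}


def scenario(bindings: dict) -> dict:
    """Outcome of the three pings discussed in the thread (sample hosts assumed)."""
    return {
        "to_servers": forward("162.10.1.5", "192.168.1.10", bindings),
        "to_lan20":   forward("162.10.1.5", "192.168.20.10", bindings),
        "to_lan30":   forward("162.10.1.5", "192.168.30.10", bindings),
    }


if __name__ == "__main__":
    for name, b in (("standard ACL 25", STANDARD_ON_FA01),
                    ("extended ACL 100", EXTENDED_ON_FA01)):
        print(name, scenario(b))
```

Two caveats the model makes visible. First, ACL 100 only permits sources inside 162.10.1.0/24; anything else arriving on Fa0/1 hits the implicit deny, which is fine for this lab but worth remembering if another subnet ever sits behind that access point. Second, an ACL is stateless: a host on the server LAN can still send a ping out to 162.10.1.x, but the echo reply coming back in on Fa0/1 matches the deny entry, so that ping fails too. On the real router, `show access-lists` shows per-entry hit counters and `show ip interface Fa0/1` confirms which ACL is bound in which direction, which is the quickest way to check that the rule is where you think it is.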

krock83

join:2010-03-02

reply to krock83
@phantasm11b
Thank you... I got it to work yesterday with the standard ACL, but I took that one off and applied this one, and it works much better now. Thank you. The next chapter covers extended ACLs; hopefully they will have some good labs there as well.

