xdxml12

join:2012-10-26

ACL

Hello,

I was playing around with the concept of ACLs and came across some issues. Host A and Host B can ping with no problems (they are on different subnets). What I did was create a standard ACL named TEST and added a deny for host A pinging host B. This worked fine. When I added several other deny statements as a test, and removed my initial deny statement for host A pinging B, I cannot ping Host B even though I removed that specific deny.

So I read and found that all ACLs have a deny any by default. So what I did was to write permit any to counter the deny any, and then added a lower sequence # deny for host A to ping B.

But no matter how low I make that sequence # for the deny statement, I am always able to ping host B.

So in summary,

1. Deny worked initially
2. Added other deny statements, removed initial deny specific for host A to B, cannot ping B
3. Added permit any, was able to ping Host B
4. Added lower seq deny for A to ping B, does not work, I am always able to ping host B

Where am I going wrong here?

BTW, I tried doing it the other way round: leaving that deny any, and just permitting that specific host A to ping B. Does not work.


aryoba
Premium,MVM
join:2002-08-22
kudos:4

Without posting your actual ACL, people here can only guess what the issue is. My take on this is that you either denied/permitted the incorrect protocol, TCP/UDP port, or ICMP type numbers, in addition to the usual ACL line order. Specifically for ICMP, be familiar with the IANA take on ICMP in order to understand what the ICMP industry standard is.

»www.iana.org/assignments/icmp-pa···ters.xml


xdxml12

join:2012-10-26

I have attached the access list here.

ACL name is test

I applied the access list group test to int fa 0/0 IN on router one

If I remove the "permit any", the host 192.168.1.10 won't be able to go out. But even if I remove the deny 5, I still cannot ping from 192.168.1.10.



xdxml12

join:2012-10-26
reply to xdxml12

Never mind, simple issue with ip address, problem solved

Thanks


HELLFIRE
Premium
join:2009-11-25
kudos:18
reply to xdxml12

May want to go back and read up on ACLs. It's a real pain, I know... I went through that myself.

Having a little difficulty figuring out what it was you tried or were trying to do, but some general tips
about ACLs:

a) Standard are for source-only, Extended should be used for source-and-destination-and-protocol constructs (IIRC)
b) they are processed top-down, and have a hidden deny-any
c) best practice says permit what you need and deny the rest.

Remember that and you should be in pretty good shape.

Regards
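A small simulator of the three rules above (top-down first match, hidden deny-any at the end, standard ACLs matching on source only), walked through the numbered steps in the original question. This is an added example, not code from the thread or from any vendor; host B (192.168.2.10), host C (192.168.3.10) and the 10/8 and 172.16/12 filler entries are constructed values.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Entry:
    seq: int
    action: str          # "permit" or "deny"
    src: str             # "any" or an address/network in CIDR form
    dst: str = "any"     # only consulted when the ACL is evaluated as extended


def _match(spec: str, addr: str) -> bool:
    """'any' matches everything; otherwise the address must fall inside the CIDR block."""
    return spec == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)


def evaluate(acl, src, dst, extended=False):
    """Return (action, seq) of the first matching entry in sequence order.

    Nothing matched means the hidden deny-any fired, reported as ("deny", None).
    A standard ACL (extended=False) never looks at the destination.
    """
    for e in sorted(acl, key=lambda e: e.seq):
        if _match(e.src, src) and (not extended or _match(e.dst, dst)):
            return e.action, e.seq
    return "deny", None


HOST_A = "192.168.1.10"   # the source host from the thread
HOST_B = "192.168.2.10"   # constructed: the destination being pinged
HOST_C = "192.168.3.10"   # constructed: an unrelated destination

# Step 2: unrelated denies remain, the A->B deny is removed, no permit anywhere -> implicit deny
step2 = [Entry(10, "deny", "10.0.0.0/8"), Entry(20, "deny", "172.16.0.0/12")]
# Step 3: "permit any" appended -> A reaches B
step3 = step2 + [Entry(30, "permit", "any")]
# Step 4: a lower-sequence deny for host A is evaluated before the permit -> blocked again
step4 = step3 + [Entry(5, "deny", HOST_A + "/32")]
# Step 4 with the host address typed wrong (the thread's actual cause): the deny never matches
step4_typo = step3 + [Entry(5, "deny", "192.168.1.100/32")]

# Extended form: the same deny restricted to destination B. Evaluated as a standard ACL the
# destination is ignored, so host A also loses reachability to host C.
ext = [Entry(5, "deny", HOST_A + "/32", HOST_B + "/32"), Entry(10, "permit", "any")]
```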


xdxml12

join:2012-10-26

Thanks

Tips jotted down