How to apply access list with following condition
vawk:
I want to apply an access list on the router so that HostA cannot ping HostB, but HostB can ping HostA. Is it possible? Is there any concept of inbound and outbound that applies here? Thanks in advance.
Comments
theodoxa:
I've never tried it, but you might/should be able to specify "echo-request" and "echo-reply" in the appropriate directions.
[EDIT] I assume A and B are on different subnets/VLANs and that you are doing RoAS with the router to route between the subnets. If they're on the same subnet/VLAN, then you'd need to look into VACLs, which I'm not sure would be fully supported by the 2950.
atorven:
If they are both in different VLANs then you need to deny ICMP echo traffic coming in from HostA.
OfWolfAndMan:
Let's keep it simple. This will require an extended access list.
#access-list 101 deny icmp [source ip] [source mask] [destination ip] [destination mask] echo
#access-list 101 deny icmp [source ip] [source mask] [destination ip] [destination mask] echo-reply
#access-list 101 permit ip any any
Then apply it to the appropriate port or SVI, depending on how you want to go about it.
atorven:
If you deny echo-reply then HostA's replies won't be received by HostB, therefore a ping from HostB would fail.
theodoxa:
atorven wrote: If you deny echo-reply then HostA's replies won't be received by HostB, therefore a ping from HostB would fail.
You deny echo-reply only for packets sourced from A and destined for B using an extended ACL:
deny icmp host <Host A IP Address> host <Host B IP Address> echo-reply
permit ip any any
These two lines would prevent PING responses from coming back to A from B, but not vice versa. Ideally, though, you would want to block the PINGs before they ever got to Host B [to avoid wasting its resources].
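The following is an added model of the ACL logic discussed in OfWolfAndMan's and atorven's posts above; it is not code from the thread. It simulates Cisco first-match/implicit-deny evaluation for an extended ACL applied inbound on HostA's router subinterface and checks both ping directions, showing why denying both echo and echo-reply breaks HostB's pings while denying only the echo from A gives the asked-for behaviour. Host addresses, subinterface names, the Ace class and all function names are constructed assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed lab addresses (not from the thread): A and B sit on different
# VLANs routed by a router-on-a-stick with subinterfaces Gi0/0.10 and Gi0/0.20.
HOST_A, HOST_B = "10.1.10.5", "10.1.20.5"
HOST_IFACE = {HOST_A: "Gi0/0.10", HOST_B: "Gi0/0.20"}
ANY = "0.0.0.0/0"

@dataclass(frozen=True)
class Ace:
    action: str                       # "permit" or "deny"
    src: str                          # CIDR; "host x" on IOS is x/32
    dst: str
    icmp_type: Optional[str] = None   # "echo", "echo-reply", or None = any

def matches(ace, src, dst, icmp_type):
    in_src = ip_address(src) in ip_network(ace.src)
    in_dst = ip_address(dst) in ip_network(ace.dst)
    return in_src and in_dst and ace.icmp_type in (None, icmp_type)

def evaluate(acl, src, dst, icmp_type):
    """Cisco semantics: first matching ACE wins, implicit deny at the end."""
    for ace in acl:
        if matches(ace, src, dst, icmp_type):
            return ace.action == "permit"
    return False

def forwarded(acl, acl_iface, src, dst, icmp_type):
    """ACL is applied inbound on acl_iface, so it inspects only packets
    entering the router from the host attached to that subinterface."""
    if HOST_IFACE[src] != acl_iface:
        return True
    return evaluate(acl, src, dst, icmp_type)

def ping_succeeds(acl, acl_iface, src, dst):
    """A ping needs the echo to reach dst AND the echo-reply to come back."""
    return (forwarded(acl, acl_iface, src, dst, "echo")
            and forwarded(acl, acl_iface, dst, src, "echo-reply"))

# OfWolfAndMan's list: denies echo AND echo-reply from A to B.
ACL_DENY_BOTH = [Ace("deny", HOST_A + "/32", HOST_B + "/32", "echo"),
                 Ace("deny", HOST_A + "/32", HOST_B + "/32", "echo-reply"),
                 Ace("permit", ANY, ANY)]
# atorven's point: deny only the echo from A toward B; A's replies still pass.
ACL_DENY_ECHO = [Ace("deny", HOST_A + "/32", HOST_B + "/32", "echo"),
                 Ace("permit", ANY, ANY)]

if __name__ == "__main__":
    for name, acl in (("deny echo+reply", ACL_DENY_BOTH), ("deny echo", ACL_DENY_ECHO)):
        print(name, "A->B:", ping_succeeds(acl, "Gi0/0.10", HOST_A, HOST_B),
              "B->A:", ping_succeeds(acl, "Gi0/0.10", HOST_B, HOST_A))
```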