access list question using boson
hankooknara
Inactive Imported Users Posts: 24 ■□□□□□□□□□
in CCNA & CCENT
The configs below are for router 2 and router 4.
Before the access list was put in, both were able to ping.
After putting in the access list, I understand that router 4 would not be able to ping router 2.
However, shouldn't router 2 still be able to ping router 4?
I am using Boson and perhaps there is a mistake with the sim.
Can someone comment?
Thank you.
router 2 config
interface Ethernet0
ip address 24.17.2.2 255.255.255.240
no ip directed-broadcast
ip access-group 1 in
!
!
router rip
network 24.0.0.0
!
access-list 1 deny host 24.17.2.18
access-list 1 permit any
router 4 config
interface Serial0
ip address 24.17.2.18 255.255.255.240
encapsulation frame-relay
!
router rip
network 24.0.0.0
Comments
mzinz Member Posts: 328
Everything looks fine to me.
I've been using the Boson sim as well. It's a nice program, it really is, but it isn't perfect.
_______LAB________
2x 2950
2x 3550
2x 2650XM
2x 3640
1x 2801
EdTheLad Member Posts: 2,111 ■■■■□□□□□□
hankooknara wrote:
Below configs are in for router 2 and router 4.
Before access list was put in, both were able to ping.
After putting the access list, I understand that router 4 would not be able to ping router 2.
However, shouldn't router 2 be able to still ping router 4?
I am using boson and perhaps there is a mistake with the sim..
Can someone comment?
Thank you.
router 2 config
interface Ethernet0
ip address 24.17.2.2 255.255.255.240
no ip directed-broadcast
ip access-group 1 in
!
!
router rip
network 24.0.0.0
!
access-list 1 deny host 24.17.2.18
access-list 1 permit any
router 4 config
interface Serial0
ip address 24.17.2.18 255.255.255.240
encapsulation frame-relay
!
router rip
network 24.0.0.0
You can ping from r2 to r4, you created an access-list to block the source address of r4, and this is applied on the input to r2. Now any packets coming from source r4 are discarded at ingress to r2.
When you ping from r4 to r2 the interface will check the source IP address and block the ping. When you ping from r2 to r4, the ping will arrive on r4 and get sent to layer 3 for processing; r4 will see it's a ping and know it must reply, so r4 creates an IP packet with r4's IP address in the source field. R4 transmits the ping reply to r2; r2 receives it, checks the access list on the ingress interface, sees a match for the source IP of r4 and discards it. No ping reply is received.
Networking, sometimes i love it, mostly i hate it. It's all about the $$$$
hankooknara Inactive Imported Users Posts: 24 ■□□□□□□□□□
Thank u ...
Interesting, however; so based on TCP connection, in or out wouldn't really matter since it's a two-way connection as always.
Danman32 Member Posts: 1,243
Ping is ICMP, not TCP. You used a standard ACL, which filters on IP source address only.
You could use an extended list that allowed echo replies through. But as Hank said, a ping is a two-way handshake. The source of a ping is a request for a reply. The destination responds with an echo reply packet using the ICMP protocol.
If ping were TCP, then you could also set up an extended ACL that used the established keyword. That's how you allow things such as HTTP or email communications originating from the inside. If there weren't such a keyword, then the replies to such requests would be blocked.
Most communication is a dialog, so you have to consider the path of the answer as well as the path of the request. Sometimes I forget this when setting up static routes relying on default routes. That's fine for packets getting out, but how do the reply packets get back, if the front end router knows nothing about the back end network?
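As an added illustration (not from the thread or from Boson), here is a small Python model of first-match ACL evaluation run over the two ping exchanges discussed above, using the addresses from the posted configs. The standard ACL is the posted access-list 1; the extended ACL is a constructed alternative along the lines Danman32 suggests, permitting only r4's echo replies. The model assumes host-only entries (no wildcard masks) and ignores IOS ACL number ranges.

```python
from dataclasses import dataclass

R2, R4 = "24.17.2.2", "24.17.2.18"   # addresses from the posted configs

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str       # "icmp" for ping traffic
    icmp_type: str   # "echo" (request) or "echo-reply"

@dataclass(frozen=True)
class Ace:
    """One access-list entry; a standard ACL entry only looks at the source."""
    action: str            # "permit" or "deny"
    src: str               # a host address or "any"
    proto: str = "ip"      # "ip" matches every IP protocol
    icmp_type: str = "any"

def acl_verdict(acl, pkt):
    """First matching entry wins; every ACL ends with an implicit 'deny any'."""
    for ace in acl:
        if ace.src in ("any", pkt.src) and ace.proto in ("ip", pkt.proto) \
                and ace.icmp_type in ("any", pkt.icmp_type):
            return ace.action
    return "deny"

# access-list 1 exactly as posted, applied inbound on r2's Ethernet0.
STANDARD_ACL = [Ace("deny", R4), Ace("permit", "any")]

# Constructed alternative (hypothetical, not from the thread), roughly:
#   access-list 101 permit icmp host 24.17.2.18 any echo-reply
#   access-list 101 deny   ip   host 24.17.2.18 any
#   access-list 101 permit ip   any any
EXTENDED_ACL = [Ace("permit", R4, "icmp", "echo-reply"),
                Ace("deny", R4), Ace("permit", "any")]

def ping(acl_in_on_r2, source):
    """Return True if a ping sent from `source` gets its reply back. The ACL is
    only consulted for packets entering r2, because that is where it is applied."""
    dest = R4 if source == R2 else R2
    request = Packet(source, dest, "icmp", "echo")
    reply = Packet(dest, source, "icmp", "echo-reply")
    if dest == R2 and acl_verdict(acl_in_on_r2, request) == "deny":
        return False  # r4's request is dropped before r2 ever sees it
    if source == R2 and acl_verdict(acl_in_on_r2, reply) == "deny":
        return False  # r4 answers, but the reply is dropped at r2's ingress
    return True
```

With the posted standard ACL both directions fail, since the reply from r4 carries r4's address as its source; with the constructed extended ACL, r2's pings succeed while r4's are still blocked.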