access lists....help !
live_wire
Just started studying access lists... and damn, ran into problems.
OK, this is the scenario. I have a 2621 router and a 2950 switch:
- the switch is connected to Fa0/0
- 5 hosts are connected to this switch (IP address range 192.168.1.11 to 15, and the switch 1.10)
- Fa0/1 has an IP address of 192.168.10.1 and has one host connected to it (192.168.10.10)
Now I want only one host (192.168.1.11) from the 192.168.1.0/24 network to connect to 192.168.10.10.
this is what i did
access-list 5 deny 192.168.1.11 0.0.0.0
access-list 5 permit 192.168.1.0 0.0.0.255 or access-list 5 permit any
ip access-group 5 in (this I implemented on the Fa0/1 interface of the router, so it scans inbound).
Observation:
- none of the hosts on 192.168.1.0/24 are able to ping 192.168.10.10
- host 192.168.10.10 is not able to ping any of the hosts on the 192.168.1.0/24 network
What could be wrong with the above access list? (I think I am a bit confused.)
gojericho0
Hi live_wire
Your first statement:
access-list 5 deny 192.168.1.11 0.0.0.0
is denying the traffic flow you are trying to allow. Also remember there is an explicit deny not seen in the access lists.
If you are placing the access list on Fa0/1 you would also make it outbound, since it is leaving the router on its way to the 192.168.10.0/24 network.
jediknight
Your ACL is backwards. Let's start over.
Host 192.168.10.10 will not be able to ping any hosts because you have your ACL implemented on fa0/1 inbound, which would block all traffic from that host to the 192.168.1.0 network due to the implicit deny. Also, when hosts on the 192.168.1.0 network ping 192.168.10.10, the echo request will make it to the host 192.168.10.10, but the echo reply will be blocked due to the ACL preventing all traffic from 192.168.10.10 (set up an extended ACL to allow ICMP traffic from this host and you can verify this).
Here is what you would want to do with this case:
access-list 5 permit host 192.168.1.11
(unseen implicit deny here, do not type what is in these parenthesis)
then
ip access-group 5 in (apply this on the fa0/0 interface)
Now only the 192.168.1.11 host can send traffic, and all other traffic will be denied due to the implicit deny at the end of the ACL. This ACL would meet only the requirements of what you were looking for in your post.
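To make the two replies above concrete (the implicit deny gojericho0 mentions, and jediknight's point about direction and the blocked echo reply), here is a small simulator of Cisco standard ACL semantics. It is an added example written for this thread, not code from the forum or from Cisco: it parses the `access-list` lines exactly as typed in the thread, evaluates them first-match with an implicit deny, and applies them on the interface and direction given. The interface/subnet layout and addresses come from live_wire's post; the `SUBNETS` table, the `ping_succeeds` helper and the two bindings are constructed for illustration.

```python
"""Standard-ACL simulator (added example, not from the thread or from Cisco).

Models: wildcard-mask matching, first-match evaluation, the implicit deny at
the end of every IOS ACL, and ACLs bound to (interface, direction).  A ping is
treated as an echo request plus an echo reply; both must be forwarded.
"""
import ipaddress

# Topology from the thread: Fa0/0 faces the switch, Fa0/1 faces the lone host.
SUBNETS = {
    "fa0/0": ipaddress.ip_network("192.168.1.0/24"),
    "fa0/1": ipaddress.ip_network("192.168.10.0/24"),
}


def wildcard_match(addr, base, wildcard):
    """IOS wildcard mask: a 1 bit means 'don't care', a 0 bit must match."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (b & care)


def parse_ace(line):
    """Parse one 'access-list <n> permit|deny <src>' line as typed in IOS."""
    tokens = line.split()
    if tokens[0] != "access-list":
        raise ValueError("not a standard ACL line: " + line)
    action, rest = tokens[2], tokens[3:]
    if rest[0] == "any":
        base, wc = "0.0.0.0", "255.255.255.255"
    elif rest[0] == "host":                     # 'host X' == 'X 0.0.0.0'
        base, wc = rest[1], "0.0.0.0"
    elif len(rest) == 1:                        # bare address == host
        base, wc = rest[0], "0.0.0.0"
    else:
        base, wc = rest[0], rest[1]
    return {"action": action, "base": base, "wildcard": wc}


def evaluate(acl_lines, src_ip):
    """First matching entry wins; falling off the end is the implicit deny."""
    for ace in (parse_ace(line) for line in acl_lines):
        if wildcard_match(src_ip, ace["base"], ace["wildcard"]):
            return ace["action"]
    return "deny"


def interface_for(ip):
    for name, net in SUBNETS.items():
        if ipaddress.IPv4Address(ip) in net:
            return name
    raise ValueError("no interface for " + ip)


def forwards(bindings, src, dst):
    """bindings maps (interface, 'in'|'out') -> ACL lines.  A packet is checked
    against the inbound ACL of its ingress interface and the outbound ACL of
    its egress interface; a deny on either drops it."""
    in_if, out_if = interface_for(src), interface_for(dst)
    for key in ((in_if, "in"), (out_if, "out")):
        acl = bindings.get(key)
        if acl is not None and evaluate(acl, src) == "deny":
            return False
    return True


def ping_succeeds(bindings, src, dst):
    # Echo request src->dst and echo reply dst->src both have to get through.
    return forwards(bindings, src, dst) and forwards(bindings, dst, src)


# live_wire's original list, applied inbound on Fa0/1 (as posted).
ORIGINAL_ACL = [
    "access-list 5 deny 192.168.1.11 0.0.0.0",
    "access-list 5 permit 192.168.1.0 0.0.0.255",
]
ORIGINAL_BINDINGS = {("fa0/1", "in"): ORIGINAL_ACL}

# jediknight's corrected list, applied inbound on Fa0/0.
CORRECTED_ACL = ["access-list 5 permit host 192.168.1.11"]
CORRECTED_BINDINGS = {("fa0/0", "in"): CORRECTED_ACL}

if __name__ == "__main__":
    lan = ["192.168.1.%d" % n for n in range(11, 16)]
    for label, b in (("original", ORIGINAL_BINDINGS), ("corrected", CORRECTED_BINDINGS)):
        print(label)
        for h in lan:
            print("  %s -> 192.168.10.10 ping ok: %s" % (h, ping_succeeds(b, h, "192.168.10.10")))
        print("  192.168.10.10 -> 192.168.1.11 ping ok: %s"
              % ping_succeeds(b, "192.168.10.10", "192.168.1.11"))
```

Running it reproduces live_wire's observation for the original binding: the echo requests leave through Fa0/1 untouched, but every reply from 192.168.10.10 hits the inbound list on Fa0/1, matches nothing, and is dropped by the implicit deny, so no ping completes in either direction. With the corrected binding only 192.168.1.11 can start or answer a conversation; the other four hosts are dropped on entry at Fa0/0.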
live_wire
Thanks, damn, I have to practice a lot.
I will post when I get doubts. So please bear with me.