access lists....help !
live_wire
Member Posts: 21 ■□□□□□□□□□
in CCNA & CCENT
Just started studying access lists... and damn, ran into problems.
OK, this is the scenario. I have a 2621 router and a 2950 switch.
- the switch is connected to Fa0/0
- 5 hosts are connected to this switch (IP address range 192.168.1.11 to 15, and the switch 1.10)
- Fa0/1 has an IP address of 192.168.10.1 and has one host connected to it (192.168.10.10)
Now I want only one host (192.168.1.11) from the 192.168.1.0/24 network to connect to 192.168.10.10.
This is what I did:
access-list 5 deny 192.168.1.11 0.0.0.0
access-list 5 permit 192.168.1.0 0.0.0.255 (or access-list 5 permit any)
ip access-group 5 in (this I implemented on the fa0/1 interface of the router, so scan inbound).
Observation:
- none of the hosts of 192.168.1.0/24 are able to ping 192.168.10.10
- host 192.168.10.10 is not able to ping any of the hosts on the 192.168.1.0/24 network
What could be wrong with the above access-list... (I think I am a bit confused)???
Comments
gojericho0 Member Posts: 1,059 ■■■□□□□□□□
Hi live_wire,
Your first statement:
access-list 5 deny 192.168.1.11 0.0.0.0
is denying the traffic flow you are trying to allow. Also remember there is an explicit deny not seen in the access lists.
If you are placing the access list on Fa0/1 you would also make it outbound, since it is leaving the router on its way to the 192.168.10.0/24 network.
jediknight Member Posts: 113
Your ACL is backwards. Let's start over.
Host 192.168.10.10 will not be able to ping any hosts because you have your ACL implemented on fa0/1 inbound, which would block
all traffic from that host to the 192.168.1.0 network due to the implicit deny. Also, when hosts on the 192.168.1.0 network ping 192.168.10.10, the echo request will make it to the host 192.168.10.10, but the echo reply will be blocked due to the ACL preventing all traffic from 192.168.10.10 (set up an extended ACL to allow ICMP traffic from this host and you can verify this).
Here is what you would want to do with this case:
access-list 5 permit host 192.168.1.11
(unseen implicit deny here, do not type what is in these parenthesis)
then
ip access-group 5 in (apply this on the fa0/0 interface)
Now only the 192.168.1.11 host can send traffic and all other traffic will be denied due to the implicit deny at the end of the ACL. This ACL would only meet the requirements of what you were looking for in your post.
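To see why the two placements behave so differently, here is an added example (not from the thread or any poster) that simulates IOS standard-ACL matching with wildcard masks and the implicit deny, then evaluates the original list as applied inbound on fa0/1 against the corrected list applied inbound on fa0/0. Interface names and addresses are the ones from the scenario; the simulator itself is an assumption for illustration.

```python
# Simulate how an IOS standard ACL evaluates a packet's source address:
# entries are checked top to bottom, first match wins, and a packet that
# matches nothing hits the implicit "deny any" at the end of the list.
import ipaddress

def wildcard_match(addr, base, wildcard):
    """Standard-ACL match: wildcard bits set to 1 are 'don't care' bits."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    care = ~w & 0xFFFFFFFF          # bits that must match exactly
    return (a & care) == (b & care)

def evaluate(acl, src):
    """Return 'permit' or 'deny' for a packet with source address src."""
    for action, base, wildcard in acl:
        if wildcard_match(src, base, wildcard):
            return action
    return "deny"  # implicit deny any (never shown in the running config)

# live_wire's original list: deny .11 first, then permit the rest of /24
ORIGINAL_ACL = [
    ("deny",   "192.168.1.11", "0.0.0.0"),
    ("permit", "192.168.1.0",  "0.0.0.255"),
]
# jediknight's corrected list: 'host 192.168.1.11' is wildcard 0.0.0.0
CORRECTED_ACL = [
    ("permit", "192.168.1.11", "0.0.0.0"),
]

def original_on_fa01_inbound():
    """Inbound on fa0/1 the router only filters packets ENTERING from the
    192.168.10.0 side, so the only source it ever sees is 192.168.10.10,
    which matches nothing and falls through to the implicit deny."""
    return evaluate(ORIGINAL_ACL, "192.168.10.10")

def corrected_on_fa00_inbound(src):
    """Inbound on fa0/0 the list sees the 192.168.1.0/24 hosts' packets."""
    return evaluate(CORRECTED_ACL, src)

if __name__ == "__main__":
    print("original, fa0/1 in, src 192.168.10.10:", original_on_fa01_inbound())
    for host in ("192.168.1.11", "192.168.1.12"):
        print(f"corrected, fa0/0 in, src {host}:", corrected_on_fa00_inbound(host))
```

The original list would have permitted 192.168.1.12 and denied 192.168.1.11 had it been placed where those sources are actually seen, which is the "backwards" part of the mistake; the placement on fa0/1 inbound is what broke the replies.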
live_wire Member Posts: 21 ■□□□□□□□□□
Thanks, damn, I have to practice a lot.
I will post when I get doubts. So please bear with me.