Options
CCNA Virtual Lab and Access Lists
jezg76
Member Posts: 97 ■■□□□□□□□□
in CCNA & CCENT
I am just now diving into ACL and decided to venture into CCNAVL to see if I got the basics. I thought I got it, but this sim is making me wonder wtf.
I simply want to block anything from the 172.16.10.0 network from accessing the 172.16.30.0 network. Basic stuff, I know, but bear with me.
I create the following ACL:
access-list 10 deny 172.16.10.0 0.0.0.255
access-list 10 permit any
I then add this to the FA0/0 of Router_B:
ip access-group 10 out
This does do what it is supposed to. I cannot ping Host B (172.16.30.100) from Host A (172.16.10.100), but something else is going on...
I now can't ping Host A from B. I did verify the sim actually let me do that with no ACL applied to an interface. If the ACL is on the OUT of Router B's FA0/0, then it should not affect the .30 network getting out correct? Host B can ping up to 172.16.10.1, but that is it.
For the love of god please tell me this sim is retarded and not me.
Thanks in advance.
policy-map type inspect TACO
class type inspect BELL
drop log
class type inspect BELL
drop log
Comments
-
OptionsNetstudent
Member Posts: 1,693 ■■■□□□□□□□
you are blocking the echo reply.There is no place like 127.0.0.1 BUT 209.62.5.3 is my 127.0.0.1 away from 127.0.0.1!
-
Optionsjezg76
Member Posts: 97 ■■□□□□□□□□
Oh my. So much to learn...
Thank you much.policy-map type inspect TACO
class type inspect BELL
drop log -
Optionsjediknight
Member Posts: 113
jezg76 wrote:
I am just now diving into ACL and decided to venture into CCNAVL to see if I got the basics. I thought I got it, but this sim is making me wonder wtf.
I simply want to block anything from the 172.16.10.0 network from accessing the 172.16.30.0 network. Basic stuff, I know, but bear with me.
I create the following ACL:
access-list 10 deny 172.16.10.0 0.0.0.255
access-list 10 permit any
I then add this to the FA0/0 of Router_B:
ip access-group 10 out
This does do what it is supposed to. I cannot ping Host B (172.16.30.100) from Host A (172.16.10.100), but something else is going on...
I now can't ping Host A from B. I did verify the sim actually let me do that with no ACL applied to an interface. If the ACL is on the OUT of Router B's FA0/0, then it should not affect the .30 network getting out correct? Host B can ping up to 172.16.10.1, but that is it.
For the love of god please tell me this sim is retarded and not me.
Thanks in advance.
This is a common troubleshooting problem when you are first learning ACL's, trust me I know
You ACL is correct as far as wanting to block traffic to the 172.16.30.0 network. As Netstudent said, the reason you are not able to ping host A from Host B is because the echo request is getting to host A, but the echo reply is not able to make it back because the Source address is changed to Host A's address which is on the 172.16.10.0 network which traffic will be discarded once it reaches Router B and is processed by the ACL. If you wanted to allow ICMP traffic, you would need an extended ACL as Netstudent mentioned.
Also here is something else. Router's cannot filter traffic that it originates itself, meaning ACL's will not filter traffic generated by the router. -
Optionsjezg76
Member Posts: 97 ■■□□□□□□□□
Thanks jedi. After both of you telling me what was wrong, it makes so much sense now.
I again thank you both for your assistance.policy-map type inspect TACO
class type inspect BELL
drop log