extended access lists...

liven Member Posts: 918
Man I feel really retarded right now, but I just can't get my extended access lists to work...


Router A and B are connected THROUGH a switch. They are on the same VLAN and can ping each other, no problem.

So I am trying to block router A from pinging router B.


So I do this:

access-list 111 deny icmp host ROUTER_A host ROUTER_B
access-list 111 permit ip any any
int eth 0/0
ip access-group 111 out


layout of devices


router_a <-> switch <-> router_b

So after I apply the above access list I can still ping the other router....

What am I doing wrong? I am going nuts here.
encrypt the encryption, never mind my brain hurts.

Comments

  • networker050184 Mod Posts: 11,962
    What IP address are you using to ping from?
    An expert is a man who has made all the mistakes which can be made.
  • tech-airman Member Posts: 953
    liven wrote:
    Man I feel really retarded right now, but I just can't get my extended access lists to work...


    Router A and B are connected THROUGH a switch. They are on the same VLAN and can ping each other, no problem.

    So I am trying to block router A from pinging router B.


    So I do this:

    access-list 111 deny icmp host ROUTER_A host ROUTER_B
    access-list 111 permit ip any any
    int eth 0/0
    ip access-group 111 out


    layout of devices


    router_a <-> switch <-> router_b

    So after I apply the above access list I can still ping the other router....

    What am I doing wrong? I am going nuts here.

    liven,

    Your first access-list statement is too short. Type it out again, except add a '?' at the end. I hope this helps.
  • dtlokee Member Posts: 2,378
    Your problem lies in the fact that an outbound access list will not filter traffic that is originated from the router itself. Try creating an ACL on Router B denying ICMP (echo) from Router A to Router B.

    HTH
    The only easy day was yesterday!
  • liven Member Posts: 918
    Thanks to all that replied.

    Well I have been able to get standard access lists to work, it is just the extended access lists that are bugging me.

    I will try placing it on a different router and see if that helps.

    I was under the impression that extended access lists should be placed as close to the source as possible, which is why I placed it on the router that was generating the traffic. How can I get any closer than that?

    Also, would it have worked if I had used an inbound access list?
  • liven Member Posts: 918
    What IP address are you using to ping from?

    The ip of the interface the access list is applied to
  • Chris Knight Member Posts: 66
    liven wrote:
    Man I feel really retarded right now, but I just can't get my extended access lists to work...


    Router A and B are connected THROUGH a switch. They are on the same VLAN and can ping each other, no problem.

    So I am trying to block router A from pinging router B.


    So I do this:

    access-list 111 deny icmp host ROUTER_A host ROUTER_B
    access-list 111 permit ip any any
    int eth 0/0
    ip access-group 111 out


    layout of devices


    router_a <-> switch <-> router_b

    So after I apply the above access list I can still ping the other router....

    What am I doing wrong? I am going nuts here.

    liven,

    Your first access-list statement is too short. Type it out again, except add a '?' at the end. I hope this helps.



    Liven, since you're creating an extended ACL, you are correct to place it as close to the source as possible. Outbound is correct as well.
    You need to specify "echo" on your access-list:
    access-list 111 deny icmp host ROUTER_A host ROUTER_B echo
    access-list 111 permit ip any any
    int eth 0/0
    ip access-group 111 out
    "Self-realization. I was thinking of the immortal words of Socrates, when he said, "I drank what?"
    Chris Knight
    Real Genius
  • dtlokee Member Posts: 2,378
    liven wrote:
    Man I feel really retarded right now, but I just can't get my extended access lists to work...


    Router A and B are connected THROUGH a switch. They are on the same VLAN and can ping each other, no problem.

    So I am trying to block router A from pinging router B.


    So I do this:

    access-list 111 deny icmp host ROUTER_A host ROUTER_B
    access-list 111 permit ip any any
    int eth 0/0
    ip access-group 111 out


    layout of devices


    router_a <-> switch <-> router_b

    So after I apply the above access list I can still ping the other router....

    What am I doing wrong? I am going nuts here.

    liven,

    Your first access-list statement is too short. Type it out again, except add a '?' at the end. I hope this helps.



    Liven, since you're creating an extended ACL, you are correct to place it as close to the source as possible. Outbound is correct as well.
    You need to specify "echo" on your access-list:
    access-list 111 deny icmp host ROUTER_A host ROUTER_B echo
    access-list 111 permit ip any any
    int eth 0/0
    ip access-group 111 out

    When you deny ICMP without a particular ICMP type at the end it will deny all ICMP packets, including echo. Although this would be more specific than all of ICMP, his ACL will work without it.
  • liven Member Posts: 918
    dtlokee wrote:
    liven wrote:
    Man I feel really retarded right now, but I just can't get my extended access lists to work...


    Router A and B are connected THROUGH a switch. They are on the same VLAN and can ping each other, no problem.

    So I am trying to block router A from pinging router B.


    So I do this:

    access-list 111 deny icmp host ROUTER_A host ROUTER_B
    access-list 111 permit ip any any
    int eth 0/0
    ip access-group 111 out


    layout of devices


    router_a <-> switch <-> router_b

    So after I apply the above access list I can still ping the other router....

    What am I doing wrong? I am going nuts here.

    liven,

    Your first access-list statement is too short. Type it out again, except add a '?' at the end. I hope this helps.



    Liven, since you're creating an extended ACL, you are correct to place it as close to the source as possible. Outbound is correct as well.
    You need to specify "echo" on your access-list:
    access-list 111 deny icmp host ROUTER_A host ROUTER_B echo
    access-list 111 permit ip any any
    int eth 0/0
    ip access-group 111 out

    When you deny ICMP without a particular ICMP type at the end it will deny all ICMP packets, including echo. Although this would be more specific than all of ICMP, his ACL will work without it.


    Ok, I am a little more confused now. You say my ACL will work, but I thought it would not work on the traffic from the router it was on (outbound)...

    So will it work inbound?
  • geezer Member Posts: 136
    The access-list will work in the direction specified in the ip access-group command - outbound in this case.

    From what I understand the deny icmp will deny all ICMP messages (source quench etc) not just echo so is a sweeping deny if you like.
    I used to be undecided but now I'm not so sure.

    There are only 10 types of people in the world: Those who understand binary, and those who don't!
  • tube Member Posts: 36
    I had the same problem that you are having now. When I was sitting in the router - I mean I was in router console mode - I applied the outbound filter and the filter simply did not work.

    Firstly, if your question is to block router A from pinging router B.

    A ----> B

    If you are using standard ACL, then you should place your ACL at router B (close to the destination)

    If you are using extended ACL, then you should place your ACL at router A (close to the source)

    When you are in router A console mode and trying to ping router B, the outbound ACL that you have applied at router A will simply not work or filter. This is a quote from the book that I read: outbound access lists cannot filter packets originating from the router.

    I used Packet Tracer to create a simple network that can filter the outbound traffic. Network A - 172.16.20.0 cannot ping any hosts on network 172.16.10.0.


    That is what I know, I could be dead wrong, someone please correct me!
  • dtlokee Member Posts: 2,378
    What I meant was there is nothing wrong with the ACL you wrote; adding "echo" isn't going to make any difference. The problem still comes down to the fact that the router will not test packets that are originated by the router against the outbound ACL. The general rule is to place an extended ACL as close to the source as you can, but this should be amended in this case: place the extended ACL as close to the source as you can as long as it meets the required result. Placing it on router B is your only option (well, there is policy routing the ping packets through a loopback to make it work, but that is a little beyond the CCNA).
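    As an added illustration of dtlokee's point (config written for this thread, not posted by anyone in it), here are the two placements side by side; the interface name Ethernet0/0, the ROUTER_A/ROUTER_B address placeholders and the "log" keyword are assumptions:

```cisco
! Router A: the placement from the original post. The ping is generated
! by Router A itself, and IOS does not evaluate router-originated packets
! against an outbound ACL, so this deny never matches and the ping works.
access-list 111 deny icmp host ROUTER_A host ROUTER_B
access-list 111 permit ip any any
interface Ethernet0/0
 ip access-group 111 out
!
! Router B: the working placement. The echo request arrives from the
! switch on Router B's interface, so an inbound ACL is evaluated against
! it. "echo" narrows the deny to echo requests (without it every ICMP
! type is denied); "log" records each match so the block can be verified.
access-list 111 deny icmp host ROUTER_A host ROUTER_B echo log
access-list 111 permit ip any any
interface Ethernet0/0
 ip access-group 111 in
!
! Verification on Router B after a ping attempt from Router A:
!   show access-lists 111          -> the deny line shows "(N matches)"
!   show ip interface Ethernet0/0  -> reports the inbound access list 111
```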
  • liven Member Posts: 918
    Ok everyone,

    thank you VERY Much for your replies.

    Now, to take it up a level.

    I placed extended access lists on Router B, and then tried to ping from router A and it still didn't block....


    Grrr...
  • liven Member Posts: 918
    nevermind I got it working...

    man I am an idiot.

    Thanks everyone for the help!