ACL Issues
worldmac1
Member Posts: 121 ■■■□□□□□□□
in CCNA & CCENT
Hi All,
I've been hitting the books pretty hard here lately (Odom, Lammle and Jeremy from CBT), and I was trying to test my knowledge on ACLs and NAT. It seems everything I do is wrong. I am using Packet Tracer 5.1 and was wondering if anyone else has had problems testing out ACLs in it.
I have my *.pkt file saved if someone would like to look at it. I bought the Lammle Fast Pass book and I am testing out figure 7.1 on page 326. Shoot me your email, and I will send it to you.
Thanks for your help!
Certs in Progress:
CCNP:Routing 300-101 15%
OIIIIIIIO
Comments
-
worldmac1 Member Posts: 121 ■■■□□□□□□□
Here are the commands I have used. See below:
Lab_A(Config)#Access-List 10 deny 172.16.40.0 0.0.0.255
Lab_A(Config)#Access-List 10 permit any
Lab_A(Config)#int fa 0/1
Lab_A(Config-if)#ip access-group 10 out
I have attached a photo of the topology
I am still able to ping all network connections after making the ACL lists above. I'm not sure as to why all PCs can ping one another when the ACL says to deny. I guess I'm reading something wrong or the Packet Tracer program is fouled up. I have my PKT file if someone wants to check out the configuration.
-
luke_bibby Member Posts: 162
Which interface is Lab_A's fa0/1 interface in the diagram?
If fa0/1 is in the 172.. network, then it makes sense that hosts in the 192.. and 10.. networks should be able to ping the 172.. network, because the ACL is denying all traffic with a source address in 172.16.40.0/24.
Conversely, if fa0/1 is in the 10.. or 192.. networks, and you're pinging from the router to any of the PCs not in the 172.. network, then the source address will be that of the outgoing interface and NOT the interface in the 172.. network.
Hope that helped some.
-
tech-airman Member Posts: 953
worldmac1,
What is the goal of the ACL?
- Allow everyone, except?
- Block everyone, except?
-
mikej412 Member Posts: 10,086 ■■■■■■■■■■
"I am still able to ping all network connections after making the ACL lists above"
Traffic sourced from PC Finance at 172.16.40.1 is going IN the 172.16.40.254 interface.
Any traffic (and icmp echo-reply) sourced elsewhere to the 172.16.40.0 network goes OUT that 172.16.40.254 interface.
-
kryolla Member Posts: 785
Also, traffic generated by the router is not subject to the outbound ACL. Transit traffic leaving that interface sourced from network 172.16.40.x should be denied.
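
The behaviour the replies above describe, modelled as an added example (not part of any poster's message): a standard ACL tests only the source address, and only at the interface and direction it is bound to. It assumes fa0/1 is the 172.16.40.254 interface, as one reply implies; fa0/0, the 192.168.10.0/24 subnet and the host addresses other than 172.16.40.1 are constructed for illustration.

```python
import ipaddress

# ACL 10 as posted: (action, address, wildcard). Standard ACLs test the SOURCE only.
ACL_10 = [("deny", "172.16.40.0", "0.0.0.255"),
          ("permit", "0.0.0.0", "255.255.255.255")]   # "permit any"

# Assumed topology: fa0/1 owns 172.16.40.254; fa0/0 and 192.168.10.0/24 are made up.
INTERFACES = {"fa0/1": ipaddress.ip_network("172.16.40.0/24"),
              "fa0/0": ipaddress.ip_network("192.168.10.0/24")}

AS_POSTED = {("fa0/1", "out"): ACL_10}   # ip access-group 10 out
INBOUND = {("fa0/1", "in"): ACL_10}      # same list bound inbound, for contrast

def acl_match(acl, src):
    """First matching entry wins; an ACL ends with an implicit deny."""
    s = int(ipaddress.ip_address(src))
    for action, addr, wildcard in acl:
        care = ~int(ipaddress.ip_address(wildcard)) & 0xFFFFFFFF  # 0 bits must match
        if s & care == int(ipaddress.ip_address(addr)) & care:
            return action
    return "deny"

def iface_for(ip):
    """Interface whose connected subnet contains ip."""
    addr = ipaddress.ip_address(ip)
    return next(n for n, net in INTERFACES.items() if addr in net)

def forward(src, dst, bindings, in_if="auto"):
    """Verdict for one packet. in_if=None means the router itself generated it."""
    if in_if == "auto":
        in_if = iface_for(src)
    out_if = iface_for(dst)
    acl = bindings.get((in_if, "in"))
    if acl and acl_match(acl, src) == "deny":
        return in_if, out_if, "deny"
    acl = bindings.get((out_if, "out"))
    if acl and in_if is not None:        # outbound ACLs skip router-generated packets
        return in_if, out_if, acl_match(acl, src)
    return in_if, out_if, "permit"

def ping(a, b, bindings):
    """A ping succeeds only if the echo and the echo-reply both pass."""
    return forward(a, b, bindings)[2] == "permit" and forward(b, a, bindings)[2] == "permit"

if __name__ == "__main__":
    print(ping("172.16.40.1", "192.168.10.1", AS_POSTED))   # PC Finance to a constructed host
    print(ping("172.16.40.1", "192.168.10.1", INBOUND))
```

With the list bound outbound as posted, the echo enters fa0/1 and the reply leaving fa0/1 carries a 192.168.10.x source, so neither packet hits the deny entry; bound inbound on the same interface, the echo from 172.16.40.1 is dropped.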