ACL Issues

worldmac1 (Posts: 121, Member)
Hi All,

I've been hitting the books pretty hard here lately (Odom, Lammle and Jeremy from CBT) and I was trying to test my knowledge on ACLs and NAT. It seems everything I do is wrong. I am using Packet Tracer 5.1 and was wondering if anyone else has had problems testing out ACLs in it.

I have my *.pkt file saved if someone would like to look at it. I bought the Lammle Fast Pass book and I am testing out figure 7.1 on page 326. Shoot me your email, and I will send it to you.

Thanks for your help!
Certs in Progress:

CCNP:Routing 300-101 15%
OIIIIIIIO

Comments

  • worldmac1 (Posts: 121, Member)
    Here are the commands I have used. See below:

    Lab_A(config)#access-list 10 deny 172.16.40.0 0.0.0.255
    Lab_A(config)#access-list 10 permit any

    Lab_A(config)#int fa 0/1
    Lab_A(config-if)#ip access-group 10 out

    I have attached a photo of the topology

    I am still able to ping all network connections after making the ACL entries above. I'm not sure why all PCs can ping one another when the ACL says to deny. I guess I'm reading something wrong or the Packet Tracer program is fouled up. I have my PKT file if someone wants to check out the configuration.
    [attachment: acl.JPG]
  • luke_bibby (Posts: 162, Member)
    Which interface is Lab_A's fa0/1 interface in the diagram?

    If fa0/1 is in the 172.. network, then it makes sense that hosts in the 192.. and 10.. networks should be able to ping the 172.. network, because the ACL is denying all traffic with a source address in 172.16.40.0/24.

    Conversely, if fa0/1 is in the 10.. or 192.. networks, and you're pinging from the router to any of the PCs not in the 172.. network, then the source address will be that of the outgoing interface and NOT the interface in the 172.. network.

    Hope that helped some.
  • tech-airman (Posts: 953, Member)
    worldmac1 wrote: »
    Hi All,

    I've been hitting the books pretty hard here lately (Odom, Lammle and Jeremy from CBT) and I was trying to test my knowledge on ACLs and NAT. It seems everything I do is wrong. I am using Packet Tracer 5.1 and was wondering if anyone else has had problems testing out ACLs in it.

    I have my *.pkt file saved if someone would like to look at it. I bought the Lammle Fast Pass book and I am testing out figure 7.1 on page 326. Shoot me your email, and I will send it to you.

    Thanks for your help!

    worldmac1,

    What is the goal of the ACL?
    1. Allow everyone, except?
    2. Block everyone, except?
  • mikej412 (Posts: 10,090, Member)
    worldmac1 wrote: »
    I am still able to ping all network connections after making the ACL lists above
    I'm assuming that FA0/1 is that 172.16.40.254 interface....

    Traffic sourced from PC Finance at 172.16.40.1 is going IN the 172.16.40.254 interface

    Any traffic (and icmp echo-reply) sourced elsewhere to the 172.16.40.0 network goes OUT that 172.16.40.254 interface.
    :mike: Cisco Certifications -- Collect the Entire Set!
  • kryolla (Posts: 785, Member)
    Also, traffic generated by the router is not subject to the outbound ACL. Transit traffic leaving that interface sourced from network 172.16.40.x should be denied.
    Studying for CCIE and drinking Home Brew
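The two points made in the last replies (an outbound ACL on the 172.16.40.254 interface never sees traffic that *enters* that interface, and traffic the router itself originates is not checked against outbound ACLs) can be walked through with the following Python model. This is an added example, not code from the thread, from Cisco or from Packet Tracer. It assumes a constructed addressing plan matching mikej412's assumption: Lab_A has fa0/1 at 172.16.40.254/24 and fa0/0 at 10.1.1.1/24, with PC Finance at 172.16.40.1 and a host at 10.1.1.10. The ACL evaluation is a simplified model of IOS standard-ACL behaviour (wildcard masks, first match wins, implicit deny at the end); the `Router`, `parse_acl`, `ping` and scenario names are all invented for the example.

```python
import ipaddress
from dataclasses import dataclass

@dataclass
class AclEntry:
    """One line of a standard ACL: match on source address with a Cisco wildcard mask."""
    action: str    # "permit" or "deny"
    address: str
    wildcard: str  # 0 bits must match, 1 bits are "don't care"

    def matches(self, src_ip):
        care = ~int(ipaddress.IPv4Address(self.wildcard)) & 0xFFFFFFFF
        a = int(ipaddress.IPv4Address(self.address))
        return (a & care) == (int(ipaddress.IPv4Address(src_ip)) & care)

def parse_acl(lines):
    """Parse 'access-list N permit|deny <addr> [wildcard]', '... any' and '... host <addr>'."""
    entries = []
    for line in lines:
        parts = line.lower().split()
        action, target = parts[2], parts[3]
        if target == "any":
            entries.append(AclEntry(action, "0.0.0.0", "255.255.255.255"))
        elif target == "host":
            entries.append(AclEntry(action, parts[4], "0.0.0.0"))
        else:
            entries.append(AclEntry(action, target, parts[4] if len(parts) > 4 else "0.0.0.0"))
    return entries

def evaluate(entries, src_ip):
    """First matching entry wins; an unmatched packet hits the implicit deny at the end."""
    for e in entries:
        if e.matches(src_ip):
            return e.action
    return "deny"

class Router:
    # Minimal transit model: 'in' ACL on the ingress interface, 'out' ACL on the egress interface.
    def __init__(self, interfaces):
        # interfaces: {"fa0/1": ("172.16.40.254", 24), ...} (constructed for this example)
        self.ifaces = {n: ipaddress.ip_interface(f"{ip}/{plen}") for n, (ip, plen) in interfaces.items()}
        self.groups = {}  # (interface, "in"|"out") -> entries, i.e. 'ip access-group N in|out'

    def access_group(self, iface, direction, entries):
        self.groups[(iface, direction)] = entries

    def _iface_for(self, ip):
        for name, addr in self.ifaces.items():
            if ipaddress.IPv4Address(ip) in addr.network:
                return name
        raise ValueError(f"no connected route to {ip}")

    def forward(self, src, dst, router_generated=False):
        """Return ('permit'|'deny', [(iface, direction, verdict), ...]) for one packet."""
        checks = []
        if not router_generated:
            # Transit traffic enters on the interface facing its source; apply that 'in' ACL.
            in_if = self._iface_for(src)
            acl = self.groups.get((in_if, "in"))
            if acl:
                checks.append((in_if, "in", evaluate(acl, src)))
                if checks[-1][2] == "deny":
                    return "deny", checks
        out_if = self._iface_for(dst)
        acl = self.groups.get((out_if, "out"))
        if acl and not router_generated:  # router-originated traffic skips outbound ACLs
            checks.append((out_if, "out", evaluate(acl, src)))
            if checks[-1][2] == "deny":
                return "deny", checks
        return "permit", checks

def ping(router, src, dst):
    """A ping succeeds only if the echo request is forwarded and the echo reply comes back."""
    req, req_checks = router.forward(src, dst)
    if req == "deny":
        return False, req_checks
    rep, rep_checks = router.forward(dst, src)
    return rep == "permit", req_checks + rep_checks

# The ACL from the thread, exactly as posted.
ACL10 = parse_acl(["access-list 10 deny 172.16.40.0 0.0.0.255", "access-list 10 permit any"])

def build_lab_a():
    # Constructed addressing: fa0/1 is the 172.16.40.254 interface, fa0/0 faces a 10.1.1.0/24 LAN.
    return Router({"fa0/0": ("10.1.1.1", 24), "fa0/1": ("172.16.40.254", 24)})

def ping_from_finance(direction):
    # ACL 10 on fa0/1 in the given direction; PC Finance (172.16.40.1) pings 10.1.1.10.
    # 'out' (as posted): the request enters fa0/1 unchecked, the reply leaves it via 'permit any'.
    # 'in': the request is dropped as it enters fa0/1.
    r = build_lab_a()
    r.access_group("fa0/1", direction, ACL10)
    return ping(r, "172.16.40.1", "10.1.1.10")

def router_vs_transit():
    # ACL 10 'out' on fa0/0: a transit host in 172.16.40.0/24 is denied, but a packet the router
    # itself sources from 172.16.40.254 (as with an extended ping) is not subject to that ACL.
    r = build_lab_a()
    r.access_group("fa0/0", "out", ACL10)
    host, _ = r.forward("172.16.40.1", "10.1.1.10")
    rtr, _ = r.forward("172.16.40.254", "10.1.1.10", router_generated=True)
    return host, rtr
```

`ping_from_finance("out")` reproduces the thread: the ping succeeds and the only ACL check that ever happens is on the echo reply, which matches `permit any`. `ping_from_finance("in")` shows the same two lines doing what the poster expected once the access-group direction is `in`, and `router_vs_transit()` returns `("deny", "permit")`, which is kryolla's caveat that router-sourced packets bypass an outbound ACL while transit traffic does not.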