Ext access list issue
brewoz40
Member Posts: 57
in CCNA & CCENT
I'm practicing setting up an extended access list and it's not working. I don't think the syntax is incorrect, but here's the scenario:
Router 4, fa0/0 10.10.8.0 /22, s0/0 10.10.52.20 /30, s0/1 10.10.52.4 /30, s1/2 10.10.52.8 /30.
I'm trying to deny access from a specific PC which resides on the LAN subnet off of fa0/0. The specific IP address of the PC is 10.10.8.10, and I'm trying to deny it access to the WAN link off s0/0, which is configured with the IP 10.10.52.21. Here is what I put for the commands:
access-list 150 deny ip host 10.10.8.10 10.10.52.21 0.0.0.0
access-list 150 permit ip any any
int fa0/0
ip access-group 150 in
Not sure why it wouldn't work using the above. I understand that with an extended access list you want to apply it as closely as possible to the source; that's why I applied it to the fa0/0 interface that the PC resides on. When the router receives the packet and checks the access list, it should be denied access to the WAN link and not be forwarded, correct? I've got it to work in a sense that I can get it to not reach the far end of the link:
access-list 150 deny ip host 10.10.8.10 10.10.52.22 0.0.0.0
access-list 150 permit ip any any
int s0/1/0
ip access-group 150 out
Any help is greatly appreciated.
Comments
hexem Member Posts: 177
Are you using a simulator?
There's nothing wrong with the syntax, and yes, ACLs are checked before the packet gets sent to an outbound interface.
ICND1 - Passed 25/01/10
ICND2 - Passed 9/03/10
Studying CCNA:S
kalebksp Member Posts: 1,033
How are you testing whether the ACL is working?
Is 10.10.52.21 the IP address of s0/0? If so, that ACL only denies traffic from your host to that IP address, not the entire link. If you wanted to deny it from accessing any device on the link you would use "access-list 150 deny ip host 10.10.8.10 10.10.52.20 0.0.0.3", though traffic could still traverse the link.
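To make the wildcard-mask point concrete, here is a small Python simulator of how an IOS numbered extended ACL is evaluated: top-down, first matching entry wins, implicit deny at the end, and each address test compares only the bits where the wildcard mask has a 0. This is an added example written for this thread, not IOS code and not anything the poster ran; it is deliberately limited to `ip` entries with `any`, `host A`, or `A WILDCARD` address specs, and the two ACLs below are the ones quoted in the thread. Running it shows why the original entry (`10.10.52.21 0.0.0.0`) lets 10.10.8.10 reach the far end of the link at 10.10.52.22 while the corrected entry (`10.10.52.20 0.0.0.3`) covers every address in the /30.

```python
import ipaddress

# Constructed from the thread: the ACL that did not work, and the corrected one.
ORIGINAL_ACL = [
    "access-list 150 deny ip host 10.10.8.10 10.10.52.21 0.0.0.0",
    "access-list 150 permit ip any any",
]
CORRECTED_ACL = [
    "access-list 150 deny ip host 10.10.8.10 10.10.52.20 0.0.0.3",
    "access-list 150 permit ip any any",
]

ALL_ONES = 0xFFFFFFFF


def _ip_int(text):
    return int(ipaddress.IPv4Address(text))


def _parse_addr(tokens, i):
    """Consume one address spec at tokens[i]: 'any', 'host A', or 'A WILDCARD'.
    Returns ((address_int, wildcard_int), index_of_next_token)."""
    tok = tokens[i]
    if tok == "any":                       # any == 0.0.0.0 255.255.255.255
        return (0, ALL_ONES), i + 1
    if tok == "host":                      # host A == A 0.0.0.0
        return (_ip_int(tokens[i + 1]), 0), i + 2
    return (_ip_int(tok), _ip_int(tokens[i + 1])), i + 2


def parse_ace(line):
    """Parse 'access-list N {permit|deny} ip SRC DST' into a dict.
    Only the plain 'ip' protocol form is supported (no ports, no log keyword)."""
    t = line.split()
    if len(t) < 6 or t[0] != "access-list" or t[3] != "ip":
        raise ValueError(f"unsupported ACE: {line}")
    if t[2] not in ("permit", "deny"):
        raise ValueError(f"bad action in ACE: {line}")
    src, i = _parse_addr(t, 4)
    dst, _ = _parse_addr(t, i)
    return {"action": t[2], "src": src, "dst": dst}


def _matches(spec, ip_text):
    """Wildcard semantics: a 1 bit in the wildcard means 'don't care'.
    Compare only the bits where the wildcard is 0."""
    addr, wild = spec
    care = ~wild & ALL_ONES
    return (_ip_int(ip_text) & care) == (addr & care)


def evaluate(acl_lines, src_ip, dst_ip):
    """Evaluate a packet against the ACL: first matching entry wins,
    and an unmatched packet hits the implicit 'deny any any' at the end."""
    for line in acl_lines:
        ace = parse_ace(line)
        if _matches(ace["src"], src_ip) and _matches(ace["dst"], dst_ip):
            return ace["action"]
    return "deny"


def compare_acls(src_ip, dst_ip):
    """Return (original_result, corrected_result) for one packet."""
    return evaluate(ORIGINAL_ACL, src_ip, dst_ip), evaluate(CORRECTED_ACL, src_ip, dst_ip)


if __name__ == "__main__":
    # The traffic the poster was trying to stop: the PC to the far end of the link.
    for dst in ("10.10.52.21", "10.10.52.22", "10.10.52.20", "10.10.52.23", "10.10.52.25"):
        print(f"10.10.8.10 -> {dst}: original={compare_acls('10.10.8.10', dst)[0]:6} "
              f"corrected={compare_acls('10.10.8.10', dst)[1]}")
    # A different host on the LAN is untouched by either ACL.
    print("10.10.8.11 -> 10.10.52.22:", compare_acls("10.10.8.11", "10.10.52.22"))
```

The 0.0.0.3 wildcard matches 10.10.52.20 through 10.10.52.23, so both router ends of the /30 are covered; a destination outside that range, such as 10.10.52.25, is still permitted by both ACLs, which is kalebksp's point that traffic can still traverse the link on its way elsewhere.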
brewoz40 Member Posts: 57
Thanks!!! That worked! I didn't even think about using that wildcard mask for some reason. Makes sense, that blocks it from that entire subnet, not just the IP. Thanks for the help!!