ACL Question

brewoz40brewoz40 Posts: 57Member ■■□□□□□□□□
I'm using packet tracer and I configured a very basic standard acl as follows:
deny host 192.168.20.20
permit any
It's applied on the s0/0 int incoming. Now the question i have is that the lan attached to this router on fa0/1 (R3), 192.168.3.0 /24, has a PC with the IP 192.168.3.50. Now, the acl does what it's suppose to and blocks the host with the 192.168.20.20 from coming in, but i noticed that now the computer on the .3.0 /24 network can't reach that computer either with this acl in place. Is this a packet tracer thing or is this correct? From my understanding, this acl only inspects incoming packets, not out going, there for it should not deny the host on the .3 network from pinging the 192.168.20.20 computer, the acl should only deny the .20.20 host from accessing the .3 network coming in. Am I missing something? Hope this makes sense!

Comments

  • notgoing2failnotgoing2fail Posts: 1,138Member
    Run debugs on both hosts.

    What's probably happening is that you are indeed pinging that address but that host is unable to respond back due to the ACL.

    So the pings are getting there. (echo request)

    But the replies (echo reply) are not....
  • fly351fly351 Posts: 360Member
    Sounds like notgoing2fail nailed it. Replies are also checked against the ACL, which is another reason why standard ACL's fail :)

    Try the "simulation mode" on packet tracer, you will be able to see the packet's path through the network and where it is failing.
    CCNP :study:
  • brewoz40brewoz40 Posts: 57Member ■■□□□□□□□□
    Right on!! Didn't even think about the reply coming back and then getting denied by the ACL. Thanks for the info and help! i ran the network simulation and the ping made it to the host but the reply was then blocked at the s0/1 int. Appreciate the knowledge!!!
  • alan2308alan2308 Senior Member Ann Arbor, MIPosts: 1,854Member ■■■■■■■■□□
    brewoz40 wrote: »
    Right on!! Didn't even think about the reply coming back and then getting denied by the ACL. Thanks for the info and help! i ran the network simulation and the ping made it to the host but the reply was then blocked at the s0/1 int. Appreciate the knowledge!!!

    The old ping getting there but not getting back bit will come back to haunt you in hundreds of different situations besides ACL's (missing default gateways come to mind immediately). This is definitely something that you want to have sink in quickly. icon_mrgreen.gif
Sign In or Register to comment.