ACL Question

I'm using packet tracer and I configured a very basic standard acl as follows:
deny host 192.168.20.20
permit any
It's applied on the s0/0 int incoming. Now the question i have is that the lan attached to this router on fa0/1 (R3), 192.168.3.0 /24, has a PC with the IP 192.168.3.50. Now, the acl does what it's suppose to and blocks the host with the 192.168.20.20 from coming in, but i noticed that now the computer on the .3.0 /24 network can't reach that computer either with this acl in place. Is this a packet tracer thing or is this correct? From my understanding, this acl only inspects incoming packets, not out going, there for it should not deny the host on the .3 network from pinging the 192.168.20.20 computer, the acl should only deny the .20.20 host from accessing the .3 network coming in. Am I missing something? Hope this makes sense!

Find more posts tagged with

SAVE $250 on Your CISCO Boot Camp — Use Code "EXAM26"

Exclusively for TechExams members for Infosec Boot Camps starting before April 30, 2026

View CISCO Boot Camps

Comments

notgoing2fail

Run debugs on both hosts.

What's probably happening is that you are indeed pinging that address but that host is unable to respond back due to the ACL.

So the pings are getting there. (echo request)

But the replies (echo reply) are not....

fly351

Sounds like notgoing2fail nailed it. Replies are also checked against the ACL, which is another reason why standard ACL's fail

Try the "simulation mode" on packet tracer, you will be able to see the packet's path through the network and where it is failing.

brewoz40

Right on!! Didn't even think about the reply coming back and then getting denied by the ACL. Thanks for the info and help! i ran the network simulation and the ping made it to the host but the reply was then blocked at the s0/1 int. Appreciate the knowledge!!!

alan2308

brewoz40 wrote: »

Right on!! Didn't even think about the reply coming back and then getting denied by the ACL. Thanks for the info and help! i ran the network simulation and the ping made it to the host but the reply was then blocked at the s0/1 int. Appreciate the knowledge!!!

The old ping getting there but not getting back bit will come back to haunt you in hundreds of different situations besides ACL's (missing default gateways come to mind immediately). This is definitely something that you want to have sink in quickly.