Getting frustrated with ACL's

longhorn79 (Member, Posts: 48)
Hey fellas,
I have been working on this lab and I feel that ACLs are kicking my butt. In this lab I have to deny certain LANs and permit a few.
Here is a copy of my lab and a few of the criteria:
All traffic from LAN 2, LAN 3, LAN 4 must be blocked from accessing LAN 5 using an Access Control List (ACL).
LAN 1 will have access to LAN 5.
Deny access from LAN 3 and LAN 4 to LAN 1 and LAN 2.
All LANs should have access to the Internet Server.
Now I set up everything to the best of my knowledge, but it seems that something is fishy.
For example, in my lab I have student hosts that have to be denied access to the staff networks. I have been able to achieve that, but once I do that the staff networks can't access their networks. This is where I am scratching my head.

Any help would be nice and appreciated

ACL Lab.pkt - 4shared.com - online file sharing and storage
2012/2013 Certification Goals:
ICND1: Work in progress
ICND2: depends on ICND1
70-640 AD: if I have time

Comments

  • Ltat42a (Member, Posts: 587)
    Looking at your topology now, what are the console, telnet, and enable passwords?
  • longhorn79 (Member, Posts: 48)
    Pass: cisco
    Enable: class
  • Ltat42a (Member, Posts: 587)
    Thanks. Check your IPs between Accounting & Master; they're both set to 192.168.0.162/30.
    I changed Master to 192.168.0.161.
  • longhorn79 (Member, Posts: 48)
    Thanks, I fixed that error.
  • Ltat42a (Member, Posts: 587)
    On the Accounting router, list your "permit" statements first.
  • longhorn79 (Member, Posts: 48)
    User Access Verification

    Password:

    Accounting>ena
    Password:
    Accounting#show access-list
    Standard IP access list 1
    permit host 10.10.10.2
    permit host 192.168.0.30
    Accounting#

    I went ahead and removed the deny, thinking that the implicit deny would clear any problems.
  • spd3432 (Member, Posts: 224)
    longhorn79,

    I loaded your file and fixed the IP on the interface on Master.
    I removed your existing ACLs -- your note said you needed to block the "LAN", not the single host (you have room to add 29 more hosts to each LAN segment).
    I then attempted to ping from the "internet" to each of the PCs. This was successful.
    Pinging from the PCs to the "internet" mostly got "destination host unreachable" until I added default static routes on 2 of the 3 LAN routers using the connection on "master" as the default connection (e.g. ip route 0.0.0.0 0.0.0.0 192.168.0.165). I think only "staff" had a default route.
    I then went back to your requirements you listed above and wrote it down --
    LAN5 -- block all traffic from LANs 2, 3, and 4
    LAN1 -- block all traffic from LANs 3 and 4
    LAN2 -- block all traffic from LANs 3 and 4
    All other traffic is permitted.

    I wrote ACLs to conform to those requirements and placed them outbound on the interfaces of the LAN segments into which traffic is being denied.
    I did a show run on "staff". These are the relevant parts of the configuration shown:
    interface FastEthernet0/0
    ip address 192.168.0.1 255.255.255.224
    ip access-group 50 out
    duplex auto
    speed auto

    access-list 50 remark Blocks access to LAN 1 from LANS 3 and 4
    access-list 50 deny 192.168.0.64 0.0.0.31
    access-list 50 deny 192.168.0.96 0.0.0.31
    access-list 50 permit any

    I'll leave you to figure out the remaining ACLs (and for everyone else to pick apart my solution :D ). However, LAN1 can ping LAN5, LAN3 can ping LAN4, all PCs can ping the internet, and traffic is blocked where you stated in your requirements.
    ----CCNP goal----
    Route [ ] Studying
    Switch [ ] Next
    Tshoot [ ] Eventually
  • longhorn79 (Member, Posts: 48)
    Thanks for all the help. I was able to get the ACL going, but I think Packet Tracer is a bit limited. Once I put in a deny for a network, I'm not able to ping that host with a host that has permissions. For example, the host Administrator can't ping LAN 3 or LAN 4 after I apply the ACL to deny those LANs on the router staff. It's not part of the criteria, but I would have thought it would be possible.

    Once again thanks for all your help
  • spd3432 (Member, Posts: 224)
    OK. So you want to be able to get ping replies. I'm not sure you can do that with standard ACLs; however, extended ACLs will do the job.
    I removed the existing ACLs from the interfaces but left the ACLs intact in case I decide to use them later.
    The book says you should normally place extended ACLs as close to source as possible.

    I logged in to "Students" and created the following:

    access-list 120 remark Block traffic from LAN4 into LANs 1, 2, and 5 except echo-reply
    access-list 120 permit icmp any any echo-reply
    access-list 120 deny ip 192.168.0.96 0.0.0.31 192.168.0.0 0.0.0.31
    access-list 120 deny ip 192.168.0.96 0.0.0.31 192.168.0.32 0.0.0.31
    access-list 120 deny ip 192.168.0.96 0.0.0.31 192.168.0.128 0.0.0.31
    access-list 120 permit ip any any

    Applied it to the inbound interface for LAN 4 (int f0/0 -- ip access-group 120 in)

    I can ping from "Administrators" to "First Year".
    IP Address......................: 192.168.0.30
    Subnet Mask.....................: 255.255.255.224
    Default Gateway.................: 192.168.0.1

    PC>ping -n 1 192.168.0.126
    Pinging 192.168.0.126 with 32 bytes of data:
    Reply from 192.168.0.126: bytes=32 time=125ms TTL=126

    From "First Year" I can ping "Internet" but cannot ping "Administrator"

    PC>ipconfig
    IP Address......................: 192.168.0.126
    Subnet Mask.....................: 255.255.255.224
    Default Gateway.................: 192.168.0.97

    PC>ping -n 1 10.10.10.2
    Pinging 10.10.10.2 with 32 bytes of data:
    Reply from 10.10.10.2: bytes=32 time=124ms TTL=126

    Ping statistics for 10.10.10.2:
    Packets: Sent = 1, Received = 1, Lost = 0 (0% loss),
    Approximate round trip times in milli-seconds:
    Minimum = 124ms, Maximum = 124ms, Average = 124ms

    PC>ping -n 1 192.168.0.30
    Pinging 192.168.0.30 with 32 bytes of data:
    Reply from 192.168.0.97: Destination host unreachable.
    Ping statistics for 192.168.0.30:
    Packets: Sent = 1, Received = 0, Lost = 1 (100% loss),

    You'd need to create the other ACLs and place them where appropriate. As always, I welcome more experienced folks than I to pick this apart.
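The two answers above hinge on the same mechanism: an ACL is read top to bottom, the first matching entry wins, and a list with no match ends in an implicit deny. A standard ACL can only look at the source address, so access-list 50 placed outbound toward LAN 1 also drops the echo replies that LAN 4 hosts send back to Administrator, which is exactly the symptom longhorn79 reported. Extended access-list 120 lists "permit icmp any any echo-reply" first, so the replies are matched before the deny lines. The Python below is an added illustration of that evaluation order, not code from the thread or from IOS; it implements wildcard-mask matching and first-match lookup for only the syntax forms that appear in the two ACLs (any, host, network plus wildcard, remark, an optional ICMP type name), and it models interface direction simply by evaluating only the packets that would actually cross each ACL where spd3432 applied it. The ICMP type names "echo" and "echo-reply" and the sample packets are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Packet:
    src: str
    dst: str
    proto: str = "ip"                 # "ip" (anything) or "icmp"
    icmp_type: Optional[str] = None   # "echo" or "echo-reply" when proto == "icmp" (constructed names)


@dataclass
class Entry:
    action: str                 # "permit" or "deny"
    proto: Optional[str]        # None for a standard ACL, which matches on source address only
    src: str
    src_wc: str
    dst: str
    dst_wc: str
    icmp_type: Optional[str]


def wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    """Cisco wildcard semantics: a 0 bit in the wildcard must match, a 1 bit is ignored."""
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(addr)) & care) == (int(ipaddress.IPv4Address(network)) & care)


def _parse_addr(tok: List[str], i: int):
    """Consume one address spec starting at tok[i]; return (network, wildcard, next_index)."""
    if tok[i] == "any":
        return "0.0.0.0", "255.255.255.255", i + 1
    if tok[i] == "host":
        return tok[i + 1], "0.0.0.0", i + 2
    if i + 1 < len(tok):                    # network followed by its wildcard mask
        return tok[i], tok[i + 1], i + 2
    return tok[i], "0.0.0.0", i + 1         # bare address at the end of a standard entry = one host


def parse_acl(text: str) -> List[Entry]:
    """Parse 'access-list N ...' lines in configuration order; order is what first-match acts on."""
    entries = []
    for line in text.strip().splitlines():
        tok = line.split()
        if len(tok) < 4 or tok[0] != "access-list" or tok[2] == "remark":
            continue
        number, action = int(tok[1]), tok[2]
        if number <= 99 or 1300 <= number <= 1999:   # standard ACL: source address only
            src, wc, _ = _parse_addr(tok, 3)
            entries.append(Entry(action, None, src, wc, "0.0.0.0", "255.255.255.255", None))
        else:                                         # extended ACL: protocol, source, destination
            src, swc, i = _parse_addr(tok, 4)
            dst, dwc, i = _parse_addr(tok, i)
            entries.append(Entry(action, tok[3], src, swc, dst, dwc, tok[i] if i < len(tok) else None))
    return entries


def evaluate(acl: List[Entry], pkt: Packet) -> str:
    """Return the action of the first matching entry, or 'deny' (the implicit deny) if none matches."""
    for e in acl:
        if e.proto not in (None, "ip") and e.proto != pkt.proto:
            continue
        if not wildcard_match(pkt.src, e.src, e.src_wc):
            continue
        if e.proto is not None and not wildcard_match(pkt.dst, e.dst, e.dst_wc):
            continue
        if e.icmp_type is not None and e.icmp_type != pkt.icmp_type:
            continue
        return e.action
    return "deny"


# The two ACLs exactly as spd3432 posted them.
ACL_50 = """
access-list 50 remark Blocks access to LAN 1 from LANS 3 and 4
access-list 50 deny 192.168.0.64 0.0.0.31
access-list 50 deny 192.168.0.96 0.0.0.31
access-list 50 permit any
"""
ACL_120 = """
access-list 120 remark Block traffic from LAN4 into LANs 1, 2, and 5 except echo-reply
access-list 120 permit icmp any any echo-reply
access-list 120 deny ip 192.168.0.96 0.0.0.31 192.168.0.0 0.0.0.31
access-list 120 deny ip 192.168.0.96 0.0.0.31 192.168.0.32 0.0.0.31
access-list 120 deny ip 192.168.0.96 0.0.0.31 192.168.0.128 0.0.0.31
access-list 120 permit ip any any
"""

# Hosts from the thread: Administrator (LAN 1), First Year (LAN 4), the Internet server.
ADMIN, FIRST_YEAR, INTERNET = "192.168.0.30", "192.168.0.126", "10.10.10.2"


def demo() -> dict:
    """Evaluate only the packets that cross each ACL given where it was applied:
    ACL 50 is 'out' on the staff router's LAN 1 interface, so it sees traffic leaving toward LAN 1;
    ACL 120 is 'in' on the Students router's LAN 4 interface, so it sees traffic arriving from LAN 4."""
    acl50, acl120 = parse_acl(ACL_50), parse_acl(ACL_120)
    return {
        # Administrator pings First Year: the request never crosses ACL 50, but the reply does
        "acl50 echo-reply LAN4->LAN1": evaluate(acl50, Packet(FIRST_YEAR, ADMIN, "icmp", "echo-reply")),
        # First Year pings Administrator: the request is denied on its way into the Students router
        "acl120 echo LAN4->LAN1": evaluate(acl120, Packet(FIRST_YEAR, ADMIN, "icmp", "echo")),
        # First Year answers Administrator's ping: the reply hits the echo-reply permit first
        "acl120 echo-reply LAN4->LAN1": evaluate(acl120, Packet(FIRST_YEAR, ADMIN, "icmp", "echo-reply")),
        # First Year pings the Internet server: no deny matches, so 'permit ip any any' applies
        "acl120 echo LAN4->internet": evaluate(acl120, Packet(FIRST_YEAR, INTERNET, "icmp", "echo")),
    }


if __name__ == "__main__":
    for label, verdict in demo().items():
        print(f"{label:32} {verdict}")
```

Running it shows ACL 50 returning deny for the echo reply heading to Administrator, while ACL 120 denies the LAN 4 echo request, permits the echo reply, and permits the ping to the Internet server. The same evaluate() call with an empty list returns deny, which is the implicit deny longhorn79 was counting on when the deny line was removed on Accounting.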
  • longhorn79 (Member, Posts: 48)
    WOW, all I have to say is you have gone above and beyond helping me out. I was looking at extended ACLs, but I thought it was a bit overwhelming. You definitely have made this a bit clearer. Can't wait to look at this at home after my grueling 12-hour shift.

    Thanks Again