
ACL help

Yes, I am stuck again. With ACLs this time. I am just experimenting to try and get my head around ins, outs, closest to source, subnets etc.

I want PC1 (172.16.5.100) on R1 to not be able to receive packets from PC4 (172.16.25.100) on R4.

I put an access-list 1 deny 172.16.25.100 0.0.0.0 on R1.

I then placed that on R1's FA0/0 (connected to SW1 > PC1) with ip access-group 1 out. This would go to forward the packet to PC1 but then apply the ACL, match the source IP and discard the packet? (I realise this packet will traverse the network before being dropped, which is not best practice.)

So why when I ping 172.16.5.100 (PC1) from 172.16.25.100 (PC4) does it still work?


EDIT: Right, I changed the interface from the fa0/0 connected to the PC to the S0/1 connected to an intermediary router, and made it IN as it is incoming on that S0/1 and OUT of fa0/0.

This blocked the packets from PC4 (yay) BUT now I can't ping PC4 from PC1 (the other direction). Why is it matching the ACL when the source of PC1 isn't specified? I also have a permit any just behind the deny rule.

And why didn't the ACL on fa0/0 work?

Comments

  • EdTheLad Member Posts: 2,111
    It's blocking the return ping traffic; the return ping traffic has a destination IP of 172.16.5.100.
    Why don't you make an extended access-list that first allows ICMP and then blocks IP? Then the ping will work.
    Networking, sometimes I love it, mostly I hate it. It's all about the $$$$
  • Magic Johnson Member Posts: 414
    Oh wow. That's... actually fairly obvious now you've said that. Deary me.

    I'm not at extended yet; that's the next chapter. I was just labbing this one to make sure I understood before moving on. So I do understand it, but I just forgot how a ping works. /facepalm
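To make the exchange above concrete, here is a small Python model of IOS ACL evaluation, added to this thread as an illustration (it is not code from the thread, from Cisco, or from any IOS image). It implements wildcard-mask matching, top-down first-match evaluation with the implicit deny at the end, and the thread's topology: the list is applied inbound on R1's S0/1, so it only sees packets arriving from the R4 side. The assumption that everything behind S0/1 sits in 172.16.25.0/24, and the names `Packet`, `Entry`, `evaluate` and `ping`, are mine. It reproduces the original poster's result with standard ACL 1 (both directions fail because the echo reply is sourced from PC4), EdTheLad's extended list that permits ICMP before the deny, and, going one step beyond the thread, a variant that permits only echo replies so that PC4 still cannot ping PC1.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Hosts named in the thread
PC1 = "172.16.5.100"    # behind R1 fa0/0
PC4 = "172.16.25.100"   # behind R4, reached through R1 s0/1

ANY: Tuple[str, str] = ("0.0.0.0", "255.255.255.255")   # IOS "any"


def host(ip: str) -> Tuple[str, str]:
    """IOS 'host a.b.c.d' is the same as 'a.b.c.d 0.0.0.0'."""
    return (ip, "0.0.0.0")


def _ip2int(dotted: str) -> int:
    a, b, c, d = (int(x) for x in dotted.split("."))
    return (a << 24) | (b << 16) | (c << 8) | d


def wildcard_match(network: str, wildcard: str, addr: str) -> bool:
    """IOS wildcard-mask semantics: a 0 bit must match, a 1 bit is ignored."""
    care = ~_ip2int(wildcard) & 0xFFFFFFFF
    return ((_ip2int(network) ^ _ip2int(addr)) & care) == 0


@dataclass
class Packet:
    src: str
    dst: str
    proto: str = "ip"                 # "icmp", "tcp", "udp", ...
    icmp_type: Optional[str] = None   # "echo" or "echo-reply" for ICMP


@dataclass
class Entry:
    action: str                       # "permit" or "deny"
    proto: str = "ip"                 # "ip" matches every IP packet
    src: Tuple[str, str] = ANY        # (address, wildcard) as typed in IOS
    dst: Tuple[str, str] = ANY        # a standard ACL never looks at this
    icmp_type: Optional[str] = None


def evaluate(acl: List[Entry], pkt: Packet) -> str:
    """Top-down, first match wins; no match falls into the implicit 'deny any'."""
    for e in acl:
        if e.proto != "ip" and e.proto != pkt.proto:
            continue
        if e.icmp_type is not None and e.icmp_type != pkt.icmp_type:
            continue
        if not wildcard_match(*e.src, pkt.src):
            continue
        if not wildcard_match(*e.dst, pkt.dst):
            continue
        return e.action
    return "deny"


def _enters_r1_via_s01(p: Packet) -> bool:
    # Assumption about the lab: everything reached over s0/1 is in 172.16.25.0/24
    return wildcard_match("172.16.25.0", "0.0.0.255", p.src)


def ping(inbound_acl: List[Entry], src: str, dst: str) -> bool:
    """A ping succeeds only if the echo AND its reply both pass the ACL that is
    applied 'in' on R1 s0/1; packets leaving R1 through s0/1 are not filtered."""
    request = Packet(src, dst, "icmp", "echo")
    reply = Packet(dst, src, "icmp", "echo-reply")
    for p in (request, reply):
        if _enters_r1_via_s01(p) and evaluate(inbound_acl, p) == "deny":
            return False
    return True


# The original poster's standard ACL 1, now applied inbound on s0/1
STANDARD_ACL_1 = [
    Entry("deny", src=host(PC4)),
    Entry("permit"),                         # permit any
]

# EdTheLad's suggestion: allow ICMP first, then block the rest from PC4
EXTENDED_ALLOW_ICMP = [
    Entry("permit", proto="icmp"),
    Entry("deny", src=host(PC4)),
    Entry("permit"),
]

# Narrower variant (my addition): only replies, so PC4 still cannot ping PC1
EXTENDED_ECHO_REPLY_ONLY = [
    Entry("permit", proto="icmp", icmp_type="echo-reply"),
    Entry("deny", src=host(PC4)),
    Entry("permit"),
]

if __name__ == "__main__":
    for name, acl in (("standard 1", STANDARD_ACL_1),
                      ("icmp first", EXTENDED_ALLOW_ICMP),
                      ("echo-reply only", EXTENDED_ECHO_REPLY_ONLY)):
        print(f"{name:16} PC4->PC1: {ping(acl, PC4, PC1)}  PC1->PC4: {ping(acl, PC1, PC4)}")
```

Running it shows why the standard list breaks both directions: the reply to PC1's ping is a packet whose source is 172.16.25.100, which is exactly what `deny 172.16.25.100 0.0.0.0` matches, and a standard ACL has nothing but the source to look at. Permitting ICMP ahead of the deny restores the ping, but note that it also lets PC4's own echo requests through, which was the thing the original post wanted blocked; matching on the ICMP type keeps the original goal while still letting PC1's pings get answered.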
  • vishaw1986 Member Posts: 40
    You can achieve the same with CBAC.