Silly question??? Maybe..

I'm taking a CCNA course at a local Vo-Tech and one of my labs, (Virtual), had this in it as the way to configure an access list to deny tcp from a host with a 192.168.10.1 ip address. I configured the ACL as the lab instructed, see below, and was supposed to ping the router from Host B and receive a "Destination net unreachable", instead I received a reply. Below is what I submitted on feedback to the people running the V-lab but have not received a reply, and that was 3 days ago.

When configuring the router to deny tcp, the line says `access-list 111 deny tcp any 192.168.10.1 0.0.0.0 eq 7`. Should it read, ` access-list 111 deny tcp any 192.168.10.0 0.0.0.0 eq 7`? The first instance does not block TCP from Host B as I was able to receive replies from the router when pinging from Host B with this configuration. I changed it to the second instance and recieved the desired results, `Destination net unreachable`. Is this right or wrong.

Any input?

Thanks

Find more posts tagged with

Free for TechExams community: Cybersecurity salary guide

Compare cert salaries and plan your next career move

Button

Comments

malcybood

MrfixitRight wrote:

I'm taking a CCNA course at a local Vo-Tech and one of my labs, (Virtual), had this in it as the way to configure an access list to deny tcp from a host with a 192.168.10.1 ip address. I configured the ACL as the lab instructed, see below, and was supposed to ping the router from Host B and receive a "Destination net unreachable", instead I received a reply. Below is what I submitted on feedback to the people running the V-lab but have not received a reply, and that was 3 days ago.

When configuring the router to deny tcp, the line says `access-list 111 deny tcp any 192.168.10.1 0.0.0.0 eq 7`. Should it read, ` access-list 111 deny tcp any 192.168.10.0 0.0.0.0 eq 7`? The first instance does not block TCP from Host B as I was able to receive replies from the router when pinging from Host B with this configuration. I changed it to the second instance and recieved the desired results, `Destination net unreachable`. Is this right or wrong.

Any input?

Thanks

to block a machine from pinging i would use icmp, not TCP and apply it to int fa0 inbound

access-list 101 deny icmp any 192.168.10.1 0.0.0.0 echo
access-list 101 permit ip any any

int fa0/0
ip access-group 101 in

when you do this should get desired results

*****edit***** this is assuming you want to block all hosts on the fa0/0 segment.....

sprkymrk

MrfixitRight wrote:

an access list to deny tcp from a host with a 192.168.10.1 ip address. I configured the ACL as the lab instructed, see below,

`access-list 111 deny tcp any 192.168.10.1 0.0.0.0 eq 7`. Should it read, ` access-list 111 deny tcp any 192.168.10.0 0.0.0.0 eq 7`?

Not sure if you have a typo or if this could be your problem, but you state that you want to block tcp from a host, not to a host. So maybe it should read:

access-list 111 deny tcp 192.168.10.1 0.0.0.0 any eq 7

That way any packets coming from that source host (192.168.10.1) to any destination behind the router would be denied. Your second acl worked because you blocked any from accessing the entire class c subnet. Maybe I'm wrong, but just something that appeared funny to me.

MrfixitRight

sprkymrk wrote:

MrfixitRight wrote:

an access list to deny tcp from a host with a 192.168.10.1 ip address. I configured the ACL as the lab instructed, see below,

`access-list 111 deny tcp any 192.168.10.1 0.0.0.0 eq 7`. Should it read, ` access-list 111 deny tcp any 192.168.10.0 0.0.0.0 eq 7`?

Not sure if you have a typo or if this could be your problem, but you state that you want to block tcp from a host, not to a host. So maybe it should read:

access-list 111 deny tcp 192.168.10.1 0.0.0.0 any eq 7

That way any packets coming from that source host (192.168.10.1) to any destination behind the router would be denied. Your second acl worked because you blocked any from accessing the entire class c subnet. Maybe I'm wrong, but just something that appeared funny to me.

That is the way I configured it to start, "access-list 111 deny tcp any 192.168.10.1 0.0.0.0 eq 7", and I was still able to receive replies from the router. According to the lab, I should not have been able to reach the router from this host IP, but I did. That is what confused me, as they said your response from the router should be "destination net unreachable". I understand that it should work, but it didn't in the lab, unless the lab is messed up. Maybe I was unclear in my first post, sorry. Thanks for the feedback.

to block a machine from pinging i would use icmp, not TCP and apply it to int fa0 inbound

access-list 101 deny icmp any 192.168.10.1 0.0.0.0 echo
access-list 101 permit ip any any

int fa0/0
ip access-group 101 in

when you do this should get desired results

*****edit***** this is assuming you want to block all hosts on the fa0/0 segment.....

malcybood, the lab was not dealing with ICMP, just TCP. ICMP uses messages, not ports. TCP extended ACL's allow you to enter source and destination ports, ICMP lets you enter messages, i.e. "unreachable". This would not fit the lab I was doing. I suppose it was attempting to block a telnet session from the host to the router. But thanks for the input.

sprkymrk

Okay, I guess I don't understand your question then - but if you want to block packets from someone, that is your source. An ACL uses:

access-list name/# action protocol source destination port

So if you want to block packets from the host 192.168.10.1, then that should be listed as the source, not destination. If you wanted to block packets to 192.168.10.1, then it should be listed as you had it in your ACL, the destination.

As regarding malc's comment, we are wondering why you have the eq 7. If you wanted to block telnet only, you should have 23. But seriously, it's not often I use my CCNA stuff so maybe the old noggin is not recalling my ACLs properly. I'm sure Mike, Ed or one of the other Cisco experts will chime in and set us all straight.

MrfixitRight

sprkymrk wrote:

Okay, I guess I don't understand your question then - but if you want to block packets from someone, that is your source. An ACL uses:

access-list name/# action protocol source destination port

So if you want to block packets from the host 192.168.10.1, then that should be listed as the source, not destination. If you wanted to block packets to 192.168.10.1, then it should be listed as you had it in your ACL, the destination.

As regarding malc's comment, we are wondering why you have the eq 7. If you wanted to block telnet only, you should have 23. But seriously, it's not often I use my CCNA stuff so maybe the old noggin is not recalling my ACLs properly. I'm sure Mike, Ed or one of the other Cisco experts will chime in and set us all straight.

And then maybe the lab is just screwy.... not the first time I've found conflicts in the labs. Just wish I could get my hands on some REAL equipment!! (Not enough hours in the day for me to work and go to the school and spend SEVERAL hours on the routers!!) It's enough to make the time to get the V-Labs and read the chapters and take on-line practice exams!!!!!!! (Wish I was one of those RICH kids who had Daddy paying the way and doesn't have to WORK for a living! (Naw, I'm not bitter.) As for the lab, I get the gist of it, and have a handle on ACL's, at least for the exam. So I'm not going to sweat the small stuff. I just thought I would run this by the experts to see if this was a mistake or not. And I don't know why they put "eq 7" in the lab.... thanks all (I'll get off my soap box now...)

sprkymrk

No sweat. I always hate to leave something unanswered though, even if it is a screwy lab.

I still think we'll get some good input from an expert by tomorrow. Even if it's not a big deal for you, it will help others that are trying to learn ACL's too.

Thanks for posting!

EdTheLad

You want an access-list to deny tcp echo from host 192.168.10.1

Which would be
access-list 100 deny tcp host 192.168.10.1 any eq echo
access-list 100 permit ip any any

This tcp echo is not a standard ping which falls under icmp, it's used for a telnet echo which is used to troubleshoot tcp stacks.If you try a telnet 192.168.11.1 echo, this should be blocked, to block a regular ping you need icmp.

malcybood

MrfixitRight wrote:

malcybood, the lab was not dealing with ICMP, just TCP. ICMP uses messages, not ports. TCP extended ACL's allow you to enter source and destination ports, ICMP lets you enter messages, i.e. "unreachable". This would not fit the lab I was doing. I suppose it was attempting to block a telnet session from the host to the router. But thanks for the input.

my bad

didn't fully understand the way you worded the initial question

malc