Official Lammle User Forum

  1. #1
    Join Date
    Feb 2012
    Posts
    79

    Pinging with Access-List

    First, please excuse me for copying from another post, but it is the same area I need help with. In this setup it reads that the users on the Sales LAN should not have access to the Finance LAN, but they should be able to access the Internet and the marketing department files.

    The Sales LAN is on interface f0/0 172.16.40.0/24
    The Finance LAN is on interface 0/1 172.16.50.0/24
    The Marketing LAN is on f1/0 172.16.60.0/24

    The access list reads:

    Lab_A#config t
    Lab_A(config)#access-list 10 deny 172.16.40.0 0.0.0.255
    Lab_A(config)#access-list 10 permit any

    He goes on to apply it to the f0/1 interface out.

    Lab_A(config)#int fa0/1
    Lab_A(config-if)#ip access-group 10 out

    I'm using Packet Tracer and have created the same setup, but my problem is that from a CPE in the Finance dept it times out to only the Sales dept... I can't ping to the Sales dept when I put my access-list on that port as an outbound list? From the Sales dept I get a destination unreachable, as I believe it should, and it will ping to the Marketing dept. Any clue what I'm doing wrong? I followed the commands exactly.
    Last edited by cableguy3443; 03-14-2012 at 09:48 PM.

  2. #2
    Join Date
    Jul 2008
    Posts
    211


    Yes, you shouldn't be able to ping from Finance back into Sales because the ping reaches Sales, but the ping response is dropped on the return trip by the ACL. To permit Finance to access Sales while denying Sales access to Finance, you'd need an extended ACL and more rules.
    Last edited by gabrielshorn; 03-14-2012 at 10:18 PM.

  3. #3
    Join Date
    Feb 2012
    Posts
    79


    How can I test it then? Makes perfect sense... LMAO, I should have got that... Now I just need to find a way in that doesn't require a return trip for testing. Thanks again.
    Last edited by cableguy3443; 03-14-2012 at 10:56 PM.

  4. #4
    Join Date
    Jun 2010
    Location
    Right here
    Posts
    456


    Instead of using a Standard ACL, use an Extended ACL and permit ICMP, deny everything else.
    A+, Network+, CCNA, CCNP/Data Center wannabe
    A spark of encouragement can ignite great endeavors

  5. #5
    Join Date
    Jul 2008
    Posts
    211


    I'm not sure what you're saying, CableGuy. If you want to just allow Finance to ping Sales, I'd change the outbound access-list on fa0/1 to an extended one that looks something like this:

    access-list 100 permit icmp 192.168.40.0 0.0.0.255 any echo-reply
    access-list 100 deny ip 192.168.40.0 0.0.0.255 any

    If the goal is for Finance to have complete access to Sales without Sales having any access to Finance, then I'd put the following INBOUND on the Sales fa0/0 interface:

    access-list 100 permit tcp any any established
    access-list 100 permit icmp any 192.168.50.0 0.0.0.255 echo-reply
    access-list 100 deny ip any 192.168.50.0 0.0.0.255
    access-list 100 permit ip any any

    This isn't perfect, as Finance wouldn't be able to connect to UDP-based services in Sales.
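
The behaviour discussed in this thread, as an added example that is not part of any post: a small first-match ACL evaluator run over constructed packets, comparing the standard ACL 10 from post #1 with the second extended ACL 100 from post #5. It assumes the 172.16.x.0/24 subnets from post #1 in place of the 192.168.x.0 addresses in post #5, and all host addresses and helper names are made up for illustration.

```python
from ipaddress import ip_address, ip_network
# Subnets from post #1; using them in ACL 100 instead of 192.168.x.0 is an assumption.
ANY = ip_network("0.0.0.0/0")
SALES = ip_network("172.16.40.0/24")
FINANCE = ip_network("172.16.50.0/24")

def ace(action, proto="ip", src=ANY, dst=ANY, icmp=None, established=False):
    return dict(action=action, proto=proto, src=src, dst=dst, icmp=icmp, established=established)

def pkt(proto, src, dst, icmp=None, ack=False):
    return dict(proto=proto, src=ip_address(src), dst=ip_address(dst), icmp=icmp, ack=ack)

def evaluate(acl, p):
    """First matching entry wins; no match falls through to the implicit deny."""
    for e in acl:
        if e["proto"] not in ("ip", p["proto"]):
            continue
        if p["src"] not in e["src"] or p["dst"] not in e["dst"]:
            continue
        if e["icmp"] and e["icmp"] != p["icmp"]:
            continue
        if e["established"] and not p["ack"]:  # simplified: IOS matches ACK or RST
            continue
        return e["action"]
    return "deny"

# Post #1: standard ACL 10, outbound on fa0/1 (towards Finance). Matches source only.
ACL10_OUT_FA01 = [ace("deny", src=SALES), ace("permit")]

# Post #5, second suggestion: extended ACL 100, inbound on fa0/0 (arriving from Sales).
ACL100_IN_FA00 = [
    ace("permit", "tcp", established=True),
    ace("permit", "icmp", dst=FINANCE, icmp="echo-reply"),
    ace("deny", dst=FINANCE),
    ace("permit"),
]

# Constructed sample packets (host addresses are hypothetical).
SALES_PC, FIN_PC, MKT_PC = "172.16.40.10", "172.16.50.10", "172.16.60.10"
reply_to_finance = pkt("icmp", SALES_PC, FIN_PC, icmp="echo-reply")  # answer to Finance's ping
echo_from_sales = pkt("icmp", SALES_PC, FIN_PC, icmp="echo")         # Sales pinging Finance
tcp_syn_from_sales = pkt("tcp", SALES_PC, FIN_PC)                    # Sales opening a session
tcp_ack_from_sales = pkt("tcp", SALES_PC, FIN_PC, ack=True)          # return traffic of a Finance session
udp_reply_from_sales = pkt("udp", SALES_PC, FIN_PC)                  # reply from a UDP service in Sales
sales_to_marketing = pkt("icmp", SALES_PC, MKT_PC, icmp="echo")

if __name__ == "__main__":
    print("ACL 10 out fa0/1, echo-reply Sales->Finance:", evaluate(ACL10_OUT_FA01, reply_to_finance))
    print("ACL 100 in fa0/0, same packet:", evaluate(ACL100_IN_FA00, reply_to_finance))
```

The standard ACL denies the echo-reply because it only looks at the source address, which is why the ping from Finance times out; the extended list lets that reply through while still denying new traffic from Sales to Finance, and it drops the UDP reply as post #5 notes.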
