Official Lammle User Forum

  1. #1

    Default Pinging with Access-List

    First, please excuse me for copying from another post, but it is the same area I need help with. In this setup it reads that the users on the Sales LAN should not have access to the Finance LAN, but they should be able to access the Internet and the marketing department files.

    The Sales LAN is on interface f0/0
    The Finance LAN is on interface 0/1 /24
    The Marketing LAN is on f1/0 /24

    The access list reads:

    Lab_A#config t
    Lab_A(config)#access-list 10 deny
    Lab_A(config)#access-list 10 permit any

    He goes on to apply it to the f0/1 interface out.

    Lab_A(config)#int fa0/1
    Lab_A(config-if)#ip access-group 10 out

    I'm using Packet Tracer and have created the same setup, but my problem is that from a CPE in the Finance dept it times out to only the Sales dept... I can't ping to the Sales dept when I put my access-list on that port as an outbound list? From the Sales dept I get a destination unreachable, as I believe it should, and it will ping to the Marketing dept. Any clue what I'm doing wrong? I followed the commands exactly.
    Last edited by cableguy3443; 03-14-2012 at 09:48 PM.

  2. #2


    Yes, you shouldn't be able to ping from Finance back into Sales because the ping reaches Sales, but the ping response is dropped on the return trip by the ACL. To permit Finance to access Sales while denying Sales access to Finance, you'd need an extended ACL and more rules.
    Last edited by gabrielshorn; 03-14-2012 at 10:18 PM.

  3. #3


    How can I test it then? Makes perfect sense... LMAO, I should have got it. I just need to find a way in that doesn't require a return trip for testing. Thanks again.
    Last edited by cableguy3443; 03-14-2012 at 10:56 PM.

  4. #4


    Instead of using a Standard ACL, use an Extended ACL and permit ICMP, deny everything else.
    A+, Network+, CCNA
    A spark of encouragement can ignite great endeavors

  5. #5


    I'm not sure what you're saying, CableGuy. If you want to just allow Finance to ping Sales, I'd change the outbound access-list on fa0/1 to an extended one that looks something like this:

    access-list 100 permit icmp any echo-reply
    access-list 100 deny ip any

    If the goal is for Finance to have complete access to Sales without Sales having any access to Finance, then I'd put the following INBOUND on the Sales fa0/0 interface:

    access-list 100 permit tcp any any established
    access-list 100 permit icmp any echo-reply
    access-list 100 deny ip any
    access-list 100 permit ip any any

    This isn't perfect, as Finance wouldn't be able to connect to UDP-based services in Sales.
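
The behaviour discussed in this thread, as an added example that is not part of any post: a small Python model of first-match, stateless ACL evaluation applied outbound on fa0/1, comparing the standard list 10 with an extended list that permits ICMP echo-reply. The subnets, host addresses, function names and the final `permit ip any any` rule are assumptions made for the example, since the thread's real addresses are not shown.

```python
from ipaddress import ip_address, ip_network

# Constructed addressing; the thread's real subnets are not shown on the page.
SALES = ip_network("10.0.1.0/24")    # behind fa0/0
FINANCE = ip_network("10.0.2.0/24")  # behind fa0/1
ANY = ip_network("0.0.0.0/0")

# Rule: (action, protocol, source, destination, icmp_type); None matches anything.
STANDARD_10 = [("deny", None, SALES, ANY, None),
               ("permit", None, ANY, ANY, None)]
EXTENDED_100 = [("permit", "icmp", SALES, FINANCE, "echo-reply"),
                ("deny", None, SALES, FINANCE, None),
                ("permit", None, ANY, ANY, None)]  # assumed trailing permit

def acl_permits(acl, pkt):
    """First matching rule wins; no match falls through to the implicit deny."""
    for action, proto, src, dst, icmp_type in acl:
        if (proto in (None, pkt["proto"])
                and ip_address(pkt["src"]) in src
                and ip_address(pkt["dst"]) in dst
                and icmp_type in (None, pkt.get("icmp_type"))):
            return action == "permit"
    return False

def egress_if(pkt):
    """Hypothetical routing: Finance destinations leave via fa0/1, all else fa0/0."""
    return "fa0/1" if ip_address(pkt["dst"]) in FINANCE else "fa0/0"

def forward(acl, pkt):
    """The ACL is applied outbound on fa0/1 only, as in the thread."""
    return egress_if(pkt) != "fa0/1" or acl_permits(acl, pkt)

def ping(acl, src, dst):
    """A ping succeeds only if both the request and the reply are forwarded."""
    request = {"proto": "icmp", "icmp_type": "echo", "src": src, "dst": dst}
    reply = {"proto": "icmp", "icmp_type": "echo-reply", "src": dst, "dst": src}
    if not forward(acl, request):
        return "request dropped"
    if not forward(acl, reply):
        return "reply dropped"
    return "success"

if __name__ == "__main__":
    for name, acl in (("standard 10", STANDARD_10), ("extended 100", EXTENDED_100)):
        print(name, "Finance->Sales:", ping(acl, "10.0.2.10", "10.0.1.10"))
        print(name, "Sales->Finance:", ping(acl, "10.0.1.10", "10.0.2.10"))
```

Because the match is stateless, the extended list forwards any echo-reply from Sales to Finance, whether or not Finance sent a request first.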
