Help... ACLs CCNA

Hello you all... I am almost halfway through my CCNA certification and I am just about to do my 11th exam so that I can then take my final CCNA2 module exam. I have got a question that is haunting me.

Here is the scenario:

Network 1 = 192.168.100.0/24
  Router1 = 192.168.100.254 255.255.255.0
  PC1 = 192.168.100.1 255.255.255.0

Network 2 = 12.0.0.0/8
  Router2 = 12.0.0.254 255.0.0.0
  PC2 = 12.0.0.1 255.0.0.0
  PC3 = 12.0.0.2 255.0.0.0
  PC4 = 12.0.0.3 255.0.0.0

On Router2, on the S0/0 interface, I have the following ACL:

  access-list 1 deny host 12.0.0.3
  access-list 1 permit any

I have applied it to the interface using ip access-group 1 out.

When I try to ping PCs 2 and 3 from PC1 I have got no problem. When I try to ping PC1 from PC4 there is no connection, as stated in the ACL, so far so good: the ACL is doing what it is supposed to do, it's blocking PC4 from accessing network 192.168.100.0.

Why doesn't PC4 reply to a ping request when I try to ping it from PC1? I have got no INBOUND access lists on the S0/0 of Router2, so shouldn't it respond to the ping request?

To you all out there, thanks for any help as it is duly appreciated.

Cheers, Arruda, C


Arruda,

PC4 will not reply to PC1. This is working as designed. When PC1 pings PC4, PC1 is sending an ICMP Echo Request to PC4. The ICMP packet is getting there to PC4. You can test this and verify by using packet capture software on PC4. PC4 is trying to reply to PC1 using an ICMP Echo Reply. However, R2 is dropping all outbound traffic from PC4 on its S0/0 interface. In other words, you only have 1-way communication.

To enable ICMP traffic through, you would have to modify your access-list to allow it. However, you would then have to use an extended ACL as Standard ACLs don't allow you to specify protocol type.

Hope this answers your question.

-Riot


Hello Riot,

It certainly does answer my question. I did think that I needed to use an extended ACL to achieve this. I used the following:

  Extended IP access list 101
    permit icmp any any echo-reply (5 match(es))
    permit ip 12.0.0.0 0.0.0.255 any (3 match(es))
    deny ip any any (7 match(es))

Now it works fine, and using Packet Tracer it was just as you said: PC4 did get the ICMP request but couldn't reply to it, as Router2 was dropping it at port S0/0.

Thanks ever so much. Arruda
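As an added illustration, not part of the thread, here is a small Python model of Cisco first-match ACL evaluation on Router2's S0/0 outbound direction for the flows discussed above: ACL 1 as posted, ACL 101 as posted (wildcard as written), and a hypothetical ACL 102 of my own that keeps the original block on PC4 while letting its echo replies through. The addresses come from the thread; the ACL 102 entries and the wildcard matching helper are my assumptions.

```python
import ipaddress

# Constructed hosts taken from the thread's scenario
PC1, PC4 = "192.168.100.1", "12.0.0.3"

def wc_match(addr, net, wildcard):
    """Cisco wildcard mask: a 0 bit must match, a 1 bit is 'don't care'."""
    a, n, w = (int(ipaddress.IPv4Address(x)) for x in (addr, net, wildcard))
    return (a & ~w & 0xFFFFFFFF) == (n & ~w & 0xFFFFFFFF)

# ACE = (action, proto, src, src_wc, dst, dst_wc, icmp_type); None means "any"
ACL_1 = [  # the thread's standard ACL
    ("deny",   "ip", "12.0.0.3", "0.0.0.0", None, None, None),
    ("permit", "ip", None, None, None, None, None),
]
ACL_101 = [  # the extended ACL posted in the thread, wildcard as written
    ("permit", "icmp", None, None, None, None, "echo-reply"),
    ("permit", "ip", "12.0.0.0", "0.0.0.255", None, None, None),
    ("deny",   "ip", None, None, None, None, None),
]
ACL_102 = [  # hypothetical: replies pass, PC4 still cannot start conversations
    ("permit", "icmp", None, None, None, None, "echo-reply"),
    ("deny",   "ip", "12.0.0.3", "0.0.0.0", None, None, None),
    ("permit", "ip", None, None, None, None, None),
]

def acl_decision(acl, pkt):
    """First matching entry wins; every Cisco ACL ends with an implicit deny."""
    for action, proto, src, swc, dst, dwc, itype in acl:
        if proto != "ip" and proto != pkt["proto"]:
            continue
        if src is not None and not wc_match(pkt["src"], src, swc):
            continue
        if dst is not None and not wc_match(pkt["dst"], dst, dwc):
            continue
        if itype is not None and itype != pkt.get("icmp_type"):
            continue
        return action
    return "deny"

def icmp(src, dst, itype):
    return {"proto": "icmp", "src": src, "dst": dst, "icmp_type": itype}

def ping_results(acl):
    """(PC1->PC4 ping works, PC4->PC1 ping works) with `acl` applied OUT on R2 S0/0.
    Only packets leaving R2 toward network 1 are filtered; there is no inbound ACL."""
    # PC1's request enters S0/0 unfiltered; only PC4's echo reply is checked.
    pc1_pings_pc4 = acl_decision(acl, icmp(PC4, PC1, "echo-reply")) == "permit"
    # PC4's own request leaves via S0/0 and is checked; PC1's reply comes back unfiltered.
    pc4_pings_pc1 = acl_decision(acl, icmp(PC4, PC1, "echo")) == "permit"
    return pc1_pings_pc4, pc4_pings_pc1
```

Running ping_results on each ACL shows the one-way case (ACL 1), the posted ACL 101 letting PC4 initiate as well as reply, and ACL 102 restoring replies while keeping PC4 blocked.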

