Help... ACLs CCNA

Hello you all...
I am almost half way through my CCNA certification and I am just about to do
my 11th exam so that I can then take my final CCNA2 module exam.
I have got a question that is haunting me.

Here is the scenario;

Network 1 =
Router1 =
PC1 =

Network 2 =
Router2 =
PC2 =
PC3 =
PC4 =

In the router 2 in the S0/0 interface I have the following ACLs.
access-list 1 deny host
access-list 1 permit any

I have applied it to the interface using ip access-group 1 out

When I try to ping the pcs 2 and 3 from pc1 I have got no problem.
When I try to ping the pc 1 from pc 4 there is no connection as stated in
the ACLs so, so far so good, the ACL is doing what it is supposed to do, it's
blocking pc 4 from accessing the network

Why doesn't pc 4 reply to a ping request when I try to ping it from pc1? I
have got no INBOUND access lists in the S0/0 of router2 so shouldn't it
respond to the ping request?

To you all out there, thanks for any help as it is duly appreciated.

Arruda, C

Re: Help... ACLs CCNA

PC4 will not reply to PC1. This is working as designed. When PC1 pings
PC4, PC1 is sending an ICMP Echo Request to PC4. The ICMP packet is
getting there to PC4. You can test this and verify by using packet
capture software on PC4. PC4 is trying to reply to PC1 using an ICMP
Echo Reply. However, R2 is dropping all outbound traffic from PC4 on
its S0/0 interface. In other words, you only have 1-way communication.

To enable ICMP traffic through, you would have to modify your
access-list to allow it. However, you would then have to use an extended
ACL as Standard ACLs don't allow you to specify protocol type.

Hope this answers your question.


Re: Help... ACLs CCNA
Hello Riot,

It certainly does answer my question. I did think that I needed to use an
extended ACL to achieve this. I used the following;

Extended IP access list 101
    permit icmp any any echo-reply (5 match(es))
    permit ip any (3 match(es))
    deny ip any any (7 match(es))

Now it works fine and using packet tracer it was just as you have said, the
pc4 did get the icmp request but couldn't reply to it as router2 was
dropping it at port s0/0.

Thanks ever so much.
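
The behaviour worked out in this thread, as an added example that is not from any of the posters: a small Python model of first-match ACL evaluation on Router2's S0/0 in the outbound direction. All addresses are constructed (the thread's own are not shown), and the extended list is a constructed variant, not the posted access list 101.

```python
import ipaddress

# Constructed addressing: the thread's real addresses are not shown on the page.
NET2 = "192.168.2.0/24"                      # LAN behind Router2
PC1, PC2, PC4 = "192.168.1.10", "192.168.2.20", "192.168.2.40"

def matches(spec, addr):
    """spec is 'any' or a CIDR string."""
    return spec == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(spec)

def evaluate(acl, pkt):
    """First matching entry wins; no match means the implicit deny."""
    for action, proto, src, dst, icmp_type in acl:
        if proto not in ("ip", pkt["proto"]):
            continue
        if icmp_type is not None and icmp_type != pkt["icmp_type"]:
            continue
        if matches(src, pkt["src"]) and matches(dst, pkt["dst"]):
            return action
    return "deny"

# Standard ACL 1 as in the question: it can only test the source address.
ACL_1 = [("deny", "ip", PC4 + "/32", "any", None),
         ("permit", "ip", "any", "any", None)]

# Constructed extended variant (assumption, not the posted list 101):
# echo replies are permitted before PC4 is denied.
ACL_EXT = [("permit", "icmp", "any", "any", "echo-reply"),
           ("deny", "ip", PC4 + "/32", "any", None),
           ("permit", "ip", "any", "any", None)]

def ping(acl, src, dst):
    """Trace request and reply past Router2 S0/0, filtered outbound only."""
    request = {"proto": "icmp", "icmp_type": "echo-request", "src": src, "dst": dst}
    reply = {"proto": "icmp", "icmp_type": "echo-reply", "src": dst, "dst": src}
    for name, pkt in (("request", request), ("reply", reply)):
        # Only packets leaving Network 2 exit through S0/0 and meet the ACL.
        outbound = matches(NET2, pkt["src"]) and not matches(NET2, pkt["dst"])
        if outbound and evaluate(acl, pkt) == "deny":
            return name + " dropped"
    return "success"

if __name__ == "__main__":
    for acl_name, acl in (("ACL 1", ACL_1), ("extended", ACL_EXT)):
        for src, dst in ((PC1, PC2), (PC1, PC4), (PC4, PC1)):
            print(acl_name, src, "->", dst, ":", ping(acl, src, dst))
```

With the standard list the request reaches PC4 and only the reply is lost; with the extended variant PC4 can answer pings but still cannot start one.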
