Access List HELP needed big time...

Oh man! Ad-blocking software has been detected! :'(

This website is run by the community, for the community... and it needs advertisements in order to keep running. Blocking our ads means your killing our stats!
Please disable your ad-block, or become a premium member to hide all advertisements and this notice.

Hello everybody.
Just left the classroom and we are all clueless as to what to do here in this cenarion.
Here's what we have.

3 Networks
ADMIN = 192.168.0.32/27 - Default Gateway = 192.168.0.62/27
FINANCE = 192.168.0.64/27 - Default Gateway = 192.168.0.94/27
SALES = 192.168.0.96/27 - Default Gateway = 192.168.0.126/27

We want ADMIN to access with SALES and Vice Versa, but they can't access FINANCE.

I we block all inbound traffic on the routers interface that FINANCE is connect to it work but then we get no response to the ping requests from the FINANCE to the other networks.
If we then permit the ICMP on an access list we are allowing outside traffic to the FINANCE which we don't want.

How can this be done?
How can we allow ICMP to go through but only if traffic was originated on the FINANCE network?

This is what I have in my router here at home on packet tracer;

Router#sh run
Building configuration...

Current configuration : 975 bytes
!
version 12.2
no service password-encryption
!
hostname Router
!
!
!
!
!
ip ssh version 1
!
!
interface FastEthernet0/0
ip address 192.168.0.62 255.255.255.224
duplex auto
speed auto
!
interface FastEthernet1/0
ip address 192.168.0.94 255.255.255.224
ip access-group 1 out
duplex auto
speed auto
!
interface FastEthernet2/0
ip address 192.168.0.126 255.255.255.224
duplex auto
speed auto
!
ip classless
ip route 192.168.0.64 255.255.255.224 FastEthernet1/0
ip route 192.168.0.32 255.255.255.224 FastEthernet0/0
ip route 192.168.0.96 255.255.255.224 FastEthernet2/0
!
!
access-list 1 permit 192.168.0.32 0.0.0.31
access-list 1 permit 192.168.0.96 0.0.0.31
!
!
ip dhcp pool ADMIN
network 192.168.0.32 255.255.255.224
default-router 192.168.0.62
ip dhcp pool FINANCE
network 192.168.0.64 255.255.255.224
default-router 192.168.0.94
ip dhcp pool SALES
network 192.168.0.96 255.255.255.224
default-router 192.168.0.126
!
line con 0
line vty 0 4
login
!
!
end

Any comments well appreciated guys,
Cheers,

 

Oh man! Ad-blocking software has been detected! :'(

This website is run by the community, for the community... and it needs advertisements in order to keep running. Blocking our ads means your killing our stats!
Please disable your ad-block, or become a premium member to hide all advertisements and this notice.

The first thing to do is to clarify exactly what you want to do - your summary of the problem is not clear.

The above seems to mean, "let ADMIN and SALES communicate, but no traffic allowed to FINANCE'

It is very helpful to explicitly list exactly which networks can send traffic to which other networks. Then build the access-lists to match your list of requirements.

Spice_Weasel

 

Hello Spice_Weasel,

Yes, that is correct.
Allow trafic between ADMIN and SALES.
Allow trafic from FINANCE to all other networks. (SALES and ADMIN).
Deny trafic from other networks (SALES and ADMIN) to FINANCE.

When I use a deny all for FINANCE's router interface at the inbound I then am blocking all of it and when I try to ping any other network from FINANCE I get no repply as the icmp response is beeing blocke by the access list.

Any help appreciated greatly.

Cheers,

 

Extended access list.

 

Thanks BosonMichael, that's a start...

I shall head on to packet tracer and let you all know of my achievements...

 

...just enough to give you a push in the right direction. If I spell it all out for you, you won't learn where to find the info on your own, when you will (and you WILL) need it again. ;)

 

It's up and running as I wanted.
I can ping the pcs on the networks ADMIN and SALES from the FINANCE network.
I can't ping FINANCE from any of the other networks.

Had also to ad another line for it to allow DHCP repplies on the outbound for the FINANCE network.

Any more comments on this BosonMichael please?

Anything that I could do to make it better?

-----------------------------------------------------------------------------------------------

access-list 101 is aplied to outbound traffic
----------------------------------------------------------------
access-list 101 permit udp 192.168.0.64 0.0.0.31 eq 67 any eq 67
access-list 101 permit icmp any 192.168.0.64 0.0.0.31 echo-reply
access-list 101 deny ip any any



access-list 102 is applied to inbound traffic
------------------------------------------------------------------
access-list 102 permit ip any any

 

I guess I would need to know a bit of information about your router and your network... specifically, which interfaces are connected to which networks.

 

True, sorry.

ADMIN = 192.168.0.32/27 port fa0/0
FINANCE = 192.168.0.64/27 port fa1/0
SALES = 192.168.0.96/27 port fa2/0

I am using cisco's packet tracer for this.

 

And which access lists are applied to which interfaces?

 

Booth are applied to the same interface fa1/0
101 is to outbound trafic and 102 is to inbound trafic

 

I gotcha. Yep, that looks like it would work... can't think of anything that would make it better... it's applied on the interface that it makes most sense to apply it.

 

Cheers BosonMicheal and everybody that contributes for the forum.
Help is always appreciated.

Anybody know of some tests to pratise more ACLs?

 

I've got a bunch that I personally endorse... Worth every penny, in my opinion!

 

How can I get those and where and how much do they cost please?

 

If you want to practice the ACL i can give you an assigment question i had at university last semester together with the solution - packet tracer file to see if you get something more or less the same!! - im sure i was correct.... if you interested let me know!!

 

Click the little dude pointing at the paper!

Here he is again!

 

The access-list 102 which is applied to inbound traffic, it will allow FINANCE to have access to shared files on the other networks, am I right?

------------------------------------------------------------------
access-list 102 permit ip any any

 

Bring it on zimbo, I honestly need the practise mate, cheers

 

Complete kit for CCNA link seems to be brooken mate.

Selected product is not active in our e-commerce system and cannot be purchased.