
Access List HELP needed big time...

Discussion in 'Routing & Switching' started by albertc30, Jan 14, 2009.

  1. albertc30

    albertc30 Kilobyte Poster

    423
    1
    37
    Hello everybody.
    Just left the classroom and we are all clueless as to what to do here in this scenario.
    Here's what we have.

    3 Networks
    ADMIN = 192.168.0.32/27 - Default Gateway = 192.168.0.62/27
    FINANCE = 192.168.0.64/27 - Default Gateway = 192.168.0.94/27
    SALES = 192.168.0.96/27 - Default Gateway = 192.168.0.126/27

    We want ADMIN to access SALES and vice versa, but they can't access FINANCE.

    If we block all inbound traffic on the router's interface that FINANCE is connected to, it works, but then we get no response to the ping requests from FINANCE to the other networks.
    If we then permit ICMP in an access list, we are allowing outside traffic into FINANCE, which we don't want.

    How can this be done?
    How can we allow ICMP to go through but only if traffic was originated on the FINANCE network?

    This is what I have in my router here at home in Packet Tracer:

    Router#sh run
    Building configuration...

    Current configuration : 975 bytes
    !
    version 12.2
    no service password-encryption
    !
    hostname Router
    !
    !
    !
    !
    !
    ip ssh version 1
    !
    !
    interface FastEthernet0/0
    ip address 192.168.0.62 255.255.255.224
    duplex auto
    speed auto
    !
    interface FastEthernet1/0
    ip address 192.168.0.94 255.255.255.224
    ip access-group 1 out
    duplex auto
    speed auto
    !
    interface FastEthernet2/0
    ip address 192.168.0.126 255.255.255.224
    duplex auto
    speed auto
    !
    ip classless
    ip route 192.168.0.64 255.255.255.224 FastEthernet1/0
    ip route 192.168.0.32 255.255.255.224 FastEthernet0/0
    ip route 192.168.0.96 255.255.255.224 FastEthernet2/0
    !
    !
    access-list 1 permit 192.168.0.32 0.0.0.31
    access-list 1 permit 192.168.0.96 0.0.0.31
    !
    !
    ip dhcp pool ADMIN
    network 192.168.0.32 255.255.255.224
    default-router 192.168.0.62
    ip dhcp pool FINANCE
    network 192.168.0.64 255.255.255.224
    default-router 192.168.0.94
    ip dhcp pool SALES
    network 192.168.0.96 255.255.255.224
    default-router 192.168.0.126
    !
    line con 0
    line vty 0 4
    login
    !
    !
    end

    Any comments well appreciated, guys. :oops:
    Cheers,
     
    Certifications: CCNA
    WIP: 220-701 - A+
  2. Spice_Weasel

    Spice_Weasel Kilobyte Poster

    254
    45
    45
    The first thing to do is to clarify exactly what you want to do - your summary of the problem is not clear.

    The above seems to mean, "let ADMIN and SALES communicate, but no traffic allowed to FINANCE".

    It is very helpful to explicitly list exactly which networks can send traffic to which other networks. Then build the access-lists to match your list of requirements.

    Spice_Weasel
     
    Certifications: CCNA, CCNP, CCIP, JNCIA-ER, JNCIS-ER,MCP
    WIP: CCIE
  3. albertc30

    albertc30 Kilobyte Poster

    423
    1
    37
    Hello Spice_Weasel,

    Yes, that is correct.
    Allow traffic between ADMIN and SALES.
    Allow traffic from FINANCE to all other networks (SALES and ADMIN).
    Deny traffic from other networks (SALES and ADMIN) to FINANCE.

    When I use a deny all for FINANCE's router interface at the inbound, I am then blocking all of it, and when I try to ping any other network from FINANCE I get no reply, as the ICMP response is being blocked by the access list.

    Any help appreciated greatly.

    Cheers,
     
    Certifications: CCNA
    WIP: 220-701 - A+
  4. BosonMichael
    Highly Decorated Member Award

    BosonMichael Yottabyte Poster

    19,136
    462
    374
    Extended access list. :)
     
    Certifications: CISSP, MCSE+I, MCSE: Security, MCSE: Messaging, MCDST, MCDBA, MCTS, OCP, CCNP, CCDP, CCNA Security, CCNA Voice, CNE, SCSA, Security+, Linux+, Server+, Network+, A+
    WIP: Just about everything!
  5. albertc30

    albertc30 Kilobyte Poster

    423
    1
    37
    Thanks BosonMichael, that's a start...

    I shall head on to packet tracer and let you all know of my achievements...
     
    Certifications: CCNA
    WIP: 220-701 - A+
  6. BosonMichael
    Highly Decorated Member Award

    BosonMichael Yottabyte Poster

    19,136
    462
    374
    ...just enough to give you a push in the right direction. If I spell it all out for you, you won't learn where to find the info on your own, when you will (and you WILL) need it again. ;)
     
    Certifications: CISSP, MCSE+I, MCSE: Security, MCSE: Messaging, MCDST, MCDBA, MCTS, OCP, CCNP, CCDP, CCNA Security, CCNA Voice, CNE, SCSA, Security+, Linux+, Server+, Network+, A+
    WIP: Just about everything!
  7. albertc30

    albertc30 Kilobyte Poster

    423
    1
    37
    It's up and running as I wanted.
    I can ping the pcs on the networks ADMIN and SALES from the FINANCE network.
    I can't ping FINANCE from any of the other networks.

    I also had to add another line to allow DHCP replies on the outbound for the FINANCE network.

    Any more comments on this BosonMichael please?

    Anything that I could do to make it better?

    -----------------------------------------------------------------------------------------------

    access-list 101 is applied to outbound traffic
    ----------------------------------------------------------------
    access-list 101 permit udp 192.168.0.64 0.0.0.31 eq 67 any eq 67
    access-list 101 permit icmp any 192.168.0.64 0.0.0.31 echo-reply
    access-list 101 deny ip any any



    access-list 102 is applied to inbound traffic
    ------------------------------------------------------------------
    access-list 102 permit ip any any
     
    Certifications: CCNA
    WIP: 220-701 - A+
  8. BosonMichael
    Highly Decorated Member Award

    BosonMichael Yottabyte Poster

    19,136
    462
    374
    I guess I would need to know a bit of information about your router and your network... specifically, which interfaces are connected to which networks.
     
    Certifications: CISSP, MCSE+I, MCSE: Security, MCSE: Messaging, MCDST, MCDBA, MCTS, OCP, CCNP, CCDP, CCNA Security, CCNA Voice, CNE, SCSA, Security+, Linux+, Server+, Network+, A+
    WIP: Just about everything!
  9. albertc30

    albertc30 Kilobyte Poster

    423
    1
    37
    True, sorry.

    ADMIN = 192.168.0.32/27 port fa0/0
    FINANCE = 192.168.0.64/27 port fa1/0
    SALES = 192.168.0.96/27 port fa2/0

    I am using cisco's packet tracer for this.
     
    Certifications: CCNA
    WIP: 220-701 - A+
  10. BosonMichael
    Highly Decorated Member Award

    BosonMichael Yottabyte Poster

    19,136
    462
    374
    And which access lists are applied to which interfaces?
     
    Certifications: CISSP, MCSE+I, MCSE: Security, MCSE: Messaging, MCDST, MCDBA, MCTS, OCP, CCNP, CCDP, CCNA Security, CCNA Voice, CNE, SCSA, Security+, Linux+, Server+, Network+, A+
    WIP: Just about everything!
  11. albertc30

    albertc30 Kilobyte Poster

    423
    1
    37
    Both are applied to the same interface, fa1/0.
    101 is for outbound traffic and 102 is for inbound traffic.
     
    Certifications: CCNA
    WIP: 220-701 - A+
  12. BosonMichael
    Highly Decorated Member Award

    BosonMichael Yottabyte Poster

    19,136
    462
    374
    I gotcha. Yep, that looks like it would work... can't think of anything that would make it better... it's applied on the interface that it makes most sense to apply it.
     
    Certifications: CISSP, MCSE+I, MCSE: Security, MCSE: Messaging, MCDST, MCDBA, MCTS, OCP, CCNP, CCDP, CCNA Security, CCNA Voice, CNE, SCSA, Security+, Linux+, Server+, Network+, A+
    WIP: Just about everything!
  13. albertc30

    albertc30 Kilobyte Poster

    423
    1
    37
    Cheers BosonMichael and everybody that contributes to the forum.
    Help is always appreciated.

    Anybody know of some tests to practise more ACLs?
     
    Certifications: CCNA
    WIP: 220-701 - A+
  14. BosonMichael
    Highly Decorated Member Award

    BosonMichael Yottabyte Poster

    19,136
    462
    374
    I've got a bunch that I personally endorse... :deal Worth every penny, in my opinion! 8)
     
    Certifications: CISSP, MCSE+I, MCSE: Security, MCSE: Messaging, MCDST, MCDBA, MCTS, OCP, CCNP, CCDP, CCNA Security, CCNA Voice, CNE, SCSA, Security+, Linux+, Server+, Network+, A+
    WIP: Just about everything!
  15. albertc30

    albertc30 Kilobyte Poster

    423
    1
    37
    How can I get those and where and how much do they cost please?
     
    Certifications: CCNA
    WIP: 220-701 - A+
  16. zimbo
    Honorary Member

    zimbo Petabyte Poster

    5,215
    98
    181
    If you want to practice ACLs, I can give you an assignment question I had at university last semester, together with the solution (a Packet Tracer file), to see if you get something more or less the same!! I'm sure I was correct... if you're interested let me know!!
     
    Certifications: B.Sc, MCDST & MCSA
    WIP: M.Sc - Computer Forensics
  17. BosonMichael
    Highly Decorated Member Award

    BosonMichael Yottabyte Poster

    19,136
    462
    374
    Click the little dude pointing at the paper! :biggrin

    Here he is again! :deal
     
    Certifications: CISSP, MCSE+I, MCSE: Security, MCSE: Messaging, MCDST, MCDBA, MCTS, OCP, CCNP, CCDP, CCNA Security, CCNA Voice, CNE, SCSA, Security+, Linux+, Server+, Network+, A+
    WIP: Just about everything!
  18. albertc30

    albertc30 Kilobyte Poster

    423
    1
    37
    Access-list 102, which is applied to inbound traffic, will allow FINANCE to have access to shared files on the other networks, am I right?

    ------------------------------------------------------------------
    access-list 102 permit ip any any
     
    Certifications: CCNA
    WIP: 220-701 - A+
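As an added example (not code from the thread or from any of its participants), the following Python parses the two lists posted in post 7 in their IOS syntax and replays constructed packets through them as they are bound on fa1/0: list 102 for packets arriving from FINANCE, list 101 for packets leaving the router toward FINANCE. It also runs the same packets through a hypothetical variant of list 101 with a `permit tcp ... established` entry, which is what post 18's question about shared files (TCP, not ICMP) runs into: with the posted list, the SYN-ACK a file server sends back to FINANCE hits `deny ip any any`. The host addresses, ports and the `ACL_101_TCP` variant are assumptions for illustration; the `finance_filter` and `evaluate` helpers are mine, not IOS behaviour.

```python
import ipaddress
from dataclasses import dataclass

# The two lists exactly as posted in the thread (101 outbound, 102 inbound on fa1/0).
ACL_101 = """
access-list 101 permit udp 192.168.0.64 0.0.0.31 eq 67 any eq 67
access-list 101 permit icmp any 192.168.0.64 0.0.0.31 echo-reply
access-list 101 deny ip any any
"""
ACL_102 = "access-list 102 permit ip any any"

# Hypothetical variant (assumption, not from the thread): the classic IOS
# `established` entry lets TCP replies to sessions FINANCE opened come back.
# `established` only tests the ACK/RST flags; it is not connection tracking.
ACL_101_TCP = """
access-list 101 permit udp 192.168.0.64 0.0.0.31 eq 67 any eq 67
access-list 101 permit tcp any 192.168.0.64 0.0.0.31 established
access-list 101 permit icmp any 192.168.0.64 0.0.0.31 echo-reply
access-list 101 deny ip any any
"""

FINANCE_NET = ipaddress.IPv4Network("192.168.0.64/27")


@dataclass
class Packet:
    proto: str            # "icmp", "tcp" or "udp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    icmp_type: str = ""   # "echo" or "echo-reply" for ICMP packets
    ack: bool = False     # TCP ACK flag set (what `established` matches)


def _parse_addr(tokens):
    """Consume 'any' | 'host A' | 'A WILDCARD'; return ((addr, wildcard), rest)."""
    if tokens[0] == "any":
        return (0, 0xFFFFFFFF), tokens[1:]
    if tokens[0] == "host":
        return (int(ipaddress.IPv4Address(tokens[1])), 0), tokens[2:]
    return (int(ipaddress.IPv4Address(tokens[0])),
            int(ipaddress.IPv4Address(tokens[1]))), tokens[2:]


def _parse_port(tokens):
    """Consume an optional 'eq PORT'; return (port or None, rest)."""
    if tokens and tokens[0] == "eq":
        return int(tokens[1]), tokens[2:]
    return None, tokens


def parse_acl(text):
    """Parse numbered extended ACL lines (the subset used above) into entries."""
    entries = []
    for line in text.strip().splitlines():
        t = line.split()
        if not t or t[0] != "access-list":
            continue
        action, proto = t[2], t[3]
        src, rest = _parse_addr(t[4:])
        sport, rest = _parse_port(rest)
        dst, rest = _parse_addr(rest)
        dport, rest = _parse_port(rest)
        entries.append({
            "line": line.strip(), "action": action, "proto": proto,
            "src": src, "sport": sport, "dst": dst, "dport": dport,
            "icmp_type": rest[0] if proto == "icmp" and rest else None,
            "established": "established" in rest,
        })
    return entries


def _addr_match(spec, ip):
    """Wildcard-mask compare: bits set in the wildcard are ignored."""
    addr, wild = spec
    mask = 0xFFFFFFFF ^ wild
    return (int(ipaddress.IPv4Address(ip)) & mask) == (addr & mask)


def _matches(e, p):
    if e["proto"] != "ip" and e["proto"] != p.proto:
        return False
    if not (_addr_match(e["src"], p.src) and _addr_match(e["dst"], p.dst)):
        return False
    if e["sport"] is not None and e["sport"] != p.sport:
        return False
    if e["dport"] is not None and e["dport"] != p.dport:
        return False
    if e["icmp_type"] and e["icmp_type"] != p.icmp_type:
        return False
    if e["established"] and not p.ack:
        return False
    return True


def evaluate(entries, p):
    """First matching entry wins; every ACL ends with an implicit deny."""
    for e in entries:
        if _matches(e, p):
            return e["action"], e["line"]
    return "deny", "(implicit deny)"


def finance_filter(pkt, acl_out=ACL_101, acl_in=ACL_102):
    """Model fa1/0: a packet sourced in FINANCE is inbound (acl_in),
    a packet heading into FINANCE is outbound (acl_out). Returns the action."""
    if ipaddress.IPv4Address(pkt.src) in FINANCE_NET:
        return evaluate(parse_acl(acl_in), pkt)[0]
    return evaluate(parse_acl(acl_out), pkt)[0]


if __name__ == "__main__":
    cases = {  # constructed sample traffic
        "FINANCE pings ADMIN (echo)":          Packet("icmp", "192.168.0.70", "192.168.0.40", icmp_type="echo"),
        "ADMIN answers (echo-reply)":          Packet("icmp", "192.168.0.40", "192.168.0.70", icmp_type="echo-reply"),
        "SALES pings FINANCE (echo)":          Packet("icmp", "192.168.0.100", "192.168.0.70", icmp_type="echo"),
        "SALES sends unsolicited echo-reply":  Packet("icmp", "192.168.0.100", "192.168.0.70", icmp_type="echo-reply"),
        "FINANCE opens SMB to ADMIN (SYN)":    Packet("tcp", "192.168.0.70", "192.168.0.40", 50000, 445),
        "ADMIN SMB server SYN-ACK back":       Packet("tcp", "192.168.0.40", "192.168.0.70", 445, 50000, ack=True),
    }
    for name, pkt in cases.items():
        print(f"{name:38} posted: {finance_filter(pkt):6}  with established: {finance_filter(pkt, ACL_101_TCP)}")
```

Two caveats the replay makes visible. Both lists are stateless: the `echo-reply` entry admits any ICMP echo-reply into FINANCE whether or not FINANCE asked for it, and `established` admits any TCP segment with ACK or RST set, so a crafted ACK-flagged packet from SALES also passes; a stateful firewall (or, on IOS, reflexive ACLs or CBAC/zone-based firewall) is what actually ties replies to requests. Separately, in real IOS an outbound ACL is not applied to traffic the router itself originates, so its own DHCP replies would not need the `udp ... eq 67` entry; the poster needed it in Packet Tracer and it is kept verbatim here.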
  19. albertc30

    albertc30 Kilobyte Poster

    423
    1
    37
    Bring it on, zimbo, I honestly need the practise, mate. Cheers
     
    Certifications: CCNA
    WIP: 220-701 - A+
  20. albertc30

    albertc30 Kilobyte Poster

    423
    1
    37
    The Complete Kit for CCNA link seems to be broken, mate.

    Selected product is not active in our e-commerce system and cannot be purchased.
     
    Certifications: CCNA
    WIP: 220-701 - A+
