ACL Help please

Discussion in 'General Cisco Certifications' started by zimbo, Nov 1, 2008.

  1. zimbo
    Honorary Member

    zimbo Petabyte Poster

    5,215
    98
    181
    Right, I'm working on an assignment that involves working with ACLs and I'm struggling a little. I'm using Packet Tracer and have the following topology:

    [topology images]

    Now the conditions of the ACL are as follows:

    Admin can send data to students
    Students must not have access to Admin
    Students can send packets
    Students can send data to PC3 and PC2 (you will see the IP's in the ACL)

    Now my show access-list gives me:

    Code:
    Router#show access-lists 
    Standard IP access list 1
        permit 192.160.2.0 0.0.0.255
    Extended IP access list 102
        permit ip any host 192.168.2.3
        permit ip any host 192.168.2.4
    Standard IP access list 2
        deny 192.168.1.0 0.0.0.255
    Students : 192.168.1.0 255.255.255.0
    Admin: 192.168.2.0 255.255.255.0

    Now I know the order is important but that's not the problem - I can still ping from the student PC to the admin ones! What am I doing wrong? :blink
     
    Certifications: B.Sc, MCDST & MCSA
    WIP: M.Sc - Computer Forensics
  2. albertc30

    albertc30 Kilobyte Poster

    423
    1
    37
    Hello mate.
    I am also a bit new to this ACL thing as I am still currently doing my CCNA course, but I believe that if you want to allow packets to go to admin and yet block access to data on admin from students you would have to create an extended ACL. Remember that packets use UDP, so allow UDP access to admin and block all other traffic.
    Hope it helps and surely you'll have better answers as this forum is one of the best out there, if not the best.
    Good luck
    Albert, C
     
    Certifications: CCNA
    WIP: 220-701 - A+
  3. zimbo
    Honorary Member

    zimbo Petabyte Poster

    5,215
    98
    181
    Extended IP access list 102
    permit ip any host 192.168.2.3
    permit ip any host 192.168.2.4

    There is the extended list.. is that what you meant? Also, why use UDP? I thought IP covers all the protocols below it, that's why I specified it.
     
    Certifications: B.Sc, MCDST & MCSA
    WIP: M.Sc - Computer Forensics
  4. albertc30

    albertc30 Kilobyte Poster

    423
    1
    37
    There is the extended list.. is that what you meant? Also, why use UDP? I thought IP covers all the protocols below it, that's why I specified it.
    ******************************************************************************
    Sorry mate didn't see it there.

    Yes that would be what I meant.

    Why use UDP? You want to block students from accessing the admin and yet you want them to be able to send packets, right? By this, what do you really mean? Do you want them to be able to ping/telnet or send real data? What kind of packets? IP, UDP, TCP?

    Yes, IP does cover the whole range when applied in a standard ACL.

    Also remember that standard access control lists do not specify destination addresses, so they should be placed as close to the destination as possible, and extended access control lists are placed near the traffic you want to block, if memory serves me right, so be aware of inbound and outbound traffic and which interface on the router to apply the ACL to.
    ACLs must be defined on a per-protocol basis, so you must provide an ACL for every protocol enabled on an interface.

    Hope it helps.
    Albert, C
     
    Certifications: CCNA
    WIP: 220-701 - A+
  5. zimbo
    Honorary Member

    zimbo Petabyte Poster

    5,215
    98
    181
    No traffic from students must cross to admin, only requests to the servers on those IP addresses. So which parts are wrong? Can you highlight them please? :rolleyes:
     
    Certifications: B.Sc, MCDST & MCSA
    WIP: M.Sc - Computer Forensics
  6. UCHEEKYMONKEY
    Honorary Member

    UCHEEKYMONKEY R.I.P - gone but never forgotten. Gold Member

    4,140
    58
    214
    :hhhmmm ACL was covered in my N+ study book!

    Don't you have to set up the permissions?

    Not sure if it's a good idea to type out what the book says.. so I have found a link instead.. hope this helps..

    ACL
     
    Certifications: Comptia A+
    WIP: Comptia N+
  7. zimbo
    Honorary Member

    zimbo Petabyte Poster

    5,215
    98
    181
    That's for software-based permissions - I'm talking about ACLs on Cisco routers, mate! :biggrin
     
    Certifications: B.Sc, MCDST & MCSA
    WIP: M.Sc - Computer Forensics
  8. BosonMichael
    Highly Decorated Member Award

    BosonMichael Yottabyte Poster

    19,136
    462
    374
    Great, you've got access lists...

    ...but have you applied one of those access lists to an interface? You can apply one outgoing and one incoming to each interface.
     
    Certifications: CISSP, MCSE+I, MCSE: Security, MCSE: Messaging, MCDST, MCDBA, MCTS, OCP, CCNP, CCDP, CCNA Security, CCNA Voice, CNE, SCSA, Security+, Linux+, Server+, Network+, A+
    WIP: Just about everything!
  9. zimbo
    Honorary Member

    zimbo Petabyte Poster

    5,215
    98
    181
    Hmm, I thought something didn't quite make sense! Err, how do I apply it to an interface? I really hope Packet Tracer allows me to do this! :rolleyes:
     
    Certifications: B.Sc, MCDST & MCSA
    WIP: M.Sc - Computer Forensics
  10. BosonMichael
    Highly Decorated Member Award

    BosonMichael Yottabyte Poster

    19,136
    462
    374
    Dunno, mate... I just use the old trusty IOS. :D
     
    Certifications: CISSP, MCSE+I, MCSE: Security, MCSE: Messaging, MCDST, MCDBA, MCTS, OCP, CCNP, CCDP, CCNA Security, CCNA Voice, CNE, SCSA, Security+, Linux+, Server+, Network+, A+
    WIP: Just about everything!
  11. zimbo
    Honorary Member

    zimbo Petabyte Poster

    5,215
    98
    181
    Well, that's what I'm using. Let's say I wanted to apply the first ACL to fa0/0? :biggrin
     
    Certifications: B.Sc, MCDST & MCSA
    WIP: M.Sc - Computer Forensics
  12. BosonMichael
    Highly Decorated Member Award

    BosonMichael Yottabyte Poster

    19,136
    462
    374
    Sorry - never used Packet Tracer before... didn't know if it worked like the IOS.

    Code:
    config t
    int fa0/0
    ip access-group 1 out
    (if you want to apply it to outbound traffic on that interface - if you want to apply it to inbound traffic, do ip access-group 1 in)
     
    Certifications: CISSP, MCSE+I, MCSE: Security, MCSE: Messaging, MCDST, MCDBA, MCTS, OCP, CCNP, CCDP, CCNA Security, CCNA Voice, CNE, SCSA, Security+, Linux+, Server+, Network+, A+
    WIP: Just about everything!
  13. albertc30

    albertc30 Kilobyte Poster

    423
    1
    37


    Code:
    access-list 101 permit ip 192.168.1.0 0.0.0.255 host 192.168.2.3   (server1 IP?)
    access-list 101 permit ip 192.168.1.0 0.0.0.255 host 192.168.2.4   (server2 IP?)
    access-list 101 deny ip any any                                    (to deny any other traffic)

    The 192.168.1.0 0.0.0.255 is a wildcard that tells the ACL to block all valid IPs in the 192.168.1.0 network, which are 254.

    After this you just go to the interface you want to apply it to and apply it:

    Code:
    int f0/0 (example)
    ip access-group 101 in (or) out

    I would apply this extended ACL to the interface where the student network connects to the router, therefore blocking incoming traffic, hence (IN) in "ip access-group 101 in".

    Hope it helps,
    Albert, C
     
    Certifications: CCNA
    WIP: 220-701 - A+
  14. albertc30

    albertc30 Kilobyte Poster

    423
    1
    37
    ZIMBO

    Here is a Packet Tracer file with what you were trying to do.
    Now I only ask of you to do yourself a favour, mate: do not copy the running config for your benefit or just out of laziness (I am not saying you are lazy), but instead try to understand how it all works, as it will be better for you in the long run.
    This was my best subject at college but it can still be a bit challenging.
    It is a matter of logic, I'd say.
    Hope it helps you rather than does you harm, so please try to understand how it all works.
    Take care,
    Albert, C
     
    Certifications: CCNA
    WIP: 220-701 - A+
  15. zimbo
    Honorary Member

    zimbo Petabyte Poster

    5,215
    98
    181
    Thanks for the help everyone! Albert, no need to worry because I think the final topology will be different as it's also a design question - and I still need to allow Admin to have full access to the student side, so I still have work to do!! Would I need another router to achieve that?
     
    Certifications: B.Sc, MCDST & MCSA
    WIP: M.Sc - Computer Forensics
  16. albertc30

    albertc30 Kilobyte Poster

    423
    1
    37
    No you would not need another router mate.
    It can all be done using just the one you have in your pic and with the use of a simple standard ACL.
    Glad to be able to help just like others have helped me as well.

    Best of luck and please feel free to lay down any questions or doubts you may have.

    Albert, C
     
    Certifications: CCNA
    WIP: 220-701 - A+
  17. zimbo
    Honorary Member

    zimbo Petabyte Poster

    5,215
    98
    181
    Yes, but I would need to use the other interface, right? You can't apply more than one access-list group to an interface, correct?

    Another question: if fa0/0 blocks all other traffic and fa0/1 will allow the traffic - I'm guessing there needs to be a change to:

    Code:
    access-list 101 deny ip any any 
    to become

    Code:
    access-list 101 deny 192.168.1.0 0.0.0.255
     
    Certifications: B.Sc, MCDST & MCSA
    WIP: M.Sc - Computer Forensics
  18. kevicho

    kevicho Gigabyte Poster

    1,219
    58
    116
    Just a quick note: at the end of every access list there is an implicit deny all, so you don't really need the last line.
     
    Certifications: A+, Net+, MCSA Server 2003, 2008, Windows XP & 7 , ITIL V3 Foundation
    WIP: CCNA Renewal
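The behaviour discussed in the posts above (BosonMichael's point that a list does nothing until it is applied to an interface, albertc30's extended list 101 with its wildcard mask, and kevicho's note about the implicit deny) can be checked without a router. The following Python simulator is an added example written for this page; it is not code from any poster, from Packet Tracer, or from Cisco IOS. It models only IP source/destination matching (no protocol or port fields), reproduces the lists as they appear in the thread (including the 192.160.2.0 entry exactly as shown in the original show access-lists output), and assumes a topology in which the student network sits on fa0/0 and the admin network on fa0/1, with the host addresses 192.168.1.10 and 192.168.2.10 chosen for the example.

```python
"""Simulator for Cisco-style IP access lists (constructed example, not IOS).

Models: wildcard-mask matching, first-match evaluation, the implicit deny at
the end of every list, and the fact that a list has no effect until it is
applied to an interface with 'ip access-group <n> in|out'.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Ace:
    """One access-list entry. Standard lists match only on source, so their
    destination stays 'any'."""
    action: str          # "permit" or "deny"
    src: str             # "any", "host A.B.C.D" or "A.B.C.D W.X.Y.Z" (wildcard)
    dst: str = "any"


def _as_int(addr):
    return int(ipaddress.IPv4Address(addr))


def matches(spec, addr):
    """Does address 'addr' match an ACL address spec?"""
    if spec == "any":
        return True
    if spec.startswith("host "):
        return _as_int(spec[5:]) == _as_int(addr)
    base, wildcard = spec.split()
    # Cisco wildcard: a 1 bit means "don't care"; compare only the 0 bits.
    care = ~_as_int(wildcard) & 0xFFFFFFFF
    return (_as_int(addr) & care) == (_as_int(base) & care)


def evaluate(acl, src, dst):
    """First matching entry wins; an unmatched packet hits the implicit deny."""
    for ace in acl:
        if matches(ace.src, src) and matches(ace.dst, dst):
            return ace.action
    return "deny"


def forward(router, ingress, egress, src, dst):
    """Run the inbound list of the ingress interface, then the outbound list of
    the egress interface. An interface with no list applied passes everything."""
    for ifname, direction in ((ingress, "in"), (egress, "out")):
        acl = router["interfaces"].get(ifname, {}).get(direction)
        if acl is not None and evaluate(router["acls"][acl], src, dst) == "deny":
            return "dropped"
    return "forwarded"


# Lists as posted in the thread. List 1 keeps the 192.160.2.0 entry exactly as
# shown in the original output; list 101 omits 'deny ip any any' because the
# implicit deny already covers it.
ACLS = {
    1: [Ace("permit", "192.160.2.0 0.0.0.255")],
    2: [Ace("deny", "192.168.1.0 0.0.0.255")],
    101: [
        Ace("permit", "192.168.1.0 0.0.0.255", "host 192.168.2.3"),
        Ace("permit", "192.168.1.0 0.0.0.255", "host 192.168.2.4"),
    ],
}

# Assumed hosts (not from the thread): one student PC, one admin PC, server 1.
STUDENT_PC, ADMIN_PC, SERVER1 = "192.168.1.10", "192.168.2.10", "192.168.2.3"

# Assumed topology: students on fa0/0, admin/servers on fa0/1.
UNAPPLIED = {"acls": ACLS, "interfaces": {}}                     # lists defined, nothing applied
APPLIED = {"acls": ACLS, "interfaces": {"fa0/0": {"in": 101}}}   # 'ip access-group 101 in' on fa0/0


def student_to_admin(router):
    return forward(router, "fa0/0", "fa0/1", STUDENT_PC, ADMIN_PC)


def student_to_server(router):
    return forward(router, "fa0/0", "fa0/1", STUDENT_PC, SERVER1)


def admin_to_student(router):
    return forward(router, "fa0/1", "fa0/0", ADMIN_PC, STUDENT_PC)


if __name__ == "__main__":
    print("no access-group, student -> admin:", student_to_admin(UNAPPLIED))
    print("101 in on fa0/0, student -> admin:", student_to_admin(APPLIED))
    print("101 in on fa0/0, student -> server1:", student_to_server(APPLIED))
    print("101 in on fa0/0, admin -> student:", admin_to_student(APPLIED))
    print("list 1 result for", ADMIN_PC, ":", evaluate(ACLS[1], ADMIN_PC, "any"))
```

Run as a script it shows the thread's situation in three lines: with the lists defined but no ip access-group, the student ping to the admin PC is forwarded; once list 101 is applied inbound on the student interface, student traffic reaches only the two server addresses and everything else from 192.168.1.0/24 falls through to the implicit deny, while admin-to-student traffic is untouched because nothing is applied inbound on fa0/1 or outbound on fa0/0. The last line is the check a practitioner would make on the original output: the 192.160.2.0 entry in list 1 never matches a 192.168.2.x source, so that list would permit nothing from the admin network even once applied.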
  19. albertc30

    albertc30 Kilobyte Poster

    423
    1
    37

    It can all be done in the same access list by adding more lines to it.
    Remember to place them in order.
     
    Certifications: CCNA
    WIP: 220-701 - A+
  20. zimbo
    Honorary Member

    zimbo Petabyte Poster

    5,215
    98
    181
    Such as the one above? Or an extended ACL?
     
    Certifications: B.Sc, MCDST & MCSA
    WIP: M.Sc - Computer Forensics