Applying an ACL in Packet Tracer for class

15 pts.
Tags:
Access Control List
ACL
Packet Tracer
I'm having a problem figuring out how to configure the following:

  1. Allow hosts on the 192.168.30.0/24 network web access to any destination
  2. Allow hosts on the 192.168.30.0/24 network ICMP access to any destination. 
  3. Explicitly deny any other access origination from the network.
Now they say to implement ACL number 101, which makes this an extended ACL. I configured the following:

<b>
config t
ip access-list extended 101
 permit tcp any any eq www (Web access to any destination)
 permit icmp any any echo-reply (Network ICMP access to any destination)
 deny ip any any (Deny any other access originating from the network)
int Fa0/0
 ip access-group 101 in
</b>

For some reason I can't seem to figure out where I went wrong. Can someone please help me? Thanks.


One problem is that you used the source as 'any' and not the subnet. Also, on the second part, you restricted it to echo-reply, which is a response to a ping; if you wanted to restrict it to only allow ping, it should have just been echo. However, the question says just ICMP, so you must not specify any message type after the 'any', to allow all ICMP messages.

From the question

1. Allow hosts on the 192.168.30.0/24 network web access to any destination

<b>permit tcp 192.168.30.0 0.0.0.255 any eq www</b>

2. Allow hosts on the 192.168.30.0/24 network ICMP access to any destination.

<b>permit icmp 192.168.30.0 0.0.0.255 any</b>

3. Explicitly deny any other access origination from the network.

<b>deny ip any any</b>

Then, as you did, apply this inbound on the interface that connects to the 192.168.30.0/24 subnet, which I presume is Fa0/0. From the question we presume that this subnet is not permitted to access any other local subnet, so that is the correct way to apply it.

Also, if it says use access list 101, this is not necessarily saying to use the extended form as you have; it could imply that you just prefix each line with access-list 101, as follows:

<b>
access-list 101 permit tcp 192.168.30.0 0.0.0.255 any eq www
access-list 101 permit icmp 192.168.30.0 0.0.0.255 any
access-list 101 deny ip any any
</b>

This will produce an access list with the same effect. The method you chose is slightly better as it does allow you to edit the access list; the second type only allows you to delete it and re-create it if you need to make changes. But I thought it was important to point out the alternative.

Hope this helps; if you have any more questions, please post them.

Discuss This Question: 2 Replies

  • MRLS718
    Hey, thanks a lot, that helped me a MILLION lol. I'm attending the Cisco Network University and up to this point everything has been a walk in the park for me. I don't know what it is with the ACLs that I'm just not grasping. I have a clear understanding, but sometimes I get a brain freeze when it comes time to configure. I don't get like this when it comes to anything else though. Again, thanks a lot, and if you have an easy way of understanding ACLs please let me know. lol Thanks, MRLS718
  • BlankReg
    Funny, I am also doing the Cisco Academy at the moment. Although I passed it over 10 years ago, I have to do the Academy as I will be a tutor for it next year. My only advice is to always remember that they are written from the perspective of the router, so applied 'in' they are for traffic coming into the router from the LAN, so the first address (from) should be a LAN address, and the second address (to) is where that packet is going (permit), or is not allowed to go (deny). Applied 'out' it is the reverse: the first address is where it came from, and the second is the LAN it is going out onto. The masks are reversed on all routers, but are the normal ones on firewalls, just to confuse everyone. And the golden rule to remember is that they are actioned in the order you write them, and it exits when it matches a condition. Practice is the key: do a lot of these and it becomes second nature. Use the Packet Tracer software to practice. Set up a simple network with one router and a PC on one interface and a PC on another, and apply different access lists to stop some traffic and allow others. You should soon get the hang of writing these. Good luck with the course, and the exam when you do that.
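Added example, not part of the thread: a small Python model of how an extended IOS ACL evaluates a packet, top-down with first match and wildcard masks, covering both the corrections in the answer above (source 'any' vs. the 192.168.30.0/24 subnet, echo-reply vs. all ICMP) and the ordering rule in BlankReg's comment. It parses the asker's three lines and the corrected `access-list 101` lines from the page and runs both over constructed sample packets. The `Packet` and `Entry` types, the helper names, the keyword tables and the sample addresses (RFC 5737 documentation ranges) are this example's own assumptions; only wildcard matching and first-match order are taken from IOS behaviour.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Keyword tables for the mnemonics used by the ACLs on this page (assumed minimal set).
PORT_NAMES = {"www": 80}
ICMP_TYPES = {"echo": 8, "echo-reply": 0}


@dataclass(frozen=True)
class Packet:
    proto: str                       # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dst_port: Optional[int] = None   # TCP/UDP destination port
    icmp_type: Optional[int] = None  # ICMP type: 8 = echo (request), 0 = echo-reply


@dataclass(frozen=True)
class Entry:
    action: str                      # "permit" or "deny"
    proto: str                       # "ip", "tcp", "udp" or "icmp"
    src: str
    src_wild: str
    dst: str
    dst_wild: str
    dst_port: Optional[int] = None
    icmp_type: Optional[int] = None


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """IOS wildcard mask: a 0 bit must match, a 1 bit is 'don't care'.
    It is the inverse of a subnet mask, e.g. /24 -> 0.0.0.255."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (b & care)


def _parse_addr(tok: List[str], i: int) -> Tuple[str, str, int]:
    if tok[i] == "any":
        return "0.0.0.0", "255.255.255.255", i + 1
    if tok[i] == "host":
        return tok[i + 1], "0.0.0.0", i + 2
    return tok[i], tok[i + 1], i + 2


def parse_entry(line: str) -> Entry:
    """Parse one extended ACE, with or without the numbered 'access-list 101' prefix."""
    tok = line.split()
    if tok[0] == "access-list":
        tok = tok[2:]
    action, proto = tok[0], tok[1]
    src, src_wild, i = _parse_addr(tok, 2)
    dst, dst_wild, i = _parse_addr(tok, i)
    rest = tok[i:]
    port = icmp_type = None
    if proto in ("tcp", "udp") and rest[:1] == ["eq"]:
        port = PORT_NAMES.get(rest[1]) or int(rest[1])
    elif proto == "icmp" and rest:
        icmp_type = ICMP_TYPES[rest[0]]  # no trailing keyword = every ICMP type
    return Entry(action, proto, src, src_wild, dst, dst_wild, port, icmp_type)


def matches(e: Entry, p: Packet) -> bool:
    if e.proto != "ip" and e.proto != p.proto:
        return False
    if not wildcard_match(p.src, e.src, e.src_wild):
        return False
    if not wildcard_match(p.dst, e.dst, e.dst_wild):
        return False
    if e.dst_port is not None and p.dst_port != e.dst_port:
        return False
    if e.icmp_type is not None and p.icmp_type != e.icmp_type:
        return False
    return True


def evaluate(acl: List[Entry], pkt: Packet) -> Tuple[str, Optional[int]]:
    """Top-down, first match wins; no match hits the implicit deny (index None)."""
    for idx, entry in enumerate(acl):
        if matches(entry, pkt):
            return entry.action, idx
    return "deny", None


# The asker's ACL (from the question) and the corrected one (from the answer).
ASKER_ACL = [parse_entry(l) for l in (
    "permit tcp any any eq www",
    "permit icmp any any echo-reply",
    "deny ip any any",
)]
CORRECTED_ACL = [parse_entry(l) for l in (
    "access-list 101 permit tcp 192.168.30.0 0.0.0.255 any eq www",
    "access-list 101 permit icmp 192.168.30.0 0.0.0.255 any",
    "access-list 101 deny ip any any",
)]

# Constructed sample packets (documentation addresses): a LAN host pinging out,
# a LAN host browsing, an outside host browsing, and a LAN host trying SSH.
SAMPLES = {
    "lan_ping":  Packet("icmp", "192.168.30.10", "198.51.100.1", icmp_type=8),
    "lan_web":   Packet("tcp", "192.168.30.10", "203.0.113.10", dst_port=80),
    "other_web": Packet("tcp", "10.0.0.5", "203.0.113.10", dst_port=80),
    "lan_ssh":   Packet("tcp", "192.168.30.10", "10.0.0.5", dst_port=22),
}


def compare(name: str) -> Tuple[str, str]:
    """Action of the asker's ACL vs. the corrected ACL for one sample packet."""
    pkt = SAMPLES[name]
    return evaluate(ASKER_ACL, pkt)[0], evaluate(CORRECTED_ACL, pkt)[0]


if __name__ == "__main__":
    for name in SAMPLES:
        asker, fixed = compare(name)
        print(f"{name:10} asker={asker:6} corrected={fixed}")
```

Running it shows the two mistakes concretely: the LAN host's echo request is denied by the asker's list (only echo-reply was permitted) but permitted by the corrected one, while the outside host's web request slips through the asker's `any` source and is stopped by the subnet match. The SSH attempt falls through to the explicit `deny ip any any` in both lists, and an empty list still returns `deny`, which is the implicit deny at the end of every IOS ACL.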
