Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

Register Log in
  • Congratulations bkrike on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

ACLs don't seem to work 1

Status
Not open for further replies.
ottathom

ottathom

Instructor
Jun 12, 2004
3
Hey Folks,

I have four 2501s and two 1924s connected. I have S0 on RouterA to S0 on RouterB, S1 on RouterB to S0 on RouterC, and S1 on RouterC to S0 on RouterD. E0 on RouterA is connected to a switch and E0 on RouterB is connected to a switch. The configuration is as follows:

RouterA
E0 is 151.10.10.1 255.255.255.0
S0 is 151.10.20.1 255.255.255.0

RouterB
E0 is 151.10.30.1 255.255.255.0
S0 is 151.10.20.2 255.255.255.0
S1 is 151.10.40.1 255.255.255.0

The rest don't matter. I go into RouterA and set up an access list that says:

access-list 1 deny 151.10.30.2 0.0.0.255

and apply it to the out side of S0:

ip access-group 10 out

That should block access from RouterA to the switch connected to RouterB shouldn't it??? I can ping 151.10.30.1, or .2, or .0 for that matter and always get through. I've tried using 255.255.255.0 for the wildcard/mask but nothing changed. Where am I going wrong?

Thanks in advance for any hints.
 
Sort by date Sort by votes
ip access-group 10 out should have read

ip access-group 1 out

I've tried every variation I can think of and am wondering if there is some global setting that is telling the router to ignore the ACLs. When I do a show run, I see the ACL and see that it is applied to the interface. Argh.
 
Upvote 0 Downvote
Hello ottathom,

Everything works as desired. You use standart ACL. It checks SOURCE IP address. No SOURCE with that address on routerA and so nothing happens.
If You want do deny traffic from RouterA e0 to routerB e0,
i would suggest extended ACL on routerA e0 in (closest to the source) with source you need and destination on routersB e0 network:

acces-list 101 deny ip any 151.10.30.0 0.0.0.255
You can change any to something you need to filter
access-list 101 permit ip any any
Do not forget that last statement ;)

and on routersA ethernet0 interface

ip access-group 101 in

>> wondering if there is some global setting that is telling the router to ignore the ACLs
I havent found. If someone know, please post...



Best regards,


SiGiS

 
Upvote 0 Downvote
Don't put the ACL on A. Put it on B. Standard ACLs are always supposed to go closest to the destination.

Your ACL should read:

access-list 1 deny 151.10.20.0 0.0.0.255
access-list 1 permit any

Then apply it to E0 of Router B:

ip access-group 1 out

This will block all traffic out of that interface on network 151.10.20.0 (including S0 on A), but will allow other traffic to go through.
 
Upvote 0 Downvote
Status
Not open for further replies.

Similar threads

BenniCo
  • Locked
  • Question
Hן I want to buy licenses for PABX
Replies
0
Views
440
BenniCo
BenniCo
Michel$
  • Locked
  • Question
hi guys , please, how to configu
Replies
0
Views
301
Michel$
Michel$
madwok
  • Locked
  • Question
CCENT - tougher to pass it now - Be warned
Replies
2
Views
269
ReallyRotten
ReallyRotten
electronicsfreak
  • Locked
  • Question
Which CCNA certification to start with? 2
Replies
9
Views
548
stingray2049
stingray2049
OzzieGeorge
  • Locked
  • Question
Ok So I've got to October next y
Replies
2
Views
242
burtsbees
burtsbees

Part and Inventory Search

Sponsor

Back
Top