IOS and ACL's

Jeff7181

Lifer
Aug 21, 2002
I'm learning about ACL's in one of my classes right now. I think I understand the concept but I'm not able to configure a pair of routers and a pair of workstations so that it works correctly.

All I'm trying to do is make it so only workstation 1 (172.16.16.10) and workstation 2 (172.16.64.10) can ping each other and nothing else.

So what I'm doing is this...

Router 1
(global config mode) access-list 100 permit icmp 172.16.64.10 0.0.0.0 172.16.16.10 0.0.0.0
then for the serial interface
(interface mode) ip access-group 100 in

Router 2
(global config mode) access-list 100 permit icmp 172.16.16.10 0.0.0.0 172.16.64.10 0.0.0.0
then for the serial interface
(interface mode) ip access-group 100 in

So... Router 1 should permit all incoming icmp traffic from 172.16.64.10 to 172.16.16.10 and deny all other inbound icmp traffic, but allow all outgoing icmp traffic, correct?

And... Router 2 should permit all incoming icmp traffic from 172.16.16.10 to 172.16.64.10 and deny all other inbound icmp traffic, but allow all outgoing icmp traffic, correct?

Or does the implicit deny somehow get applied to outgoing icmp traffic even though I haven't set up an access group for outbound traffic?

Network Diagram

jlazzaro

Golden Member
May 6, 2004
just to ensure we have initial connectivity, without the ip access-group statements everything can ping fine right?

please define what interfaces you're applying the access-groups to, it's kind of important...

p0lar

Senior member
Nov 16, 2002
Originally posted by: Jeff7181
I'm learning about ACL's in one of my classes right now. I think I understand the concept but I'm not able to configure a pair of routers and a pair of workstations so that it works correctly.

All I'm trying to do is make it so only workstation 1 (172.16.16.10) and workstation 2 (172.16.64.10) can ping each other and nothing else.

So what I'm doing is this...

Router 1
(global config mode) access-list 100 permit icmp 172.16.64.10 0.0.0.0 172.16.16.10 0.0.0.0
then for the serial interface
(interface mode) ip access-group 100 in

Or more specifically an easier-to-read syntax:
access-list 100 permit icmp host 172.16.64.10 host 172.16.16.10

Router 2
(global config mode) access-list 100 permit icmp 172.16.16.10 0.0.0.0 172.16.64.10 0.0.0.0
then for the serial interface
(interface mode) ip access-group 100 in
access-list 100 permit icmp host 172.16.16.10 host 172.16.64.10

So... Router 1 should permit all incoming icmp traffic from 172.16.64.10 to 172.16.16.10 and deny all other inbound icmp traffic, but allow all outgoing icmp traffic, correct?
Access-lists carry an implicit deny at the end; thus, your access-lists will permit all incoming icmp traffic as you stated, but deny everything else. You do not have an outbound (egress) ACL on the interface so anything can slide out.

And... Router 2 should permit all incoming icmp traffic from 172.16.16.10 to 172.16.64.10 and deny all other inbound icmp traffic, but allow all outgoing icmp traffic, correct?
It will permit all traffic, regardless of protocol.

Or does the implicit deny somehow get applied to outgoing icmp traffic even though I haven't set up an access group for outbound traffic?
There is no access-list applied to the serial interface in the outbound direction; thus, it will not be filtered and there is no applicable implicit deny.


In theory, you might even get more specific to pander about with the specifics of ICMP.

r1(config)# access-list 100 remark PERMIT ICMP ECHO FROM REMOTE-ORIGINATED ECHO
r1(config)# access-list 100 permit icmp host 172.16.64.10 host 172.16.16.10 echo
r1(config)# access-list 100 remark PERMIT RETURN REPLY FROM LOCALLY-ORIGINATED ECHO
r1(config)# access-list 100 permit icmp host 172.16.64.10 host 172.16.16.10 echo-reply
r1(config)# int s0/0
r1(config-if)# ip access-group 100 in

r2(config)# access-list 100 remark PERMIT ICMP ECHO FROM REMOTE-ORIGINATED ECHO
r2(config)# access-list 100 permit icmp host 172.16.16.10 host 172.16.64.10 echo
r2(config)# access-list 100 remark PERMIT RETURN REPLY FROM LOCALLY-ORIGINATED ECHO
r2(config)# access-list 100 permit icmp host 172.16.16.10 host 172.16.64.10 echo-reply
r2(config)# int s0/0
r2(config-if)# ip access-group 100 in

Always, always, always, always, always use remarks (and descriptions) where humanly possible (which means everywhere). I can count the number of times on one hand that I've run across a router/switch/etc in the wild that was properly and thoroughly documented internally (and I'm still not sure it wasn't one of mine I did years before. :D)

Jeff7181

Lifer
Aug 21, 2002
Yes, with no ACL's the two workstations can ping fine.

The workstations are connected to the routers via Fast Ethernet, and the routers are connected via serial interface. I am applying the ACL's to the serial interfaces of each router.

Is it not working because I left out echo and echo-reply? Are those necessary?

p0lar

Senior member
Nov 16, 2002
Originally posted by: Jeff7181
Yes, with no ACL's the two workstations can ping fine.

The workstations are connected to the routers via Fast Ethernet, and the routers are connected via serial interface. I am applying the ACL's to the serial interfaces of each router.

Is it not working because I left out echo and echo-reply? Are those necessary?

Absolutely not -- those just filter based on the ICMP type.

Try adding a 'log-input' to the end of your access-list statements and then turn on debugging and monitor via terminal/console. Don't do this in a production environment unless you are very certain of the traffic you wish to debug in this manner.
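To make the two points from p0lar's replies concrete (the implicit deny applies only to the list bound inbound, nothing is filtered where no list is bound, and 'log' on an entry is the way to see what matched), here is an added Python model of IOS extended-ACL evaluation. It is not code from this thread, from Boson or from Cisco; the interface labels, the 'deny ip any any log' line appended to each list and the 10.0.0.x router serial addresses are constructed for the illustration. It parses the same numbered-ACL syntax posted above (both the '0.0.0.0' wildcard form and the 'host' form), walks a ping and its reply through both routers, and also shows the caveat the implicit deny brings with it: anything else arriving inbound on that serial interface, including traffic the two routers exchange with each other, is dropped by the posted lists, which is worth checking when a lab like this stops passing pings.

```python
"""Toy model of IOS extended-ACL evaluation (added illustration, not IOS code)."""
import ipaddress
from collections import namedtuple

ALL_ONES = 0xFFFFFFFF
Packet = namedtuple("Packet", "proto src dst icmp_type", defaults=(None,))
Ace = namedtuple("Ace", "action proto src src_wild dst dst_wild icmp_type log")


def _ip(text):
    return int(ipaddress.IPv4Address(text))


def _parse_addr(tokens, i):
    """Parse 'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD' starting at tokens[i]."""
    if tokens[i] == "any":
        return 0, ALL_ONES, i + 1
    if tokens[i] == "host":
        return _ip(tokens[i + 1]), 0, i + 2
    return _ip(tokens[i]), _ip(tokens[i + 1]), i + 2


def parse_ace(line):
    """Parse one 'access-list N permit|deny ...' line; remarks yield None."""
    tokens = line.split()
    if tokens[0] == "access-list":
        tokens = tokens[2:]            # drop 'access-list' and the list number
    if tokens[0] == "remark":
        return None
    action, proto = tokens[0], tokens[1]
    src, src_wild, i = _parse_addr(tokens, 2)
    dst, dst_wild, i = _parse_addr(tokens, i)
    icmp_type, log = None, False
    for tok in tokens[i:]:
        if tok in ("log", "log-input"):
            log = True
        else:
            icmp_type = tok            # e.g. 'echo' or 'echo-reply'
    return Ace(action, proto, src, src_wild, dst, dst_wild, icmp_type, log)


def _match(addr, ace_addr, wild):
    # Wildcard bits set to 1 are "don't care"; every other bit must be equal.
    return ((addr ^ ace_addr) & ~wild & ALL_ONES) == 0


class Acl:
    def __init__(self, number, lines):
        self.number = number
        self.aces = [a for a in map(parse_ace, lines) if a is not None]
        self.log = []                  # what the 'log' entries would emit

    def evaluate(self, pkt, where):
        for ace in self.aces:          # first matching entry wins
            if ace.proto != "ip" and ace.proto != pkt.proto:
                continue
            if not (_match(_ip(pkt.src), ace.src, ace.src_wild)
                    and _match(_ip(pkt.dst), ace.dst, ace.dst_wild)):
                continue
            if ace.icmp_type and ace.icmp_type != pkt.icmp_type:
                continue
            if ace.log:
                self.log.append(f"{where}: list {self.number} {ace.action} "
                                f"{pkt.proto} {pkt.src} -> {pkt.dst}")
            return ace.action
        return "deny"                  # implicit deny at the end of every ACL


def trace(pkt, path):
    """Walk pkt through [(interface, direction, label), ...]; stop at a deny.
    An interface with no ACL bound in that direction passes everything."""
    for iface, direction, label in path:
        acl = iface.get(direction)
        if acl and acl.evaluate(pkt, label) == "deny":
            return f"dropped at {label}"
    return "delivered"


# The thread's two ACLs, each with a logging deny appended (constructed lines).
R1_LINES = ["access-list 100 remark PERMIT ICMP FROM WS2 TO WS1",
            "access-list 100 permit icmp 172.16.64.10 0.0.0.0 172.16.16.10 0.0.0.0",
            "access-list 100 deny ip any any log"]
R2_LINES = ["access-list 100 permit icmp host 172.16.16.10 host 172.16.64.10",
            "access-list 100 deny ip any any log"]


def build_lab():
    """Serial interfaces of r1 and r2 with ACL 100 bound inbound only."""
    return ({"in": Acl(100, R1_LINES), "out": None},
            {"in": Acl(100, R2_LINES), "out": None})


def ping(src, dst, r1_s0, r2_s0):
    """Echo from a host behind r1 to a host behind r2, then the reply back."""
    there = [(r1_s0, "out", "r1 s0/0 out"), (r2_s0, "in", "r2 s0/0 in")]
    back = [(r2_s0, "out", "r2 s0/0 out"), (r1_s0, "in", "r1 s0/0 in")]
    echo = trace(Packet("icmp", src, dst, "echo"), there)
    if echo != "delivered":
        return echo, "no reply (echo never arrived)"
    return echo, trace(Packet("icmp", dst, src, "echo-reply"), back)


if __name__ == "__main__":
    r1, r2 = build_lab()
    print("ws1 <-> ws2:", ping("172.16.16.10", "172.16.64.10", r1, r2))
    print("other host: ", ping("172.16.16.20", "172.16.64.10", r1, r2))
    # Anything else arriving inbound on the serial link hits the deny as well,
    # here a constructed UDP packet between made-up router serial addresses.
    print("router udp: ", trace(Packet("udp", "10.0.0.1", "10.0.0.2"),
                                [(r2, "in", "r2 s0/0 in")]))
    print("\n".join(r2["in"].log))
```

On a real router, 'log' produces a rate-limited syslog message for each entry it is attached to, and 'log-input' adds the input interface and source MAC address; the model just appends a line to a list. The implicit deny at the end of the list never logs on its own, which is why an explicit 'deny ip any any log' is appended here: without it, the dropped packets that make the lab fail leave no trace in the debug output.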

Jeff7181

Lifer
Aug 21, 2002
Like I said... this is for a class I'm taking, so it's not even close to a production environment. It's actually not even using real equipment... Boson NetSim.

p0lar

Senior member
Nov 16, 2002
Originally posted by: Jeff7181
Like I said... this is for a class I'm taking, so it's not even close to a production environment. It's actually not even using real equipment... Boson NetSim.

I'm well aware of your circumstances, I taught private CCNA (on up) classes years ago. My point was that what you do in a lab will translate directly to what you do in a production environment. You won't magically change your habits just because your environment changed. Think of it like batting practice -- bad swings in the cage don't translate to great swings on the field. ;) (not that you were, it was just a general warning)

Now, that being said, I can't recall if Boson permitted you to log ACLs or not. Have you tried Dynamips? It is an emulator, not a simulator such as Boson, and as such mimics the router almost to a T, minus the physical attributes and noisy fans.

Good luck.