Need help on an Extended ACL command! Pls help, thanks!
#1
Hi people,

I have a question on Ext-ACL. Please help..

Users in IT Dept network (192.168.3.0) should not be able to ping or access KL Dept network (192.168.3.0) and vice versa.
Both IT Dept and KL Dept should be able to access the internet.

So my acl command is:
deny ip 192.168.3.0 0.0.0.255 host 192.168.3.0 eq icmp
deny ip 192.168.5.0 0.0.0.255 host 192.168.5.0 eq icmp
permit any any

Is my command correct?
A friend of mine told me that my command will block the respective network from accessing the internet and everything else as well?
Is it true?

Please help people! Urgent! Thanks!!!  Smile
#2
(02-02-2010, 04:16 PM) AlphonseElric Wrote:
Hi people,

I have a question on Ext-ACL. Please help..

Users in IT Dept network (192.168.3.0) should not be able to ping or access KL Dept network (192.168.3.0) and vice versa.
Both IT Dept and KL Dept should be able to access the internet.

So my acl command is:
deny ip 192.168.3.0 0.0.0.255 host 192.168.3.0 eq icmp
deny ip 192.168.5.0 0.0.0.255 host 192.168.5.0 eq icmp
permit any any

Is my command correct?
A friend of mine told me that my command will block the respective network from accessing the internet and everything else as well?
Is it true?

Please help people! Urgent! Thanks!!!  Smile
Did you make a mistake in the addresses of the networks? If the IT dept and KL dept are both in the 192.168.3.0 network, the traffic won't reach the router that the ACLs are configured on. Secondly, the host designation should not be assigned to a network address.
#3
This ACL is all wrong. First off, in your original question you used the same network address for both departments. Then in your ACL you have two different networks. I will assume that the 192.168.3.0 subnet is for IT Dept and that the 192.168.5.0. Also, the eq ICMP at the end of your ACL is only stopping pings, and that's not even proper. So it looks like you're supernetting if it's all under one big network. If those are the subnets and you want to block all traffic from reaching each other, the ACL would look like this:

deny ip 192.168.3.0 0.0.0.255 192.168.5.0 0.0.0.255
deny ip 192.168.5.0 0.0.0.255 192.168.3.0 0.0.0.255
permit ip any any

How many routers are separating the two network segments?