Deny ICMP or Ping Using an Extended Access List.
In this lab we block ICMP from one network to a single host using an extended ACL.
As a rule of thumb, an extended ACL is placed as close as possible to the source of the traffic: because it can match source, destination and protocol, the unwanted packets can be dropped before they cross the network. A standard ACL matches only the source address, so it is placed as close as possible to the destination to avoid blocking that source's traffic to other destinations.
In this lab we stop the PC from pinging one network while it can still ping PCs on other networks.
In the diagram above we stop pinging from 192.168.1.2 to 20.0.0.2, whereas 192.168.1.2 can still ping hosts on 192.168.3.0/24 such as 192.168.3.2 and 192.168.3.3.
The configuration is as follows:
Router0#sh ip int br
Interface              IP-Address      OK? Method Status                Protocol
FastEthernet0/0        192.168.1.1     YES manual up                    up
FastEthernet1/0        10.0.0.1        YES manual up                    up
FastEthernet1/1        unassigned      YES unset  administratively down down

Router0#sh ip route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default, U - per-user static route, o - ODR
       P - Periodic downloaded static route

Gateway of last resort is not set

C    10.0.0.0/8 is directly connected, FastEthernet1/0
     20.0.0.0/24 is subnetted, 1 subnets
D       20.0.0.0 [90/30720] via 10.0.0.2, 01:18:29, FastEthernet1/0
C    192.168.1.0/24 is directly connected, FastEthernet0/0
D    192.168.2.0/24 [90/30720] via 10.0.0.2, 01:18:29, FastEthernet1/0
D    192.168.3.0/24 [90/33280] via 10.0.0.2, 01:17:56, FastEthernet1/0
Router1#sh ip int br
Interface              IP-Address      OK? Method Status                Protocol
FastEthernet0/0        192.168.2.1     YES manual up                    up
FastEthernet1/0        10.0.0.2        YES manual up                    up
FastEthernet1/1        20.0.0.1        YES manual up                    up

Router1#sh ip route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default, U - per-user static route, o - ODR
       P - Periodic downloaded static route

Gateway of last resort is not set

C    10.0.0.0/8 is directly connected, FastEthernet1/0
C    20.0.0.0/8 is directly connected, FastEthernet1/1
D    192.168.1.0/24 [90/30720] via 10.0.0.1, 01:19:23, FastEthernet1/0
C    192.168.2.0/24 is directly connected, FastEthernet0/0
D    192.168.3.0/24 [90/30720] via 20.0.0.2, 01:18:49, FastEthernet1/1
Router2#sh ip int br
Interface              IP-Address      OK? Method Status                Protocol
FastEthernet0/0        192.168.3.1     YES manual up                    up
FastEthernet1/0        20.0.0.2        YES manual up                    up
FastEthernet1/1        unassigned      YES unset  administratively down down

Router2#sh ip route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default, U - per-user static route, o - ODR
       P - Periodic downloaded static route

Gateway of last resort is not set

D    10.0.0.0/8 [90/30720] via 20.0.0.1, 01:40:27, FastEthernet1/0
C    20.0.0.0/8 is directly connected, FastEthernet1/0
D    192.168.1.0/24 [90/33280] via 20.0.0.1, 01:40:27, FastEthernet1/0
D    192.168.2.0/24 [90/30720] via 20.0.0.1, 01:40:27, FastEthernet1/0
C    192.168.3.0/24 is directly connected, FastEthernet0/0
To configure an ACL on a Cisco IOS device, we use the following steps:
1. Define the ACL using a name or a number. Named ACLs are easier to edit. The command to configure a named ACL is ip access-list [extended|standard] <name>; numbered extended ACLs use the range 100-199 (and 2000-2699).
2. Configure the ACL entries using the basic syntax: [permit|deny] <protocol> <source network> <source wildcard mask> <destination network> <destination wildcard mask> <options>. Entries are evaluated top to bottom and the first match wins; every ACL ends with an implicit deny of all other traffic, so a closing permit is needed if the remaining traffic must keep flowing.
3. Apply the ACL to an interface using the command ip access-group <ACL name or number> [in|out]. An ACL has no effect until it is applied to an interface.
Extended ACLs are placed close to the source of the traffic, which is why we implement it on Router0, the router directly connected to 192.168.1.0/24:
access-list 101 deny icmp 192.168.1.0 0.0.0.255 host 20.0.0.2
access-list 101 permit ip any any
The first entry denies every ICMP type from any host in 192.168.1.0/24 (the wildcard mask 0.0.0.255 ignores the last octet) to the single host 20.0.0.2; the second entry permits all other IP traffic. The list is then applied with ip access-group as in step 3, inbound on the Router0 interface facing the 192.168.1.0/24 LAN, which is the placement that matches the results shown later.
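The same lab written out end to end, as an added example that is not part of the original post: it uses a named extended ACL instead of number 101, includes the ip access-group step that the post describes but does not show applied, and adds the echo keyword so that only echo requests are denied rather than every ICMP type. The ACL name BLOCK-PING-TO-20 and the choice of Router0 FastEthernet0/0 inbound are assumptions made for this example.

```cisco
! Added example, not the original post's configuration.
! Assumed: ACL name BLOCK-PING-TO-20, applied inbound on Router0 Fa0/0,
! the interface facing the 192.168.1.0/24 LAN that holds the source PC.
Router0#configure terminal
Router0(config)#ip access-list extended BLOCK-PING-TO-20
! Sequence 10: deny ICMP echo requests from any host in 192.168.1.0/24
! (wildcard 0.0.0.255 = last octet ignored) to the single host 20.0.0.2.
! Without the "echo" keyword, as in the post's ACL 101, all ICMP types
! would be dropped, including unreachables and time-exceeded replies.
Router0(config-ext-nacl)#deny icmp 192.168.1.0 0.0.0.255 host 20.0.0.2 echo
! Sequence 20: explicit permit. Every ACL ends with an implicit
! "deny ip any any", so without this line all other traffic from the LAN
! would be dropped as soon as the list is applied.
Router0(config-ext-nacl)#permit ip any any
Router0(config-ext-nacl)#exit
! Apply the list inbound on the interface closest to the source, so the
! denied packets are dropped before the router forwards them anywhere.
Router0(config)#interface FastEthernet0/0
Router0(config-if)#ip access-group BLOCK-PING-TO-20 in
Router0(config-if)#end
! Verification: entries with hit counters, and which interface the list
! is bound to (the interface line reads "Inbound access list is ...").
Router0#show ip access-lists BLOCK-PING-TO-20
Router0#show ip interface FastEthernet0/0 | include access list
```

After repeating the two pings from 192.168.1.2, the match counter on sequence 10 increases by the number of echo requests sent to 20.0.0.2, while pings to 192.168.3.0/24 hit sequence 20. Because the list is applied inbound on Fa0/0, it only filters packets arriving from the LAN; replies coming back from 20.0.0.2 enter on Fa1/0 and are never evaluated by it.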
Verifying ACLs
To view the ACL, use the show ip access-lists command:
Router0#sh ip access-lists
Extended IP access list 101
    10 deny icmp 192.168.1.0 0.0.0.255 host 20.0.0.2 (16 match(es))
    20 permit ip any any (12 match(es))
The match counters confirm that the list is applied and being hit: 16 ICMP packets from 192.168.1.0/24 to 20.0.0.2 have been denied by entry 10, and 12 other packets were permitted by entry 20.
Testing ACLs
Test 1: ping from 192.168.1.2 to 20.0.0.2
C:\>ping 20.0.0.2

Pinging 20.0.0.2 with 32 bytes of data:

Reply from 192.168.1.1: Destination host unreachable.
Reply from 192.168.1.1: Destination host unreachable.
Reply from 192.168.1.1: Destination host unreachable.
Reply from 192.168.1.1: Destination host unreachable.

The ping from 192.168.1.2 to 20.0.0.2 fails. Note that the replies come from 192.168.1.1, the Router0 interface on the PC's LAN: the router drops the echo request and sends back an ICMP unreachable (administratively prohibited), which the PC reports as "Destination host unreachable".
Test 2: ping from 192.168.1.2 to 192.168.3.1
C:\>ping 192.168.3.1

Pinging 192.168.3.1 with 32 bytes of data:

Reply from 192.168.3.1: bytes=32 time=14ms TTL=253
Reply from 192.168.3.1: bytes=32 time<1ms TTL=253
Reply from 192.168.3.1: bytes=32 time<1ms TTL=253
Reply from 192.168.3.1: bytes=32 time<1ms TTL=253

Ping statistics for 192.168.3.1:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 14ms, Average = 3ms

The ACL works as intended: ICMP from 192.168.1.0/24 to 20.0.0.2 is blocked, while ICMP to other destinations such as 192.168.3.0/24 is still permitted by the permit ip any any entry.