Block ICMP ping from a PC to a PC

aclgns3ping

I have a topology like this

PC1 ------Switch
PC2 ------Layer --------- Router
PC3-------two

PC1 192.168.1.34 VLAN 10.

PC2 192.168.1.50 VLAN 20. 
PC3 192.168.1.51 VLAN 20.

I configured a router on a stick to ping between any PC. Then, I want PC2 can ping PC1 and PC3 cannot ping PC1. I use an access list to the switch:

conf t
access-list 101 permit ip host 192.168.1.50 host 192.168.1.34
access-list 101 deny ip host 192.168.1.51 host 192.168.1.34
int f1/0
ip access-group 101 in
end

but it doesn't work. Can you tell me why? I've tried configuring to the router, but it's doesn't work, either.

I configured in GNS3 which doesn't support access-map.

Best Answer

First you must deny the packets from host 3 to host 1; then permit any thing else.

access-list 101 deny ip host 192.168.1.51 host 192.168.1.34
access-list 101 permit ip any any

however, if you want only to deny the ping, you must use icmp instead of ip in the deny part:

access-list 101 deny icmp host 192.168.1.51 host 192.168.1.34 echo

Related Solutions

HP Procurve 5406zl – ACL issue

According to the Access Security Guide for your device, the first address and mask of an ACE is source and the second address and mask is the destination. (Just in case, an ACE is an Access Control Entry; that is any line an access-list is made of)

ACE 20 of your ACL states source 192.168.50.0/24 and destination 192.168.101.0/24, then you apply the ACL at VLAN 101 input; however, your VLAN 101 is 192.168.101.0/24, so any input traffic at VLAN 101 would have source address in 192.168.101.0/24. So ACE 20 in your ACL is wrong, you need an ACE with action permit, source 192.168.101.0/24 and destination 192.168.50.0/24.

ip access-list extended "SecureContent"
    10 permit ip 192.168.101.0 0.0.0.255 192.168.50.0 0.0.0.255

Regarding the way back for this traffic, it will cross VLAN 101 outbound, so ACL should not be applied to this traffic and it should be allowed.

If traffic back is not allowed then you need to add the way back in your ACL.

ip access-list extended "SecureContent"
    10 permit ip 192.168.101.0 0.0.0.255 192.168.50.0 0.0.0.255
    20 permit ip 192.168.50.0 0.0.0.255 192.168.101.0 0.0.0.255

EDITED to change the line above to reflect proper ACL structure of numbered entries. (10, 20, etc).

Cisco Router ACL – Deny Access to Host on Port 8080, Allow on 80

You should craft an ACL for one direction. Don't put the same ACL on every interface in both directions.

The general ACL rules:

An extended ACL has both the source and destination addresses. It should be placed inbound on the source interface where the source address is. This prevents the denied traffic from being routed at all.
A standard ACL doesn't have the destination address, only the source address. It should be placed outbound on the interface where the destination address is. This means the traffic will be routed, but it prevents the ACL from affecting too much traffic.

Your extended ACL 100 should only be on the router's interface for the VLAN with 192.168.1.0 (per your comment, VLAN 20) as an inbound ACL:

interface Vlan20
 ip access-group 100 in

This will immediately drop any TCP traffic coming into the router from 192.168.1.0/24 destined to 192.168.0.2:8080, preventing the router from having to route that traffic. It will allow ICMP echos and other TCP traffic to 192.168.0.2, but it will deny all other traffic (ACLs have an implicit deny any any as the last statement. You should probably change the ACL so that it will permit all other traffic, unless you really only want to allow hosts on that VLAN to ping and use all other TCP only with 192.168.0.2. The hosts on that VLAN will not be able to get to any other VLAN, except with ping.

Best Answer

Related Solutions

HP Procurve 5406zl – ACL issue

Cisco Router ACL – Deny Access to Host on Port 8080, Allow on 80

Related Topic