Score:-3

Want to try to block a particular ip address


Network Diagram: [image: network diagram]

Subnet-coloured Network Diagram: [image: subnet-coloured network diagram]

I have the following subnets below. I want to let traffic from the green subnet go everywhere, but the blue subnet should not be able to get into the green network. How do I prevent the blue network from getting into the green network? What should I do on my router?

I have added the access lists of both fire_walls.

[image: access-lists]

Adding the link to the Cisco Packet Tracer project file as well.

Score:1

If I understand the task here, you would like to allow the green subnet to access anything in the entire network (including the blue/purple), while the blue/purple one should not be able to access the green, but should be able to access the internet.

In this case, after you configure the routing (make sure anything can access anything before you start implementing access lists, or you will spend time troubleshooting access issues when in fact the issues are of a routing nature), create an access-list on router_b which would only allow traffic from 192.168.2.0 to 192.168.3.0 if this is "returning" traffic. Consider the access list below:

```
access-list 100 permit tcp 192.168.2.0 0.0.0.255 192.168.3.0 0.0.0.255 established
access-list 100 permit icmp 192.168.2.0 0.0.0.255 192.168.3.0 0.0.0.255 echo-reply
access-list 100 deny ip 192.168.2.0 0.0.0.255 192.168.3.0 0.0.0.255
access-list 100 permit ip any any
```

  1. allows the tcp traffic from 2.0 to 3.0 if the tcp session is established (technically checks for ACK/RST flags, see here for detail or the docs)
  2. allows the icmp traffic from 2.0 to 3.0 if this is icmp-reply (as opposed to icmp-echo)
  3. denies any other traffic from 2.0 to 3.0
  4. allows any other traffic (e.g. traffic to the Internet)

Please note that it is much trickier to do the same with UDP traffic.
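As an added illustration (not part of the answer above), the following Python models how ACL 100 is evaluated against constructed packets arriving inbound on router_b's blue-facing interface; the host addresses, the Internet address and the interface placement are assumptions made for the example.

```python
import ipaddress

def wildcard_match(addr, network, wildcard):
    """Cisco wildcard-mask semantics: a 1 bit in the wildcard means 'don't care'."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    w = int(ipaddress.IPv4Address(wildcard))
    return (a & ~w) == (n & ~w)

# The four entries of ACL 100 from the answer: (action, proto, src, src_wc, dst, dst_wc, option)
ACL_100 = [
    ("permit", "tcp",  "192.168.2.0", "0.0.0.255", "192.168.3.0", "0.0.0.255", "established"),
    ("permit", "icmp", "192.168.2.0", "0.0.0.255", "192.168.3.0", "0.0.0.255", "echo-reply"),
    ("deny",   "ip",   "192.168.2.0", "0.0.0.255", "192.168.3.0", "0.0.0.255", None),
    ("permit", "ip",   "0.0.0.0", "255.255.255.255", "0.0.0.0", "255.255.255.255", None),  # any any
]

def evaluate(acl, pkt):
    """First matching entry decides; every IOS ACL ends in an implicit deny.
    pkt: dict with proto, src, dst, plus tcp_flags (set) or icmp_type as needed."""
    for action, proto, src, swc, dst, dwc, option in acl:
        if proto != "ip" and proto != pkt["proto"]:
            continue
        if not (wildcard_match(pkt["src"], src, swc) and wildcard_match(pkt["dst"], dst, dwc)):
            continue
        # 'established' matches only segments with ACK or RST set, so a bare SYN
        # (a new connection attempt from blue) falls through to the deny entry.
        if option == "established" and not (pkt.get("tcp_flags", set()) & {"ACK", "RST"}):
            continue
        if option == "echo-reply" and pkt.get("icmp_type") != "echo-reply":
            continue
        return action
    return "deny"

def demo():
    """Constructed packets as they arrive inbound on router_b's blue-facing interface
    (assumed to be where the list is applied with 'ip access-group 100 in'). Traffic
    from green leaves through that interface, so this inbound list never sees it."""
    blue, green, internet = "192.168.2.10", "192.168.3.10", "203.0.113.5"  # constructed
    cases = {
        "blue->green new TCP (SYN)":   dict(proto="tcp", src=blue, dst=green, tcp_flags={"SYN"}),
        "blue->green TCP reply (ACK)": dict(proto="tcp", src=blue, dst=green, tcp_flags={"ACK"}),
        "blue->green ping request":    dict(proto="icmp", src=blue, dst=green, icmp_type="echo-request"),
        "blue->green ping reply":      dict(proto="icmp", src=blue, dst=green, icmp_type="echo-reply"),
        # UDP has no ACK flag, so even a reply from blue to green hits the deny (the UDP caveat).
        "blue->green UDP reply":       dict(proto="udp", src=blue, dst=green),
        "blue->Internet":              dict(proto="tcp", src=blue, dst=internet, tcp_flags={"SYN"}),
    }
    return {name: evaluate(ACL_100, p) for name, p in cases.items()}
```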

Cerolina avatar
Can you please kindly check the recent image I have added. It seems that access list does not work.
jabbson avatar
Have you applied the access list to the interface? If so, provide the config output, please.
Cerolina avatar
I have added the drive link of the file, please check.
jabbson avatar
Is it a file from a version after you configured the access list similar to what I showed in my answer?
Cerolina avatar
Yes. I configured the access list in router_b as you said. The "show access list" command shows the list as you said.
jabbson avatar
I downloaded the file, it appears to be the same old version, without my list configured or applied. Have you applied the access list to the interface? Show us how, tell us what changed (if anything)? I keep asking the same question.
Cerolina avatar
First I went to the router_b CLI. Then:

```
Router>en
Router#conf t
Router(config)#access-list 100 permit tcp 192.168.2.0 0.0.0.255 192.168.3.0 0.0.0.255 established
Router(config)#access-list 100 permit icmp 192.168.2.0 0.0.0.255 192.168.3.0 0.0.0.255 echo-reply
Router(config)#access-list 100 deny ip 192.168.2.0 0.0.0.255 192.168.3.0 0.0.0.255
Router(config)#access-list 100 permit ip any any
Router(config)#end
```
jabbson avatar
So you haven't applied the list to the interface (a question I still didn't hear the answer to). To do so, you go to cli and do: en, conf t, interface fa0/0, ip access-list 100 in
jabbson avatar
you should end up with something similar to [this](https://drive.google.com/file/d/1najJJjwk3zvYrYjN_EthX0xcmxXWKJq9/view?usp=sharing)
Cerolina avatar

```
Router>en
Router#conf t
Router(config)#interface fa0/0
Router(config)#access-list 100 permit tcp 192.168.2.0 0.0.0.255 192.168.3.0 0.0.0.255 established
Router(config)#access-list 100 permit icmp 192.168.2.0 0.0.0.255 192.168.3.0 0.0.0.255 echo-reply
Router(config)#access-list 100 deny ip 192.168.2.0 0.0.0.255 192.168.3.0 0.0.0.255
Router(config)#access-list 100 permit ip any any
Router(config)#end
```

Please check, are these commands okay?
jabbson avatar
It is ok, what makes you think otherwise?
Cerolina avatar
Actually it again pings 192.168.3.10 at pc_b, which is not supposed to be pingable. I can't understand what I have missed. Also added the modified pkt file above.
jabbson avatar
Sorry I am not sure I understand the last comment. Right now the configuration prevents you from being able to ping from 192.168.2.10 to 192.168.3.10, which can be seen in the second test in scenario 0. The goal was to allow the green subnet to access anything and prevent blue subnet from accessing the green one. Right now that's exactly what happens, isn't it?
Cerolina avatar
"Right now the configuration prevents you from being able to ping from 192.168.2.10 to 192.168.3.10, which can be seen in the second test in scenario 0. The goal was to allow the green subnet to access anything and prevent blue subnet from accessing the green one" -- This is supposed to happen. But now the green subnet didn't prevent the blue subnet. That's what I mean.
jabbson avatar
Just tested, 2.10 cannot ping 3.10, see the screenshot [here](https://prnt.sc/Is9Azk108BZb)
Cerolina avatar
Can you share your pkt file, please?
jabbson avatar
It is still the same file as the one I shared 8 hours ago in the comment "you should end up with something similar to this". The file name should be `24noo-with-acl.pkt`
Cerolina avatar
Thank you so much dear Jabbson. It finally works as I wanted.