Velocity Reviews - Computer Hardware Reviews

Cisco ACL Issue

 
 
bluedude2288 (Junior Member), 10-05-2011
I had a lab today in my Advanced Routing class that threw in a step of applying an ACL to not allow 2 out of the four loopbacks from accessing the loopback of a router 2 hops over. Everything pinged fine and was working before the ACL part.

We got to the ACL part and could not get the router with the 4 loopbacks to block traffic using an extended ACL outbound on the link to the next hop.

We tried putting in a deny ip any any outbound statement and ALL traffic was still allowed.

We called over our instructor and she was stumped and told us to turn it in the way it was. I tried on my home lab and it behaves the same way. So what do I have wrong?

Here is the config the ACL is on.
Code:
Current configuration : 1576 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R2
!
boot-start-marker
boot-end-marker
!
logging message-counter syslog
!
no aaa new-model
memory-size iomem 15
!
!
!
dot11 syslog
ip source-route
!
!
ip cef
!
!
no ipv6 cef
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
voice-card 0
!
!
!
!
!
!
archive
 log config
  hidekeys
!
!
!
!
!
!
interface Loopback97
 ip address 192.168.20.97 255.255.255.252
!
interface Loopback101
 ip address 192.168.20.101 255.255.255.252
!
interface Loopback105
 ip address 192.168.20.105 255.255.255.252
!
interface Loopback109
 ip address 192.168.20.109 255.255.255.252
!
interface FastEthernet0/0
 ip address 192.168.1.161 255.255.255.224
 ip access-group 100 out
 duplex auto
 speed auto
!
interface FastEthernet0/1
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface Serial0/0/0
 no ip address
 shutdown
 clock rate 2000000
!
interface Serial0/0/1
 no ip address
 shutdown
 clock rate 2000000
!
router ospf 1
 log-adjacency-changes
 network 192.168.1.161 0.0.0.0 area 0
 network 192.168.20.0 0.0.0.255 area 20
!
router ospf 20
 log-adjacency-changes
 distance 118 192.168.20.0 0.0.0.255
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
!
!
access-list 100 deny   ip 192.168.20.104 0.0.0.7 10.4.4.0 0.0.0.255
access-list 100 permit ip any any
!
!
!
!
!
!
control-plane
!
!
!
!
!
!
!
!
!
!
line con 0
 logging synchronous
line aux 0
line vty 0 4
 login
!
scheduler allocate 20000 1000
end
When pinging we used ping 10.4.4.4 source loopback 105

Thanks
 

Last edited by bluedude2288; 10-05-2011 at 05:19 PM..
bluedude2288, 10-05-2011
Figured it out!

It won't run through ACLs when the packets originate from a loopback address, but it does from a physical port.

But why?
 
mprasad079 (Junior Member), 12-23-2012
Please share the detailed topology and ACL. Use inbound when applying the ACL, with the proper wildcard mask.
 
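Editor's added example (not code from any poster in this thread) covering the "but why?" in the second post and the inbound suggestion in the third. It parses the two `access-list 100` lines from R2's posted config, evaluates them with IOS wildcard-mask semantics (0 bits must match, 1 bits are don't-care, first match wins, implicit deny at the end) and models the egress path the way IOS behaves: `ip access-group 100 out` is consulted for forwarded (transit) packets only, and packets the router originates itself, such as `ping 10.4.4.4 source loopback 105`, are never run through it. The 10.4.4.4 destination is taken from the thread; the "transit from a host behind R2" case is a constructed scenario, and the config list is a hand-built subset of the posted running-config.

```python
"""Model of how an IOS outbound ACL is, and is not, consulted.

Added example, not code from the thread. Models IOS behaviour: outbound
ACLs filter transit traffic only; router-originated traffic bypasses them.
"""
import ipaddress
from dataclasses import dataclass

# Constructed subset of R2's running-config (the two ACL lines are verbatim).
R2_CONFIG = [
    "interface FastEthernet0/0",
    " ip address 192.168.1.161 255.255.255.224",
    " ip access-group 100 out",
    "access-list 100 deny   ip 192.168.20.104 0.0.0.7 10.4.4.0 0.0.0.255",
    "access-list 100 permit ip any any",
]


@dataclass(frozen=True)
class AclEntry:
    action: str     # "permit" or "deny"
    src: int        # source network as a 32-bit int
    src_wild: int   # wildcard mask: set bits are ignored when comparing
    dst: int
    dst_wild: int


def _to_int(dotted):
    return int(ipaddress.IPv4Address(dotted))


def _parse_addr(tokens, i):
    """Parse `any` | `host A.B.C.D` | `A.B.C.D W.W.W.W` starting at tokens[i]."""
    if tokens[i] == "any":
        return 0, 0xFFFFFFFF, i + 1
    if tokens[i] == "host":
        return _to_int(tokens[i + 1]), 0, i + 2
    return _to_int(tokens[i]), _to_int(tokens[i + 1]), i + 2


def parse_acl(config_lines, number):
    """Collect `access-list <number> {permit|deny} ip SRC DST` lines in order."""
    entries = []
    for line in config_lines:
        t = line.split()
        if len(t) < 6 or t[0] != "access-list" or t[1] != str(number) or t[3] != "ip":
            continue  # only the `ip` protocol form used on the page is modelled
        src, src_wild, i = _parse_addr(t, 4)
        dst, dst_wild, _ = _parse_addr(t, i)
        entries.append(AclEntry(t[2], src, src_wild, dst, dst_wild))
    return entries


def wildcard_match(addr, network, wild):
    """IOS wildcard compare: only the bits that are 0 in `wild` must be equal."""
    care = ~wild & 0xFFFFFFFF
    return (addr & care) == (network & care)


def acl_verdict(acl, src, dst):
    """First matching entry wins; falling off the end is the implicit deny."""
    s, d = _to_int(src), _to_int(dst)
    for e in acl:
        if wildcard_match(s, e.src, e.src_wild) and wildcard_match(d, e.dst, e.dst_wild):
            return e.action
    return "deny"


def egress(acl, src, dst, locally_generated):
    """Verdict of an interface carrying `ip access-group N out` for one packet.

    IOS applies outbound ACLs to forwarded (transit) traffic only; traffic the
    router originates itself is never evaluated against them, which is why
    the loopback-sourced pings in the thread are all delivered.
    """
    if locally_generated:
        return "permit"
    return acl_verdict(acl, src, dst)


def covered_loopbacks(acl, dst="10.4.4.4"):
    """Which of R2's four loopbacks the deny entry actually catches for `dst`."""
    loops = {"Loopback97": "192.168.20.97", "Loopback101": "192.168.20.101",
             "Loopback105": "192.168.20.105", "Loopback109": "192.168.20.109"}
    return sorted(n for n, a in loops.items() if acl_verdict(acl, a, dst) == "deny")


if __name__ == "__main__":
    acl = parse_acl(R2_CONFIG, 100)
    print("loopbacks the deny entry covers:", covered_loopbacks(acl))
    # The lab's ping: sourced by R2 itself, so the outbound ACL is skipped.
    print("R2 ping from Lo105 ->", egress(acl, "192.168.20.105", "10.4.4.4", True))
    # The same addresses as transit traffic, e.g. when the ACL is inbound on the next hop.
    print("transit from .105   ->", egress(acl, "192.168.20.105", "10.4.4.4", False))
```

The wildcard 192.168.20.104 0.0.0.7 covers .104 to .111, so the deny entry does pick out exactly Loopback105 and Loopback109 and the ACL itself is fine; the pings got through because they were router-originated. On real kit the tell is `show ip access-lists 100`: the match counters stay at zero while the loopback-sourced ping succeeds. To make the lab work, either apply the same list inbound on the next-hop router's interface facing R2, where the pings are transit traffic, or source the test from a host behind R2 instead of from R2 itself.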
 