Hey Bauke,

The reason your pings are failing is because you are not allowing ICMP in your ACL on R7. For devices to be able to ping the loopback address of R8, the packets need to pass through R7, right? So when the packets are on their way over to R8, they hit the R7 ACL and get dropped because you are not explicitly permitting ICMP traffic.

You need to add something like this prior to the end of the ACL.

    permit icmp any any

Think of it like this: You are on R1 and you issue a ping to 200.0.0.8, what happens? R1 has a route to 200.0.0.8 and it sends it on its way... at some point the packet is inbound to R7 where you have the ACL... R7 looks at the packet, and it sees an ICMP echo-request... is that permitted? Right now in your ACL it is not.

On Wed, Jul 1, 2009 at 2:09 PM, Joe Astorino <[email protected]> wrote:

> Hey Bauke,
>
> First, I am confused with the task at hand here: Volume 2, Lab12, Task 11.1 is in regards to DHCP. But looking at your question here --
>
> 1) Well EIGRP may be working fine, but what does that have to do with ping? Remember, ping utilizes ICMP which is a completely other protocol. Any ping packet in the network on the other side of R7/R8 serial link HAS to go through R7. Since you are not permitting ICMP in your ACL there, it is all getting dropped at R7
>
> 2) Please let me know the correct workbook/task number and I will gladly look into that for you
>
> Regards,
>
> Joe Astorino
> CCIE #24347 (R&S)
> Sr. Support Engineer – IPexpert, Inc.
> URL: http://www.IPexpert.com
>
> *From:* [email protected] [mailto:[email protected]] *On Behalf Of* Bauke Dzavhale
> *Sent:* Wednesday, July 01, 2009 12:19 PM
> *To:* [email protected]
> *Subject:* [OSL | CCIE_RS] Lab 12- Vol 2- Task 11-1
>
> Team,
>
> After configuring security on R7, I can no longer ping R8 interface Lo1 (200.0.0.8) from anywhere in the network.
> The relevant ACL config is as follows:
>
> R7#
>
> # ip access-list extended IPEXPERT
> deny tcp 192.168.80.0 0.0.0.31 any eq www log
>
> ........... truncated ..........................
> permit tcp 192.168.80.0 0.0.0.31 192.168.100.0 0.0.0.255 eq ftp
> permit tcp 192.168.80.0 0.0.0.31 eq ftp 192.168.100.0 0.0.0.255
> permit tcp 192.168.80.0 0.0.0.31 192.168.100.0 0.0.0.255 eq ftp-data
> permit tcp 192.168.80.0 0.0.0.31 eq ftp-data 192.168.100.0 0.0.0.255
> permit icmp host 192.168.11.6 any
> permit tcp host 200.0.0.8 host 200.0.0.5 eq bgp
> permit tcp host 200.0.0.8 eq bgp host 200.0.0.5
> permit eigrp host 192.168.11.6 any
> deny ip any any
>
> questions:
>
> 1- The eigrp traffic has been properly addressed/permitted, consequently I do not see why R7 or any other router cannot ping 200.0.0.8. The route to 200.0.0.8 shows up in R7 routing table though.... Also this is the solution shown in PG
>
> 2- The source address of www and ftp is the ethernet segment of R8. Why is so? The question just asks to permit www and ftp from anywhere, so I would put "any". The PG specifies R8 ethernet segment as the source...
>
> Thanks
>
> Bauke

--
Regards,

Joe Astorino
CCIE #24347 (R&S)
Sr. Support Engineer – IPexpert, Inc.
URL: http://www.IPexpert.com
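The first-match behaviour described in this thread, as an added example that is not part of the original messages: a small Python model of IOS extended-ACL evaluation run over the visible entries of the quoted ACL. It assumes the truncated middle of the ACL contains no ICMP permit, and the ping source 10.0.0.1 is a constructed address.

```python
from ipaddress import ip_address
# Visible entries of the ACL quoted above; the truncated middle is unknown and omitted.
ACL = """\
deny tcp 192.168.80.0 0.0.0.31 any eq www log
permit tcp 192.168.80.0 0.0.0.31 192.168.100.0 0.0.0.255 eq ftp
permit tcp 192.168.80.0 0.0.0.31 eq ftp 192.168.100.0 0.0.0.255
permit tcp 192.168.80.0 0.0.0.31 192.168.100.0 0.0.0.255 eq ftp-data
permit tcp 192.168.80.0 0.0.0.31 eq ftp-data 192.168.100.0 0.0.0.255
permit icmp host 192.168.11.6 any
permit tcp host 200.0.0.8 host 200.0.0.5 eq bgp
permit tcp host 200.0.0.8 eq bgp host 200.0.0.5
permit eigrp host 192.168.11.6 any
deny ip any any""".splitlines()
# The fix suggested in the reply: permit ICMP ahead of the final deny.
FIXED = ACL[:-1] + ["permit icmp any any", ACL[-1]]
PORTS = {"www": 80, "ftp": 21, "ftp-data": 20, "bgp": 179}

def _addr(tok):
    """Consume one address spec (any | host A | A WILDCARD) plus an optional 'eq PORT'."""
    kind = tok.pop(0)
    if kind == "any":
        base, wild = 0, 0xFFFFFFFF
    elif kind == "host":
        base, wild = int(ip_address(tok.pop(0))), 0
    else:
        base, wild = int(ip_address(kind)), int(ip_address(tok.pop(0)))
    port = None
    if tok and tok[0] == "eq":
        port = PORTS[tok[1]]
        del tok[:2]
    return base, wild, port

def _hit(spec, ip, port):
    base, wild, want = spec  # wildcard bits set to 1 are "don't care"
    return (int(ip_address(ip)) | wild) == (base | wild) and want in (None, port)

def evaluate(acl, proto, src, dst, sport=None, dport=None):
    """Return (action, matching line); evaluation stops at the first matching entry."""
    for line in acl:
        tok = line.split()
        action, acl_proto = tok.pop(0), tok.pop(0)
        s, d = _addr(tok), _addr(tok)  # trailing keywords such as 'log' are ignored
        if acl_proto in ("ip", proto) and _hit(s, src, sport) and _hit(d, dst, dport):
            return action, line
    return "deny", "(implicit deny)"

if __name__ == "__main__":  # 10.0.0.1 is a constructed ping source
    for acl in (ACL, FIXED):
        print(evaluate(acl, "icmp", "10.0.0.1", "200.0.0.8"))
```

The `permit eigrp` entry never matches an ICMP packet, so a ping from any source other than 192.168.11.6 falls through to `deny ip any any` until the ICMP permit is placed above it.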
