The access list is actually only blocking the icmp packets on the return
path from the "pinged" router or host.  The icmp packets sent outbound by
the router sourcing the pings are actually allowed through the outbound
access list.  This can be seen by adding the "log" extension to your access
list commands.  Then you should see the following message:

%SEC-6-IPACCESSLOGDP: list 100 denied icmp 192.168.10.50 -> 192.168.10.20
(0/0), 1 packet

The key is that you won't see the same log message for the outbound icmp
packets.  You can also run "debug ip packet" to see something similar to the
following:

IP: s=192.168.10.20 (local), d=192.168.10.50 (Ethernet0), len 100, sending
    ICMP type=8, code=0
IP: s=192.168.10.50 (Ethernet0), d=192.168.10.20 , len 100, access denied
    ICMP type=0, code=0

The outbound packets were sent, but the return packets were "access denied".
Hence you get:

C2501-R2#ping 192.168.10.50

 Type escape sequence to abort.
 Sending 5, 100-byte ICMP Echoes to 192.168.10.50, timeout is 2 seconds:
 .....

because the entire ping path consists of both the forwarding AND the return
path.

HTH,
Jason
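As an added illustration of the point above (a constructed model written for this thread, not IOS code or anything the posters ran), the router's own echo requests skip the outbound check while the echo replies coming back hit the inbound ACL, so only the return path shows up as denied in the log:

```python
import re

# Constructed model of the lab in this thread: access-list 100 ("deny icmp any any" then
# "permit ip any any") applied both in and out on the router's Ethernet0. Not IOS code.
ACL_100 = [("deny", "icmp"), ("permit", "ip")]
NO_ACL = [("permit", "ip")]            # interface with no access-group applied
ROUTER, HOST = "192.168.10.20", "192.168.10.50"
LOG_RE = re.compile(r"%SEC-6-IPACCESSLOGDP: list (\S+) denied (\S+) (\S+) -> (\S+) \((\d+)/(\d+)\)")

def acl_action(acl, proto):
    """First matching entry wins; a Cisco ACL ends with an implicit deny."""
    for action, match in acl:
        if match in ("ip", proto):
            return action
    return "deny"

def interface_in(pkt, acl_in, log):
    """Anything arriving on E0 is checked by the inbound ACL before the router uses it."""
    if acl_action(acl_in, pkt["proto"]) == "deny":
        log.append("%SEC-6-IPACCESSLOGDP: list 100 denied {proto} {src} -> {dst} "
                   "({type}/0), 1 packet".format(**pkt))
        return "access denied"
    return "accepted"

def interface_out(pkt, acl_out, locally_sourced):
    """Transit packets are checked by the outbound ACL; packets the router generates
    itself (its own echo requests) skip it, which is the behaviour Jason describes."""
    if locally_sourced or acl_action(acl_out, pkt["proto"]) != "deny":
        return "sent"
    return "access denied"

def ping_from_router(acl_in, acl_out, count=5):
    """Return the IOS-style '!'/'.' result string and the log lines the exchange produced."""
    log, marks = [], ""
    for _ in range(count):
        echo = {"src": ROUTER, "dst": HOST, "proto": "icmp", "type": 8}
        interface_out(echo, acl_out, locally_sourced=True)          # always "sent"
        reply = {"src": HOST, "dst": ROUTER, "proto": "icmp", "type": 0}
        marks += "!" if interface_in(reply, acl_in, log) == "accepted" else "."
    return marks, log

def denied_flows(log_lines):
    """Parse %SEC-6-IPACCESSLOGDP lines into (src, dst, icmp_type) so you can see which
    direction of the exchange was dropped: only the echo replies (type 0) appear."""
    return [(m.group(3), m.group(4), int(m.group(5)))
            for m in map(LOG_RE.search, log_lines) if m]
```

`ping_from_router(ACL_100, ACL_100)` returns "....." plus five denial lines for 192.168.10.50 -> 192.168.10.20 (0/0), while `ping_from_router(NO_ACL, NO_ACL)` returns "!!!!!" and no log, matching the two console captures below.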



"John Hardman" wrote in message news:[EMAIL PROTECTED]...
> Hi
>
> I can't believe I am challenging Priscilla!
>
> I just tried what you are talking about, i.e. that the ACL on the router
> does not affect the traffic generated by the router itself.
>
> I created an extended ACL to block all ICMP traffic and applied it to E0 as
> both IN and OUT. Before applying the ACL I can ping just fine to any host on
> the network and any host on the network can ping the router. After applying
> the ACL I am not able to ping from the router, or to the router.
>
> I am running 11.1 IOS, maybe it would yield different results with a
> different IOS version. What IOS and platform did you see this behavior?
>
> Here's my config.
>
> Windoze PC 192.168.10.50 --- E0 Router2 192.168.10.20
> RedHat PC 192.168.10.2
>
> -------------Router config--------------
> Current configuration:
> !
> version 11.1
> service udp-small-servers
> service tcp-small-servers
> !
> hostname C2501-R2
> !
> enable secret 5 XXX
> enable password none
> !
> ip subnet-zero
> !
> interface Ethernet0
>  ip address 192.168.10.20 255.255.255.0
>  ip access-group 100 in
>  ip access-group 100 out
>  no ip mroute-cache
>  no ip route-cache
> !
> interface Serial0
>  ip address 192.168.50.1 255.255.255.252
>  no ip mroute-cache
>  encapsulation ppp
>  no ip route-cache
> !
> interface Serial1
>  no ip address
>  no ip mroute-cache
>  no ip route-cache
>  shutdown
> !
> ip classless
> logging buffered
> access-list 100 deny   icmp any any
> access-list 100 permit ip any any
> !
> line con 0
>  exec-timeout 0 0
> line aux 0
>  transport input all
> line vty 0 4
>  exec-timeout 0 0
>  password XXXX
>  login
> !
> end
>
> -----------Router Config--------------
>
> -----------Ping results-----------------
>
> C2501-R2#ping 192.168.10.50
>
> Type escape sequence to abort.
> Sending 5, 100-byte ICMP Echoes to 192.168.10.50, timeout is 2 seconds:
> .....
> Success rate is 0 percent (0/5)
> C2501-R2#conf t
> Enter configuration commands, one per line.  End with CNTL/Z.
> C2501-R2(config)#int e0
> C2501-R2(config-if)#no ip access-group 100 in
> C2501-R2(config-if)#no ip access-group 100 out
> C2501-R2(config-if)#^Z
> C2501-R2#
> %SYS-5-CONFIG_I: Configured from console by console
> C2501-R2#ping 192.168.10.50
>
> Type escape sequence to abort.
> Sending 5, 100-byte ICMP Echoes to 192.168.10.50, timeout is 2 seconds:
> !!!!!
> Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
> C2501-R2#
>
> Windoze Ping with ACL ----
> C:\>ping 192.168.10.20
>
> Pinging 192.168.10.20 with 32 bytes of data:
>
> Reply from 192.168.10.20: Destination net unreachable.
> Reply from 192.168.10.20: Destination net unreachable.
> Reply from 192.168.10.20: Destination net unreachable.
> Reply from 192.168.10.20: Destination net unreachable.
>
> Ping statistics for 192.168.10.20:
>     Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
> Approximate round trip times in milli-seconds:
>     Minimum = 0ms, Maximum =  0ms, Average =  0ms
>
> Windoze Ping without ACL ----
>
> C:\>ping 192.168.10.20
>
> Pinging 192.168.10.20 with 32 bytes of data:
>
> Reply from 192.168.10.20: bytes=32 time wrote in message
> news:[EMAIL PROTECTED]...
> > I know it's not what you said. What you said was obvious. I guess it comes
> > about because I said to test with end devices. Router A is acting like an
> > end device in your example. I should have been more clear.
> >
> > What is not obvious is that ACLs on Router B do not apply to pings to and
> > from Router B. Every newbie has probably been bitten by that one,
> > especially in simple labs.
> >
> > Priscilla
> >
> > At 09:42 PM 8/26/01, Brad Ellis wrote:
> > >Priscilla, that's not what I said.  Here's what I said:
> > >
> > >"...pings sent by one router will not be filtered by another router?  "
> > >
> > >Hence my diagram for further explanation:
> > >
> > >Router A -=- Router B -=- Device A
> > >(-=- can be ethernet x-over, serial back-to-back, etc)
> > >
> > >An ACL is applied on Router B's interface (applied inbound) that is
> > >connected to Router A.  What I originally said, and continue to say, is that
> > >Router B will most certainly block packets (pings or whatever) coming from
> > >Router A...and it is irrelevant if Router A is a router or a host device.
> > >The ACL on Router B doesn't care if the device sending packets is a router or
> > >an end host device!
> > >
> > >If Router B was initiating the ping and Router B had the ACL applied, that
> > >would be a different story.
> > >
> > >ttyl,
> > >-Brad Ellis
> > >CCIE#5796
> > >[EMAIL PROTECTED]
> > >used Cisco: www.optsys.net
> > >
> > >"Priscilla Oppenheimer" wrote in message news:[EMAIL PROTECTED]...
> > > > At 08:06 PM 8/26/01, Brad Ellis wrote:
> > > > >Priscilla,
> > > > >
> > > > >Are you saying that pings sent by one router will not be filtered by
> > > > >another router?  I beg to differ.
> > > >
> > > > Of course not. Pings sent by the router where the ACL is configured are
> > > > not affected by the ACL. Try it.
> > > >
> > > > Priscilla
> > > >
> > > >
> > > > >-Brad
> > > > >
> > > > >"Priscilla Oppenheimer" wrote in message news:[EMAIL PROTECTED]...
> > > > > > At 06:26 PM 8/26/01, Brad Ellis wrote:
> > > > > > >Sami,
> > > > > > >
> > > > > > >You'll need to give more info than that.  The router does not care if
> > > > > > >the packets are originated from a host or another router.  It will
> > > > > > >filter packets based on packet information, ie, source address,
> > > > > > >destination address, port #...
> > > > > >
> > > > > > This filtering happens as part of the packet-forwarding process.
> > > > > > Packets sent by the router (such as pings) may not go through this
> > > > > > process.  Sorry that I don't have the details, but I have run into
> > > > > > surprising results in a lab environment when testing access lists
> > > > > > from a router. You need to test them from end hosts.
> > > > > >
> > > > > > I can't believe I'm challenging a CCIE, ;-) but I was afraid nobody
> > > > > > else would, and I think the question bears more research.
> > > > > >
> > > > > > Priscilla
> > > > > >
> > > > > > >Are you saying the router won't filter packets originated from the
> > > > > > >router itself?  How are your access-lists applied?  Inbound or
> > > > > > >Outbound?  What are you trying to filter?  Explain your situation a
> > > > > > >little better, and include your access-list if you so desire.
> > > > > > >
> > > > > > >-Brad Ellis
> > > > > > >CCIE#5796
> > > > > > >[EMAIL PROTECTED]
> > > > > > >used Cisco:  www.optsys.net
> > > > > > >
> > > > > > >"sami natour" wrote in message news:[EMAIL PROTECTED]...
> > > > > > > > Hi All ,
> > > > > > > > When I made a standard access list I discovered that it
> > > > > > > > prevented packets originated from PCs and hosts but
> > > > > > > > not packets originated from other routers. Any idea why
> > > > > > > > this will happen?
> > > > > > > >
> > > > > > > > Best Regards ,
> > > > > > > > sami ,
> > > > > > > >
> > > > > > > >
> > > > > > ________________________
> > > > > >
> > > > > > Priscilla Oppenheimer
> > > > > > http://www.priscilla.com
> > > > ________________________
> > > >
> > > > Priscilla Oppenheimer
> > > > http://www.priscilla.com
> > ________________________
> >
> > Priscilla Oppenheimer
> > http://www.priscilla.com




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=17360&t=17360