Try making it an outbound access list only and see what happens. I haven't played around with it much myself, but I think that the outbound packets (originating from the router) will pass through the ACL OK. However, I think your ping replies are being blocked on the way back - I'm not going to dig through manuals right now, but I think the ACL will be checked and acted on before the router works out that the ping reply is for itself. So I think (without testing myself) that Priscilla is only half correct with the statement "ACLs on Router B do not apply to pings to and from Router B." - I think they apply to pings *to* router B but not *from* router B.

JMcL


"John Hardman"                 To:       [EMAIL PROTECTED]
Sent by:                       Subject:  Re: Does access list work for router originated packets [7:17357]
nobody@groupstudy.com
27/08/2001 02:16 pm
Please respond to "John Hardman"


Hi

I can't believe I am challenging Priscilla! I just tried what you are talking about, i.e. that the ACL on the router does not affect the traffic generated by the router itself. I created an extended ACL to block all ICMP traffic and applied it to E0 as both IN and OUT. Before applying the ACL I can ping just fine to any host on the network and any host on the network can ping the router. After applying the ACL I am not able to ping from the router, or to the router.

I am running 11.1 IOS; maybe it would yield different results with a different IOS version. On what IOS and platform did you see this behavior?

Here's my config.

Windoze PC 192.168.10.50 ---
                             E0 Router2 192.168.10.20
RedHat PC  192.168.10.2  ---

-------------Router config--------------
Current configuration:
!
version 11.1
service udp-small-servers
service tcp-small-servers
!
hostname C2501-R2
!
enable secret 5 XXX
enable password none
!
ip subnet-zero
!
interface Ethernet0
 ip address 192.168.10.20 255.255.255.0
 ip access-group 100 in
 ip access-group 100 out
 no ip mroute-cache
 no ip route-cache
!
interface Serial0
 ip address 192.168.50.1 255.255.255.252
 no ip mroute-cache
 encapsulation ppp
 no ip route-cache
!
interface Serial1
 no ip address
 no ip mroute-cache
 no ip route-cache
 shutdown
!
ip classless
logging buffered
access-list 100 deny icmp any any
access-list 100 permit ip any any
!
line con 0
 exec-timeout 0 0
line aux 0
 transport input all
line vty 0 4
 exec-timeout 0 0
 password XXXX
 login
!
end
-----------Router Config--------------

-----------Ping results-----------------
C2501-R2#ping 192.168.10.50

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echoes to 192.168.10.50, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
C2501-R2#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
C2501-R2(config)#int e0
C2501-R2(config-if)#no ip access-group 100 in
C2501-R2(config-if)#no ip access-group 100 out
C2501-R2(config-if)#^Z
C2501-R2#
%SYS-5-CONFIG_I: Configured from console by console
C2501-R2#ping 192.168.10.50

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echoes to 192.168.10.50, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
C2501-R2#

Windoze Ping with ACL ----
C:\>ping 192.168.10.20

Pinging 192.168.10.20 with 32 bytes of data:

Reply from 192.168.10.20: Destination net unreachable.
Reply from 192.168.10.20: Destination net unreachable.
Reply from 192.168.10.20: Destination net unreachable.
Reply from 192.168.10.20: Destination net unreachable.

Ping statistics for 192.168.10.20:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 0ms, Average = 0ms

Windoze Ping without ACL ----
C:\>ping 192.168.10.20

Pinging 192.168.10.20 with 32 bytes of data:

Reply from 192.168.10.20: bytes=32 time

wrote in message news:[EMAIL PROTECTED]...
> I know it's not what you said. What you said was obvious. I guess it comes
> about because I said to test with end devices. Router A is acting like an
> end device in your example. I should have been more clear.
>
> What is not obvious is that ACLs on Router B do not apply to pings to and
> from Router B. Every newbie has probably been bitten by that one,
> especially in simple labs.
>
> Priscilla
>
> At 09:42 PM 8/26/01, Brad Ellis wrote:
> >Priscilla, that's not what I said. Here's what I said:
> >
> >"...pings sent by one router will not be filtered by another router? "
> >
> >Hence my diagram for further explanation:
> >
> >Router A -=- Router B -=- Device A
> >(-=- can be ethernet x-over, serial back-to-back, etc)
> >
> >An ACL is applied on Router B's interface (applied inbound) that is
> >connected to Router A. What I originally said, and continue to say, is that
> >Router B will most certainly block packets (pings or whatever) coming from
> >Router A...and it is irrelevant if Router A is a router or a host device.
> >The ACL on Router B doesn't care if the device sending packets is a router or
> >an end host device!
> >
> >If Router B was initiating the ping and Router B had the ACL applied, that
> >would be a different story.
> >
> >ttyl,
> >-Brad Ellis
> >CCIE#5796
> >[EMAIL PROTECTED]
> >used Cisco: www.optsys.net
> >
> >""Priscilla Oppenheimer"" wrote in message
> >news:[EMAIL PROTECTED]...
> > > At 08:06 PM 8/26/01, Brad Ellis wrote:
> > > >Priscilla,
> > > >
> > > >Are you saying that pings sent by one router will not be filtered by
> > > >another router? I beg to differ.
> > >
> > > Of course not. Pings sent by the router where the ACL is configured are
> > > not affected by the ACL. Try it.
> > >
> > > Priscilla
> > >
> > > >-Brad
> > > >
> > > >""Priscilla Oppenheimer"" wrote in message
> > > >news:[EMAIL PROTECTED]...
> > > > > At 06:26 PM 8/26/01, Brad Ellis wrote:
> > > > > >Sami,
> > > > > >
> > > > > >You'll need to give more info than that. The router does not care if
> > > > > >the packets are originated from a host or another router. It will
> > > > > >filter packets based on packet information, ie, source address,
> > > > > >destination address, port #...
> > > > >
> > > > > This filtering happens as part of the packet-forwarding process.
> > > > > Packets sent by the router (such as pings) may not go through this
> > > > > process. Sorry that I don't have the details, but I have run into
> > > > > surprising results in a lab environment when testing access lists
> > > > > from a router. You need to test them from end hosts.
> > > > >
> > > > > I can't believe I'm challenging a CCIE, ;-) but I was afraid nobody
> > > > > else would, and I think the question bears more research.
> > > > >
> > > > > Priscilla
> > > > >
> > > > > >Are you saying the router won't filter packets originated from the
> > > > > >router itself? How are your access-lists applied? Inbound or
> > > > > >Outbound? What are you trying to filter? Explain your situation a
> > > > > >little better, and include your access-list if you so desire.
> > > > > >
> > > > > >-Brad Ellis
> > > > > >CCIE#5796
> > > > > >[EMAIL PROTECTED]
> > > > > >used Cisco: www.optsys.net
> > > > > >
> > > > > >""sami natour"" wrote in message
> > > > > >news:[EMAIL PROTECTED]...
> > > > > > > Hi All,
> > > > > > > When I made a standard access list I discovered that it
> > > > > > > prevented packets originated from PCs and hosts but
> > > > > > > not packets originated from other routers. Any idea why
> > > > > > > this will happen.
> > > > > > >
> > > > > > > Best Regards,
> > > > > > > sami
> > > > > ________________________
> > > > >
> > > > > Priscilla Oppenheimer
> > > > > http://www.priscilla.com
> > > ________________________
> > >
> > > Priscilla Oppenheimer
> > > http://www.priscilla.com
> ________________________
>
> Priscilla Oppenheimer
> http://www.priscilla.com

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=17361&t=17361
--------------------------------------------------
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
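The thread turns on two separate things: how an IOS extended access list decides a packet's fate (top-down, first match wins, implicit deny at the end), and whether packets the router itself originates are even run through the outbound ACL. The following Python model, added here as an illustration and not code from any of the posters or from Cisco, reproduces John Hardman's `access-list 100` and his lab addresses (192.168.10.20 for the router, 192.168.10.50 for the Windows PC) and evaluates the four packets in play: the PC's echo request arriving inbound, the router's own echo request leaving outbound, the PC's echo reply arriving inbound, and a TCP packet that falls through to `permit ip any any`. The ACL matching rules (wildcard masks, `any`, `host`, protocol `ip` matching every protocol, implicit deny, and an ICMP unreachable sent back when an inbound packet is denied) are standard IOS behaviour; whether the outbound ACL sees router-originated traffic is the disputed point, so the model takes it as a parameter rather than asserting either answer. Function and variable names are the example's own.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class AclEntry:
    action: str      # "permit" or "deny"
    protocol: str    # "ip" (matches everything), "icmp", "tcp", "udp"
    src_net: int
    src_wild: int
    dst_net: int
    dst_wild: int


def _parse_addr(tokens):
    """Consume one IOS address spec: 'any', 'host A.B.C.D' or 'A.B.C.D W.W.W.W'.
    Returns (network, wildcard, number of tokens consumed)."""
    if tokens[0] == "any":
        return 0, 0xFFFFFFFF, 1
    if tokens[0] == "host":
        return int(ipaddress.IPv4Address(tokens[1])), 0, 2
    return (int(ipaddress.IPv4Address(tokens[0])),
            int(ipaddress.IPv4Address(tokens[1])), 2)


def parse_acl(text):
    """Parse 'access-list <n> permit|deny <proto> <src> <dst>' lines, keeping
    the configured order, because IOS evaluates entries top-down."""
    entries = []
    for line in text.strip().splitlines():
        tok = line.split()
        if len(tok) < 6 or tok[0] != "access-list":
            continue
        src_net, src_wild, used = _parse_addr(tok[4:])
        dst_net, dst_wild, _ = _parse_addr(tok[4 + used:])
        entries.append(AclEntry(tok[2], tok[3], src_net, src_wild, dst_net, dst_wild))
    return entries


def _wild_match(addr, net, wild):
    # Wildcard bit 1 = "don't care", 0 = "must match" (inverse of a subnet mask).
    return (addr & ~wild & 0xFFFFFFFF) == (net & ~wild & 0xFFFFFFFF)


def evaluate(acl, proto, src, dst):
    """Verdict for one packet. acl=None means no access-group is applied to
    the interface in that direction, so everything passes."""
    if acl is None:
        return "permit"
    s, d = int(ipaddress.IPv4Address(src)), int(ipaddress.IPv4Address(dst))
    for e in acl:
        if e.protocol not in ("ip", proto):
            continue
        if _wild_match(s, e.src_net, e.src_wild) and _wild_match(d, e.dst_net, e.dst_wild):
            return e.action          # first match wins
    return "deny"                    # implicit deny at the end of every IOS ACL


# Addresses and ACL from John Hardman's lab, reused as the sample input.
ROUTER, PC = "192.168.10.20", "192.168.10.50"
ACL_100 = parse_acl("""
access-list 100 deny icmp any any
access-list 100 permit ip any any
""")


def ping_router_from_pc(acl_in):
    """PC -> router echo request arrives inbound on E0. When the inbound ACL
    denies it, IOS drops it and answers the sender with an ICMP unreachable,
    which is what the Windows 'Destination net unreachable' lines show."""
    return "reply" if evaluate(acl_in, "icmp", PC, ROUTER) == "permit" else "unreachable"


def ping_pc_from_router(acl_in, acl_out, out_acl_sees_router_traffic):
    """Router -> PC echo request leaves E0 outbound; the echo reply returns
    inbound. Whether router-generated packets are subject to the outbound ACL
    is the thread's open question, so it is a parameter here (assumption)."""
    if out_acl_sees_router_traffic and evaluate(acl_out, "icmp", ROUTER, PC) == "deny":
        return "request dropped outbound"
    if evaluate(acl_in, "icmp", PC, ROUTER) == "deny":
        return "reply dropped inbound"
    return "success"


if __name__ == "__main__":
    print("PC pings router, ACL 100 in:", ping_router_from_pc(ACL_100))
    print("Router pings PC, ACL 100 in+out:", ping_pc_from_router(ACL_100, ACL_100, False))
    print("Router pings PC, ACL 100 out only, router traffic bypasses out ACL:",
          ping_pc_from_router(None, ACL_100, False))
```

Run as-is it prints the verdicts for John's configuration (ACL 100 both in and out) and for JMcL's suggested experiment (outbound only). Note that with the ACL applied in both directions the router's ping fails in the model regardless of the disputed parameter, because even if the outbound request escapes, the inbound ACL eats the echo reply before the router can claim it; that is why John's test alone cannot distinguish the two explanations, and why JMcL suggests removing the inbound copy.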