Try making it an outbound access list only and see what happens.
I haven't played around with it much myself, but I think that the outbound
packets (originating from the router) will pass through the ACL OK.
However I think your ping replies are being blocked on the way back - I'm
not going to dig through manuals right now, but I think the ACL will be
checked and acted on before the router works out that the ping reply is for
itself.
So I think (without testing myself) that Priscilla is only half correct
with the statement "ACLs on Router B do not apply to pings to and from
Router B." - I think they apply to pings *to* router B but not *from*
router B.

JMcL


"John Hardman" wrote on 27/08/2001 02:16 pm (sent by nobody@groupstudy.com; please respond to "John Hardman"):
To: [EMAIL PROTECTED]
Subject: Re: Does access list work for router originated packets [7:17357]




Hi

I can't believe I am challenging Priscilla!

I just tried what you are talking about, i.e. that the ACL on the router
does not affect the traffic generated by the router itself.

I created an extended ACL to block all ICMP traffic and applied it to E0 as
both IN and OUT. Before applying the ACL I can ping just fine to any host on
the network and any host on the network can ping the router. After applying
the ACL I am not able to ping from the router, or to the router.

I am running 11.1 IOS; maybe it would yield different results with a
different IOS version. On what IOS and platform did you see this behavior?

Here's my config.

Windoze PC 192.168.10.50 --- E0 Router2 192.168.10.20
RedHat PC 192.168.10.2

-------------Router config--------------
Current configuration:
!
version 11.1
service udp-small-servers
service tcp-small-servers
!
hostname C2501-R2
!
enable secret 5 XXX
enable password none
!
ip subnet-zero
!
interface Ethernet0
 ip address 192.168.10.20 255.255.255.0
 ip access-group 100 in
 ip access-group 100 out
 no ip mroute-cache
 no ip route-cache
!
interface Serial0
 ip address 192.168.50.1 255.255.255.252
 no ip mroute-cache
 encapsulation ppp
 no ip route-cache
!
interface Serial1
 no ip address
 no ip mroute-cache
 no ip route-cache
 shutdown
!
ip classless
logging buffered
access-list 100 deny   icmp any any
access-list 100 permit ip any any
!
line con 0
 exec-timeout 0 0
line aux 0
 transport input all
line vty 0 4
 exec-timeout 0 0
 password XXXX
 login
!
end

-----------Router Config--------------

-----------Ping results-----------------

C2501-R2#ping 192.168.10.50

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echoes to 192.168.10.50, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
C2501-R2#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
C2501-R2(config)#int e0
C2501-R2(config-if)#no ip access-group 100 in
C2501-R2(config-if)#no ip access-group 100 out
C2501-R2(config-if)#^Z
C2501-R2#
%SYS-5-CONFIG_I: Configured from console by console
C2501-R2#ping 192.168.10.50

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echoes to 192.168.10.50, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
C2501-R2#

Windoze Ping with ACL ----
C:\>ping 192.168.10.20

Pinging 192.168.10.20 with 32 bytes of data:

Reply from 192.168.10.20: Destination net unreachable.
Reply from 192.168.10.20: Destination net unreachable.
Reply from 192.168.10.20: Destination net unreachable.
Reply from 192.168.10.20: Destination net unreachable.

Ping statistics for 192.168.10.20:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum =  0ms, Average =  0ms

Windoze Ping without ACL ----

C:\>ping 192.168.10.20

Pinging 192.168.10.20 with 32 bytes of data:

Reply from 192.168.10.20: bytes=32 time

""Priscilla Oppenheimer"" wrote in message
news:[EMAIL PROTECTED]...
> I know it's not what you said. What you said was obvious. I guess it comes
> about because I said to test with end devices. Router A is acting like an
> end device in your example. I should have been more clear.
>
> What is not obvious is that ACLs on Router B do not apply to pings to and
> from Router B. Every newbie has probably been bitten by that one,
> especially in simple labs.
>
> Priscilla
>
> At 09:42 PM 8/26/01, Brad Ellis wrote:
> >Priscilla, that's not what I said.  Here's what I said:
> >
> >"...pings sent by one router will not be filtered by another router?  "
> >
> >Hence my diagram for further explanation:
> >
> >Router A -=- Router B -=- Device A
> >(-=- can be ethernet x-over, serial back-to-back, etc)
> >
> >An ACL is applied on Router B's interface (applied inbound) that is
> >connected to Router A.  What I originally said, and continue to say, is that
> >Router B will most certainly block packets (pings or whatever) coming from
> >Router A...and it is irrelevant if Router A is a router or a host device.
> >The ACL on Router B doesn't care if the device sending packets is a router or
> >an end host device!
> >
> >If Router B was initiating the ping and Router B had the ACL applied, that
> >would be a different story.
> >
> >ttyl,
> >-Brad Ellis
> >CCIE#5796
> >[EMAIL PROTECTED]
> >used Cisco: www.optsys.net
> >
> >""Priscilla Oppenheimer""  wrote in message
> >news:[EMAIL PROTECTED]...
> > > At 08:06 PM 8/26/01, Brad Ellis wrote:
> > > >Priscilla,
> > > >
> > > >Are you saying that pings sent by one router will not be filtered by another
> > > >router?  I beg to differ.
> > >
> > > Of course not. Pings sent by the router where the ACL is configured are not
> > > affected by the ACL. Try it.
> > >
> > > Priscilla
> > >
> > >
> > > >-Brad
> > > >
> > > >""Priscilla Oppenheimer""  wrote in message
> > > >news:[EMAIL PROTECTED]...
> > > > > At 06:26 PM 8/26/01, Brad Ellis wrote:
> > > > > >Sami,
> > > > > >
> > > > > >You'll need to give more info than that.  The router does not care if the
> > > > > >packets are originated from a host or another router.  It will filter
> > > > > >packets based on packet information, ie, source address, destination
> > > > > >address, port #...
> > > > >
> > > > > This filtering happens as part of the packet-forwarding process. Packets
> > > > > sent by the router (such as pings) may not go through this process. Sorry
> > > > > that I don't have the details, but I have run into surprising results in
> > > > > a lab environment when testing access lists from a router. You need to test
> > > > > them from end hosts.
> > > > >
> > > > > I can't believe I'm challenging a CCIE, ;-) but I was afraid nobody else
> > > > > would, and I think the question bears more research.
> > > > >
> > > > > Priscilla
> > > > >
> > > > > >Are you saying the router won't filter packets originated from the router
> > > > > >itself?  How are your access-lists applied?  Inbound or Outbound?  What are
> > > > > >you trying to filter?  Explain your situation a little better, and include
> > > > > >your access-list if you so desire.
> > > > > >
> > > > > >-Brad Ellis
> > > > > >CCIE#5796
> > > > > >[EMAIL PROTECTED]
> > > > > >used Cisco:  www.optsys.net
> > > > > >
> > > > > >""sami natour""  wrote in message
> > > > > >news:[EMAIL PROTECTED]...
> > > > > > > Hi All,
> > > > > > > When I made a standard access list I discovered that it
> > > > > > > prevented packets originated from PCs and hosts but
> > > > > > > not packets originated from other routers. Any idea why
> > > > > > > this will happen.
> > > > > > >
> > > > > > > Best Regards ,
> > > > > > > sami ,
> > > > > > >
> > > > > > >
> > > > > ________________________
> > > > >
> > > > > Priscilla Oppenheimer
> > > > > http://www.priscilla.com
> > > ________________________
> > >
> > > Priscilla Oppenheimer
> > > http://www.priscilla.com
> ________________________
>
> Priscilla Oppenheimer
> http://www.priscilla.com
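The following is an added illustration, not code from any message in this thread and not IOS source. It models the two IOS rules the thread is arguing about, stated here as this model's assumptions: an inbound access-group is checked on every packet that arrives on an interface, including packets addressed to the router itself, while an outbound access-group is checked only on forwarded packets and never on packets the router originates (Cisco documents the latter for IOS IP access lists). With those two rules the model reproduces John Hardman's lab (access-list 100 on E0 in both directions: the router's own ping times out and the Windows PC gets "Reply from 192.168.10.20: Destination net unreachable", the router's own ICMP unreachable for the inbound deny) and JMcL's prediction for an outbound-only ACL, where pings to and from the router both succeed but transit ICMP is still dropped. The host and WAN peer addresses beyond those in the posted config are constructed for the example.

```python
"""Model of an IOS 'ip access-group ... in/out' on one interface.

Assumed behaviour (see lead-in): inbound ACL applies to everything that
arrives, outbound ACL applies to forwarded packets only, and an inbound
deny is answered with an ICMP unreachable (type 3, code 13) by the router.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional

ECHO, ECHO_REPLY = 8, 0


@dataclass
class Packet:
    src: str
    dst: str
    proto: str                  # "icmp", "tcp", "udp"
    icmp_type: int = ECHO


@dataclass
class Ace:
    """One access-list entry, e.g. Ace("deny", "icmp", "any", "any")."""
    action: str                 # "permit" or "deny"
    proto: str                  # "ip" matches every protocol
    src: str                    # "any", "host A.B.C.D" or "A.B.C.D/len"
    dst: str

    @staticmethod
    def _addr_match(spec: str, addr: str) -> bool:
        if spec == "any":
            return True
        if spec.startswith("host "):
            return ip_address(addr) == ip_address(spec[5:])
        return ip_address(addr) in ip_network(spec, strict=False)

    def matches(self, p: Packet) -> bool:
        return (self.proto in ("ip", p.proto)
                and self._addr_match(self.src, p.src)
                and self._addr_match(self.dst, p.dst))


def acl_permits(acl: Optional[List[Ace]], p: Packet) -> bool:
    """First match wins; no access-group means no filtering; a packet that
    matches no entry hits the implicit deny at the end of the list."""
    if acl is None:
        return True
    for ace in acl:
        if ace.matches(p):
            return ace.action == "permit"
    return False


@dataclass
class Interface:
    address: str                         # the router's own address on the link
    acl_in: Optional[List[Ace]] = None   # ip access-group N in
    acl_out: Optional[List[Ace]] = None  # ip access-group N out


class Router:
    def __init__(self, ifaces: Dict[str, Interface]):
        self.ifaces = ifaces

    def receive(self, ifname: str, p: Packet) -> str:
        """Packet arriving on ifname: 'denied', 'local' or 'forwarded'. The
        inbound ACL is consulted before the router notices the packet is for
        itself, so a denied echo-reply never reaches the ping process."""
        if not acl_permits(self.ifaces[ifname].acl_in, p):
            return "denied"              # router answers with ICMP 3/13 here
        if any(i.address == p.dst for i in self.ifaces.values()):
            return "local"
        return "forwarded"

    def transmit(self, ifname: str, p: Packet, originated: bool) -> bool:
        """Outbound ACL applies to forwarded packets, not router-sourced ones."""
        return originated or acl_permits(self.ifaces[ifname].acl_out, p)


def router_ping(r: Router, ifname: str, host: str) -> str:
    """'!' or '.' as IOS ping prints it: the echo leaves unfiltered, the
    echo-reply comes back in through the inbound ACL."""
    me = r.ifaces[ifname].address
    r.transmit(ifname, Packet(me, host, "icmp", ECHO), originated=True)
    return "!" if r.receive(ifname, Packet(host, me, "icmp", ECHO_REPLY)) == "local" else "."


def host_ping(r: Router, ifname: str, host: str) -> str:
    """What a Windows ping of the router's own address reports."""
    me = r.ifaces[ifname].address
    if r.receive(ifname, Packet(host, me, "icmp", ECHO)) == "denied":
        return "Destination net unreachable"
    r.transmit(ifname, Packet(me, host, "icmp", ECHO_REPLY), originated=True)
    return "Reply"


def transit(r: Router, in_if: str, out_if: str, p: Packet) -> bool:
    """A forwarded packet must pass the ingress 'in' ACL and the egress 'out' ACL."""
    return r.receive(in_if, p) == "forwarded" and r.transmit(out_if, p, originated=False)


# access-list 100 deny icmp any any / access-list 100 permit ip any any
ACL_100 = [Ace("deny", "icmp", "any", "any"), Ace("permit", "ip", "any", "any")]
WINDOWS_PC = "192.168.10.50"


def lab(acl_in: Optional[List[Ace]], acl_out: Optional[List[Ace]]) -> Dict[str, object]:
    """C2501-R2 from the thread with ACL 100 applied to E0 as requested."""
    r = Router({"Ethernet0": Interface("192.168.10.20", acl_in, acl_out),
                "Serial0": Interface("192.168.50.1")})
    wan_echo = Packet("192.168.50.2", WINDOWS_PC, "icmp", ECHO)  # constructed WAN peer
    return {"router_ping": router_ping(r, "Ethernet0", WINDOWS_PC),
            "host_ping": host_ping(r, "Ethernet0", WINDOWS_PC),
            "transit_icmp": transit(r, "Serial0", "Ethernet0", wan_echo)}


if __name__ == "__main__":
    for label, a_in, a_out in (("in+out", ACL_100, ACL_100), ("in only", ACL_100, None),
                               ("out only", None, ACL_100), ("none", None, None)):
        print(f"{label:9}", lab(a_in, a_out))
```

On a real box the same thing can be checked without a model: clear the counters, repeat the pings, and look at `show access-lists`. For a router-sourced ping the inbound deny entry's match counter climbs (the returning echo-replies) while the outbound copy of the list shows no hits, and testing from an end host, as Priscilla suggests, avoids the confusion entirely.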




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=17361&t=17361
--------------------------------------------------
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
