You can use a local policy route to get packets generated by the router to go
through an ACL. Not as straightforward, but...

--- "[EMAIL PROTECTED]" wrote:
> Try making it an outbound access list only and see what happens.
> I haven't played around with it much myself, but I think that the outbound
> packets (originating from the router) will pass through the ACL OK.
> However I think your ping replies are being blocked on the way back - I'm
> not going to dig through manuals right now, but I think the ACL will be
> checked and acted on before the router works out that the ping reply is for
> itself.
> So I think (without testing myself) that Priscilla is only half correct
> with the statement "ACLs on Router B do not apply to pings to and from
> Router B." - I think they apply to pings *to* router B but not *from*
> router B.
> 
> JMcL
> 
> 
> "John Hardman"
> Sent by: nobody@groupstudy.com
> 27/08/2001 02:16 pm
> Please respond to "John Hardman"
> 
> To: [EMAIL PROTECTED]
> Subject: Re: Does access list work for router originated packets [7:17357]
> 
> 
> Hi
> 
> I can't believe I am challenging Priscilla!
> 
> I just tried what you are talking about, i.e. that the ACL on the router
> does not affect the traffic generated by the router itself.
> 
> I created an extended ACL to block all ICMP traffic and applied it to E0 as
> both IN and OUT. Before applying the ACL I can ping just fine to any host on
> the network and any host on the network can ping the router. After applying
> the ACL I am not able to ping from the router, or to the router.
> 
> I am running 11.1 IOS, maybe it would yield different results with a
> different IOS version. On what IOS and platform did you see this behavior?
> 
> Here's my config.
> 
> Windoze PC 192.168.10.50 --- E0 Router2 192.168.10.20
> RedHat PC 192.168.10.2
> 
> -------------Router config--------------
> Current configuration:
> !
> version 11.1
> service udp-small-servers
> service tcp-small-servers
> !
> hostname C2501-R2
> !
> enable secret 5 XXX
> enable password none
> !
> ip subnet-zero
> !
> interface Ethernet0
>  ip address 192.168.10.20 255.255.255.0
>  ip access-group 100 in
>  ip access-group 100 out
>  no ip mroute-cache
>  no ip route-cache
> !
> interface Serial0
>  ip address 192.168.50.1 255.255.255.252
>  no ip mroute-cache
>  encapsulation ppp
>  no ip route-cache
> !
> interface Serial1
>  no ip address
>  no ip mroute-cache
>  no ip route-cache
>  shutdown
> !
> ip classless
> logging buffered
> access-list 100 deny   icmp any any
> access-list 100 permit ip any any
> !
> line con 0
>  exec-timeout 0 0
> line aux 0
>  transport input all
> line vty 0 4
>  exec-timeout 0 0
>  password XXXX
>  login
> !
> end
> 
> -----------Router Config--------------
> 
> -----------Ping results-----------------
> 
> C2501-R2#ping 192.168.10.50
> 
> Type escape sequence to abort.
> Sending 5, 100-byte ICMP Echoes to 192.168.10.50, timeout is 2 seconds:
> .....
> Success rate is 0 percent (0/5)
> C2501-R2#conf t
> Enter configuration commands, one per line.  End with CNTL/Z.
> C2501-R2(config)#int e0
> C2501-R2(config-if)#no ip access-group 100 in
> C2501-R2(config-if)#no ip access-group 100 out
> C2501-R2(config-if)#^Z
> C2501-R2#
> %SYS-5-CONFIG_I: Configured from console by console
> C2501-R2#ping 192.168.10.50
> 
> Type escape sequence to abort.
> Sending 5, 100-byte ICMP Echoes to 192.168.10.50, timeout is 2 seconds:
> !!!!!
> Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
> C2501-R2#
> 
> Windoze Ping with ACL ----
> C:\>ping 192.168.10.20
> 
> Pinging 192.168.10.20 with 32 bytes of data:
> 
> Reply from 192.168.10.20: Destination net unreachable.
> Reply from 192.168.10.20: Destination net unreachable.
> Reply from 192.168.10.20: Destination net unreachable.
> Reply from 192.168.10.20: Destination net unreachable.
> 
> Ping statistics for 192.168.10.20:
>     Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
> Approximate round trip times in milli-seconds:
>     Minimum = 0ms, Maximum =  0ms, Average =  0ms
> 
> Windoze Ping without ACL ----
> 
> C:\>ping 192.168.10.20
> 
> Pinging 192.168.10.20 with 32 bytes of data:
> 
> Reply from 192.168.10.20: bytes=32 time wrote in message
> news:[EMAIL PROTECTED]...
> > I know it's not what you said. What you said was obvious. I guess it comes
> > about because I said to test with end devices. Router A is acting like an
> > end device in your example. I should have been more clear.
> >
> > What is not obvious is that ACLs on Router B do not apply to pings to and
> > from Router B. Every newbie has probably been bitten by that one,
> > especially in simple labs.
> >
> > Priscilla
> >
> > At 09:42 PM 8/26/01, Brad Ellis wrote:
> > >Priscilla, that's not what I said.  Here's what I said:
> > >
> > >"...pings sent by one router will not be filtered by another router?  "
> > >
> > >Hence my diagram for further explanation:
> > >
> > >Router A -=- Router B -=- Device A
> > >(-=- can be ethernet x-over, serial back-to-back, etc)
> > >
> > >An ACL is applied on Router B's interface (applied inbound) that is
> > >connected to Router A.  What I originally said, and continue to say, is
> > >that Router B will most certainly block packets (pings or whatever) coming
> > >from Router A...and it is irrelevant if Router A is a router or a host
> > >device. The ACL on Router B doesn't care if the device sending packets is
> > >a router or an end host device!
> > >
> > >If Router B was initiating the ping and Router B had the ACL applied,
> > >that would be a different story.
> > >
> > >ttyl,
> > >-Brad Ellis
> > >CCIE#5796
> > >[EMAIL PROTECTED]
> > >used Cisco: www.optsys.net
> > >
> > >""Priscilla Oppenheimer""  wrote in message
> > >news:[EMAIL PROTECTED]...
> > > > At 08:06 PM 8/26/01, Brad Ellis wrote:
> > > > >Priscilla,
> > > > >
> > > > >Are you saying that pings sent by one router will not be filtered by
> > > > >another router?  I beg to differ.
> > > >
> > > > Of course not. Pings sent by the router where the ACL is configured
> > > > are not affected by the ACL. Try it.
> > > >
> > > > Priscilla
> > > >
> > > >
> > > > >-Brad
> > > > >
> > > > >""Priscilla Oppenheimer""  wrote in message
> > > > >news:[EMAIL PROTECTED]...
> > > > > > At 06:26 PM 8/26/01, Brad Ellis wrote:
> > > > > > >Sami,
> > > > > > >
> > > > > > >You'll need to give more info than that.  The router does not
> > > > > > >care if the packets are originated from a host or another router.
> > > > > > >It will filter packets based on packet information, ie, source
> > > > > > >address, destination address, port #...
> > > > > >
> > > > > > This filtering happens as part of the packet-forwarding process.
> > > > > > Packets sent by the router (such as pings) may not go through this
> > > > > > process. Sorry that I don't have the details, but I have run into
> > > > > > surprising results in a lab environment when testing access lists
> > > > > > from a router. You need to test them from end hosts.
> > > > > >
> > > > > > I can't believe I'm challenging a CCIE, ;-) but I was afraid
> > > > > > nobody else would, and I think the question bears more research.
> > > > > >
> > > > > > Priscilla
> > > > > >
> > > > > > >Are you saying the router won't filter packets originated from
> > > > > > >the router itself?  How are your access-lists applied?  Inbound
> > > > > > >or Outbound?  What are you trying to filter?  Explain your
> > > > > > >situation a little better, and include your access-list if you
> > > > > > >so desire.
> > > > > > >
> > > > > > >-Brad Ellis
> > > > > > >CCIE#5796
> > > > > > >[EMAIL PROTECTED]
> > > > > > >used Cisco:  www.optsys.net
> > > > > > >
> > > > > > >""sami natour""  wrote in message
> > > > > > >news:[EMAIL PROTECTED]...
> > > > > > > > Hi All,
> > > > > > > > When I made a standard access list I discovered that it
> > > > > > > > prevented packets originated from PCs and hosts but
> > > > > > > > not packets originated from other routers. Any idea why
> > > > > > > > this will happen?
> > > > > > > >
> > > > > > > > Best Regards,
> > > > > > > > sami,
> > > > > > > >
> > > > > > ________________________
> > > > > >
> > > > > > Priscilla Oppenheimer
> > > > > > http://www.priscilla.com
> > > > ________________________
> > > >
> > > > Priscilla Oppenheimer
> > > > http://www.priscilla.com
> > ________________________
> >
> > Priscilla Oppenheimer
> > http://www.priscilla.com
[EMAIL PROTECTED]
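
One way the local policy route suggested at the top of this message could be
configured, as an added example and not configuration posted by anyone in the
thread. The thread's observation is that an ACL applied outbound on an
interface is part of the forwarding path and may not be consulted for packets
the router itself generates; a route-map applied with `ip local policy
route-map`, by contrast, is evaluated only for locally generated packets, so an
ACL referenced by its `match ip address` clause is checked for exactly that
traffic. The ACL number 101 and the route-map name LOCAL-FILTER are assumed,
and the ACL's `permit` entries select what the route-map acts on (a `deny` in
the matched ACL means "no match", so ACL 100 from the config above cannot be
reused as-is). Whether `ip local policy` is available on a given platform and
IOS release is something to confirm on the box, since this example is not
tied to the 11.1 image in the thread.

```cisco
! Added example (not from the thread). Assumed names: ACL 101, route-map LOCAL-FILTER.
!
! ACL 101 selects the router's own traffic to be dropped. Note the inverted
! logic compared with an interface ACL: a PBR match clause only matches on
! permit entries, so "permit" here means "select for the set action".
access-list 101 permit icmp any any
!
! Clause 10: locally generated packets matching ACL 101 are sent to Null0,
! i.e. silently discarded. Packets that do not match fall through the
! route-map and are forwarded by the normal routing table, so no further
! clause is needed to let other router-originated traffic through.
route-map LOCAL-FILTER permit 10
 match ip address 101
 set interface Null0
!
! Apply the route-map to locally generated traffic only. Transit traffic
! is unaffected; it is still governed by the interface ACLs.
ip local policy route-map LOCAL-FILTER
!
! Verification (exec mode): confirm the policy is attached and watch the
! per-clause match counter increase while pinging from the router.
!   show ip local policy
!   show route-map LOCAL-FILTER
```

The counter shown by `show route-map LOCAL-FILTER` is the quickest way to tell
whether router-originated packets are actually being evaluated by the ACL,
which is the point the thread was unsure about; a ping from the router that
fails while the clause 10 counter climbs demonstrates the local policy path is
doing the filtering, independent of what the interface ACL does.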


Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=17365&t=17365
--------------------------------------------------
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
