At 08:38 AM 8/27/01, Ednilson Rosa wrote:
>Yes, that's right! I have a configuration where I set up an ACL to
>completely filter telnet FROM and TO a certain network connected to it. I
>applied the ACL both inbound and outbound on an Ethernet interface. Done
>this, no one could telnet my router or any host on that Ethernet segment
>passing through my router. But I WAS ABLE to telnet any host on that segment
>as long as I originated the telnet from the router itself!

Ah hah! ;-) This is the type of anomaly that I'm talking about. I know I 
need to test it, but I don't have time right now....

It sounds like the bottom line is that output traffic from the router 
itself does not actually go through the ACL. Pings may still fail, however, 
if the Ping reply does go through an ACL that blocks it.

Telnet from the router does not go through the ACL either. The replies may 
get through, depending on the ACL, as Ednilson describes below. In the 
classroom, our students get confused by this. They set up an ACL and test 
from the router where the ACL is configured and the ACL doesn't block 
traffic as expected.

If I'm still off base, just let me know. I don't mind at all! ;-)

Priscilla

> From which you
>may conclude that an ACL doesn't affect packets originated on the router on
>which it is applied...
>
>Regards,
>
>Ednilson Rosa
>
>----- Original Message -----
>From: "John Hardman"
>To:
>Sent: Monday, August 27, 2001 1:16 AM
>Subject: Re: Does access list work for router originated packets [7:17357]
>
>
>Hi
>
>I can't believe I am challenging Priscilla!
>
>I just tried what you are talking about, i.e. that the ACL on the router
>does not affect the traffic generated by the router itself.
>
>I created an extended ACL to block all ICMP traffic and applied it to E0 as
>both IN and OUT. Before applying the ACL I can ping just fine to any host on
>the network and any host on the network can ping the router. After applying
>the ACL I am not able to ping from the router, or to the router.
>
>I am running 11.1 IOS, maybe it would yield different results with a
>different IOS version. On what IOS and platform did you see this behavior?
>
>Here's my config.
>
>Windoze PC 192.168.10.50 --- E0 Router2 192.168.10.20
>RedHat PC 192.168.10.2
>
>-------------Router config--------------
>Current configuration:
>!
>version 11.1
>service udp-small-servers
>service tcp-small-servers
>!
>hostname C2501-R2
>!
>enable secret 5 XXX
>enable password none
>!
>ip subnet-zero
>!
>interface Ethernet0
>  ip address 192.168.10.20 255.255.255.0
>  ip access-group 100 in
>  ip access-group 100 out
>  no ip mroute-cache
>  no ip route-cache
>!
>interface Serial0
>  ip address 192.168.50.1 255.255.255.252
>  no ip mroute-cache
>  encapsulation ppp
>  no ip route-cache
>!
>interface Serial1
>  no ip address
>  no ip mroute-cache
>  no ip route-cache
>  shutdown
>!
>ip classless
>logging buffered
>access-list 100 deny   icmp any any
>access-list 100 permit ip any any
>!
>line con 0
>  exec-timeout 0 0
>line aux 0
>  transport input all
>line vty 0 4
>  exec-timeout 0 0
>  password XXXX
>  login
>!
>end
>
>-----------Router Config--------------
>
>-----------Ping results-----------------
>
>C2501-R2#ping 192.168.10.50
>
>Type escape sequence to abort.
>Sending 5, 100-byte ICMP Echoes to 192.168.10.50, timeout is 2 seconds:
>.....
>Success rate is 0 percent (0/5)
>C2501-R2#conf t
>Enter configuration commands, one per line.  End with CNTL/Z.
>C2501-R2(config)#int e0
>C2501-R2(config-if)#no ip access-group 100 in
>C2501-R2(config-if)#no ip access-group 100 out
>C2501-R2(config-if)#^Z
>C2501-R2#
>%SYS-5-CONFIG_I: Configured from console by console
>C2501-R2#ping 192.168.10.50
>
>Type escape sequence to abort.
>Sending 5, 100-byte ICMP Echoes to 192.168.10.50, timeout is 2 seconds:
>!!!!!
>Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
>C2501-R2#
>
>Windoze Ping with ACL ----
>C:\>ping 192.168.10.20
>
>Pinging 192.168.10.20 with 32 bytes of data:
>
>Reply from 192.168.10.20: Destination net unreachable.
>Reply from 192.168.10.20: Destination net unreachable.
>Reply from 192.168.10.20: Destination net unreachable.
>Reply from 192.168.10.20: Destination net unreachable.
>
>Ping statistics for 192.168.10.20:
>     Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
>Approximate round trip times in milli-seconds:
>     Minimum = 0ms, Maximum =  0ms, Average =  0ms
>
>Windoze Ping without ACL ----
>
>C:\>ping 192.168.10.20
>
>Pinging 192.168.10.20 with 32 bytes of data:
>
>Reply from 192.168.10.20: bytes=32 time wrote in message
>news:[EMAIL PROTECTED]...
> > I know it's not what you said. What you said was obvious. I guess it comes
> > about because I said to test with end devices. Router A is acting like an
> > end device in your example. I should have been more clear.
> >
> > What is not obvious is that ACLs on Router B do not apply to pings to and
> > from Router B. Every newbie has probably been bitten by that one,
> > especially in simple labs.
> >
> > Priscilla
> >
> > At 09:42 PM 8/26/01, Brad Ellis wrote:
> > >Priscilla, that's not what I said.  Here's what I said:
> > >
> > >"...pings sent by one router will not be filtered by another router?  "
> > >
> > >Hence my diagram for further explanation:
> > >
> > >Router A -=- Router B -=- Device A
> > >(-=- can be ethernet x-over, serial back-to-back, etc)
> > >
> > >An ACL is applied on Router B's interface (applied inbound) that is
> > >connected to Router A.  What I originally said, and continue to say, is that
> > >Router B will most certainly block packets (pings or whatever) coming from
> > >Router A...and it is irrelevant if Router A is a router or a host device.
> > >The ACL on Router B doesn't care if the device sending packets is a router or
> > >an end host device!
> > >
> > >If Router B was initiating the ping and Router B had the ACL applied, that
> > >would be a different story.
> > >
> > >ttyl,
> > >-Brad Ellis
> > >CCIE#5796
> > >[EMAIL PROTECTED]
> > >used Cisco: www.optsys.net
> > >
> > >""Priscilla Oppenheimer""  wrote in message
> > >news:[EMAIL PROTECTED]...
> > > > At 08:06 PM 8/26/01, Brad Ellis wrote:
> > > > >Priscilla,
> > > > >
> > > > >Are you saying that pings sent by one router will not be filtered by another
> > > > >router?  I beg to differ.
> > > >
> > > > Of course not. Pings sent by the router where the ACL is configured are not
> > > > affected by the ACL. Try it.
> > > >
> > > > Priscilla
> > > >
> > > >
> > > > >-Brad
> > > > >
> > > > >""Priscilla Oppenheimer""  wrote in message
> > > > >news:[EMAIL PROTECTED]...
> > > > > > At 06:26 PM 8/26/01, Brad Ellis wrote:
> > > > > > >Sami,
> > > > > > >
> > > > > > >You'll need to give more info than that.  The router does not care if the
> > > > > > >packets are originated from a host or another router.  It will filter
> > > > > > >packets based on packet information, ie, source address, destination
> > > > > > >address, port #...
> > > > > >
> > > > > > This filtering happens as part of the packet-forwarding process. Packets
> > > > > > sent by the router (such as pings) may not go through this process. Sorry
> > > > > > that I don't have the details, but I have run into surprising results in a
> > > > > > lab environment when testing access lists from a router. You need to test
> > > > > > them from end hosts.
> > > > > >
> > > > > > I can't believe I'm challenging a CCIE, ;-) but I was afraid nobody else
> > > > > > would, and I think the question bears more research.
> > > > > >
> > > > > > Priscilla
> > > > > >
> > > > > > >Are you saying the router won't filter packets originated from the router
> > > > > > >itself?  How are your access-lists applied?  Inbound or Outbound? What are
> > > > > > >you trying to filter?  Explain your situation a little better, and include
> > > > > > >your access-list if you so desire.
> > > > > > >
> > > > > > >-Brad Ellis
> > > > > > >CCIE#5796
> > > > > > >[EMAIL PROTECTED]
> > > > > > >used Cisco:  www.optsys.net
> > > > > > >
> > > > > > >""sami natour""  wrote in message
> > > > > > >news:[EMAIL PROTECTED]...
> > > > > > > > Hi All ,
> > > > > > > > When I made a standard access list I discovered that it
> > > > > > > > prevented packets originated from PCs and hosts but
> > > > > > > > not packets originated from other routers. Any idea why
> > > > > > > > this will happen.
> > > > > > > >
> > > > > > > > Best Regards ,
> > > > > > > > sami ,
> > > > > > > >
> > > > > > > >
> > > > > > > > __________________________________________________
> > > > > > > > Do You Yahoo!?
> > > > > > > > Make international calls for as low as $.04/minute with Yahoo! Messenger
> > > > > > > > http://phonecard.yahoo.com/
> > > > > > ________________________
> > > > > >
> > > > > > Priscilla Oppenheimer
> > > > > > http://www.priscilla.com
> > > > ________________________
> > > >
> > > > Priscilla Oppenheimer
> > > > http://www.priscilla.com
> > ________________________
> >
> > Priscilla Oppenheimer
> > http://www.priscilla.com
________________________

Priscilla Oppenheimer
http://www.priscilla.com
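Editor's note, added to the archived thread and not part of anyone's post: the two lab results above (John's router-originated ping failing, Ednilson's router-originated telnet succeeding) are both consistent with one rule, and the small Python model below encodes it so you can reason about a configuration before testing it from an end host. The rule: an inbound interface ACL is checked for every packet arriving on that interface, including packets addressed to the router itself, while an outbound interface ACL is consulted only for packets the router forwards; packets the router itself originates (a ping or telnet typed at the CLI, and replies from services running on the router) skip it. The router and host addresses and ACL 100 are taken from John's posted config; ACL 101 (a telnet filter), the far-side host 192.168.50.2, the ephemeral source port and the single-interface topology are assumptions, since Ednilson did not post his configuration.

```python
"""Model of which interface ACL Cisco IOS consults on each forwarding path.

Behaviour modelled (the point the thread converges on):
  * an inbound ACL is checked for every packet arriving on the interface,
    whether it is transit traffic or addressed to the router itself;
  * an outbound ACL is checked only for packets the router forwards out of
    the interface; packets the router itself originates (ping or telnet
    typed at the CLI, and replies to sessions terminated on the router)
    bypass it.
"""
from dataclasses import dataclass
from typing import Optional, Sequence

NAMED_PORTS = {"telnet": 23, "www": 80, "ftp": 21, "smtp": 25}


@dataclass(frozen=True)
class Packet:
    proto: str                  # "icmp", "tcp" or "udp"
    src: str
    dst: str
    sport: Optional[int] = None
    dport: Optional[int] = None


@dataclass(frozen=True)
class Ace:
    permit: bool
    proto: str                  # "ip" matches every protocol
    src: str                    # "any" or a host address
    dst: str
    dport: Optional[int]        # from "eq <port>" on the destination, if present


def parse_ace(line: str) -> Ace:
    """Parse 'access-list <n> permit|deny <proto> <src> <dst> [eq <port>]'.
    Only the 'any' and 'host A.B.C.D' address forms are supported."""
    t = line.split()
    if len(t) < 6 or t[0] != "access-list" or t[2] not in ("permit", "deny"):
        raise ValueError(f"not an extended ACE: {line!r}")
    fields, i = [], 4
    for _ in range(2):                       # source, then destination
        if t[i] == "any":
            fields.append("any"); i += 1
        elif t[i] == "host":
            fields.append(t[i + 1]); i += 2
        else:
            raise ValueError(f"unsupported address form in {line!r}")
    dport = None
    if i < len(t) and t[i] == "eq":
        dport = int(t[i + 1]) if t[i + 1].isdigit() else NAMED_PORTS[t[i + 1]]
    return Ace(t[2] == "permit", t[3], fields[0], fields[1], dport)


def permits(acl: Sequence[Ace], pkt: Packet) -> bool:
    """First matching entry wins; a non-empty ACL ends with an implicit deny.
    No ACL applied (an empty list) permits everything, as IOS does."""
    if not acl:
        return True
    for ace in acl:
        if ace.proto not in ("ip", pkt.proto):
            continue
        if ace.src != "any" and ace.src != pkt.src:
            continue
        if ace.dst != "any" and ace.dst != pkt.dst:
            continue
        if ace.dport is not None and ace.dport != pkt.dport:
            continue
        return ace.permit
    return False


class Router:
    """One Ethernet interface with an optional inbound and outbound ACL."""

    def __init__(self, ip: str, acl_in: Sequence[str] = (), acl_out: Sequence[str] = ()):
        self.ip = ip
        self.acl_in = [parse_ace(line) for line in acl_in]
        self.acl_out = [parse_ace(line) for line in acl_out]

    def inbound(self, pkt: Packet) -> bool:
        """A packet arrives on the interface from the LAN: 'in' always applies."""
        return permits(self.acl_in, pkt)

    def outbound(self, pkt: Packet, locally_originated: bool) -> bool:
        """A packet leaves via the interface: 'out' applies only to forwarded packets."""
        if locally_originated:
            return True
        return permits(self.acl_out, pkt)


def exchange(r: Router, req: Packet, rep: Packet) -> bool:
    """Push a request/reply pair through the interface ACLs; True if both pass.
    Cases: the router originates (req.src == router), the router is the target
    (req.dst == router), or, for any other source, the request is forwarded out
    of the interface from the far side of the router (assumed topology)."""
    if req.src == r.ip:
        return r.outbound(req, True) and r.inbound(rep)
    if req.dst == r.ip:
        return r.inbound(req) and r.outbound(rep, True)
    return r.outbound(req, False) and r.inbound(rep)


def ping(r: Router, src: str, dst: str) -> bool:
    return exchange(r, Packet("icmp", src, dst), Packet("icmp", dst, src))


def telnet(r: Router, src: str, dst: str, sport: int = 49152) -> bool:
    syn = Packet("tcp", src, dst, sport, 23)
    syn_ack = Packet("tcp", dst, src, 23, sport)
    return exchange(r, syn, syn_ack)


# Addresses and ACL 100 as in John's lab; ACL 101 and the far-side host are assumed.
ROUTER, HOST, FAR_HOST = "192.168.10.20", "192.168.10.50", "192.168.50.2"
ACL_100 = ["access-list 100 deny   icmp any any",
           "access-list 100 permit ip any any"]
ACL_101 = ["access-list 101 deny   tcp any any eq telnet",
           "access-list 101 permit ip any any"]

if __name__ == "__main__":
    icmp_filter = Router(ROUTER, ACL_100, ACL_100)
    telnet_filter = Router(ROUTER, ACL_101, ACL_101)
    out_only = Router(ROUTER, (), ACL_101)
    print("ACL 100 in+out, ping from router    :", ping(icmp_filter, ROUTER, HOST))
    print("ACL 100 in+out, ping from host      :", ping(icmp_filter, HOST, ROUTER))
    print("ACL 101 in+out, telnet from router  :", telnet(telnet_filter, ROUTER, HOST))
    print("ACL 101 in+out, telnet from host    :", telnet(telnet_filter, HOST, ROUTER))
    print("ACL 101 out only, host -> router vty:", telnet(out_only, HOST, ROUTER))
```

Read against the thread: with ACL 100 in and out, the router's own echo request skips the outbound ACL but the echo reply is dropped by the inbound one, so the ping fails exactly as John saw, and the host's request is dropped inbound (the "Destination net unreachable" the Windows host printed is the router's ICMP administratively-prohibited response to an ACL deny). With a telnet filter that matches on destination port 23, the router's own SYN skips the outbound ACL and the SYN-ACK coming back has destination port 49152, which the ACL does not match, so the session succeeds as Ednilson saw. The practical caveat the model also shows: an outbound interface ACL never sees traffic that the router itself answers, so it cannot protect the router's own services; restrict access to the router with an inbound ACL or an `access-class` on the vty lines, and test ACLs from end hosts rather than from the router that carries them.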




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=17416&t=17416
--------------------------------------------------
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
