Access lists don't apply to packets sent by the router, just packets forwarded by the router.
By the way, notice that the router is sending Dest Unreachable, Port Unreachable (ICMP type=3, code=3). This is because it's the last hop. I would have expected it to send Time Exceeded, Time to Live Exceeded first (ICMP type=11, code=0). Unless some of your output is missing, it appears that the router decremented the TTL but still sent the packet into a buffer where it got processed and rejected due to the unknown, high UDP port number. Weird, eh? Perhaps that's the right thing to do though if you're a router and the trace-route is intended for you. Otherwise you would show up in the list twice.

That's just an FYI. Your problem is occurring due to the first thing I mentioned.

Priscilla

[EMAIL PROTECTED] wrote:
>
> With the following configuration I expected the router to filter the ICMP
> time to live response from R2 to R3, but the access-list is not matching
> the ICMP packets.
>
> Any thoughts?
>
> Router 2
>
> interface loop 0
>  ip ad 2.2.2.2 255.255.255.255
> !
> interface Serial0.23 point-to-point
>  ip address 192.168.23.1 255.255.255.0
>  ip access-group 100 out
>  no ip route-cache
>  frame-relay interface-dlci 123
> !
> access-list 100 deny icmp any any
> !
> end
>
> R2#show access-lists 100
> Extended IP access list 100
>     deny icmp any any (0 matches)
>
> R2#
> 7w1d: IP: s=192.168.23.2 (Serial0.23), d=2.2.2.2, len 28, rcvd 0
> 7w1d:     UDP src=36435, dst=33434
> 7w1d: IP: s=192.168.23.1 (local), d=192.168.23.2 (Serial0.23), len 56, sending
> 7w1d:     ICMP type=3, code=3
> 7w1d: IP: s=192.168.23.2 (Serial0.23), d=2.2.2.2, len 28, rcvd 0
> 7w1d:     UDP src=38762, dst=33435
> 7w1d: IP: s=192.168.23.2 (Serial0.23), d=2.2.2.2, len 28, rcvd 0
> 7w1d:     UDP src=33158, dst=33436
> 7w1d: IP: s=192.168.23.1 (local), d=192.168.23.2 (Serial0.23), len 56, sending
> 7w1d:     ICMP type=3, code=3
>
> Router 1
>
> R3#traceroute 2.2.2.2
>
> Type escape sequence to abort.
> Tracing the route to 2.2.2.2
>
>   1 192.168.23.1 4 msec *  4 msec
> R3#
>
> Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=61732&t=61705
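Added example, not part of the original posts: a Python parser for `debug ip packet detail` lines like the ones quoted above. It separates transit packets that an outbound ACL on Serial0.23 would evaluate from packets the router originates itself, which is why access-list 100 shows 0 matches. The transit line, its addresses and Ethernet0 are constructed for contrast and are assumptions, not taken from the post.

```python
import re

# Lines in the format of the debug output quoted above (wrapped lines rejoined).
POST_LOG = """\
7w1d: IP: s=192.168.23.2 (Serial0.23), d=2.2.2.2, len 28, rcvd 0
7w1d:     UDP src=36435, dst=33434
7w1d: IP: s=192.168.23.1 (local), d=192.168.23.2 (Serial0.23), len 56, sending
7w1d:     ICMP type=3, code=3
"""
# Constructed for contrast (not from the post): a transit ICMP echo that the
# router forwards out Serial0.23. Addresses and Ethernet0 are made up.
TRANSIT_LOG = """\
7w1d: IP: s=10.0.0.5 (Ethernet0), d=192.168.23.2 (Serial0.23), g=192.168.23.2, len 84, forward
7w1d:     ICMP type=8, code=0
"""

IP_RE = re.compile(
    r"IP: s=(?P<src>[\d.]+) \((?P<in_if>[^)]+)\), d=(?P<dst>[\d.]+)"
    r"(?: \((?P<out_if>[^)]+)\))?,.*?len (?P<len>\d+), (?P<action>\w+)"
)
L4_RE = re.compile(r":\s+(ICMP|UDP|TCP)\b")

def parse(log):
    """Pair each 'IP:' line with the protocol detail line that follows it."""
    packets = []
    for line in log.splitlines():
        m = IP_RE.search(line)
        if m:
            packets.append({**m.groupdict(), "proto": None})
            continue
        m = L4_RE.search(line)
        if m and packets and packets[-1]["proto"] is None:
            packets[-1]["proto"] = m.group(1)
    return packets

def seen_by_out_acl(packets, interface):
    """Transit packets leaving `interface`: an outbound ACL there evaluates them."""
    return [p for p in packets
            if p["out_if"] == interface and p["in_if"] != "local"]

def router_originated(packets, interface):
    """Packets the router itself sends out `interface`: the outbound ACL is skipped."""
    return [p for p in packets
            if p["out_if"] == interface and p["in_if"] == "local"]

if __name__ == "__main__":
    for name, log in (("post", POST_LOG), ("post + transit", POST_LOG + TRANSIT_LOG)):
        pkts = parse(log)
        print(name, "ACL-evaluated:", len(seen_by_out_acl(pkts, "Serial0.23")),
              "router-originated:", len(router_originated(pkts, "Serial0.23")))
```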