Re: IP extended access list question [7:4321]

2001-05-13 Thread Reinhold Fischer

Hi Hans,

The echo reply is the answer packet to the echo request. So with the part
of configuration that you gave, the echo request goes 'out' of interface
e0. There is no outgoing access-list set, so the echo request will reach
its destination. The echo reply comes from 171.21.50.2 and goes back to
171.21.10.2. Although an incoming access list is set on e0, the packet
does not match line 2 of your access list because the source of the
echo reply is 171.21.50.2.

hth

Reinhold

On Sun, 13 May 2001, Hans Stout wrote:

> Hello colleagues,
> 
> I am trying to block all IP traffic from host A to host B except for ICMP
> echo replies. This is the access list I have configured:
>
> access-list 100 permit icmp host 171.21.10.2 host 171.21.50.2 echo log
> access-list 100 permit icmp host 171.21.10.2 host 171.21.50.2 echo-reply log
> access-list 100 deny ip host 171.21.10.2 host 171.21.50.2
> 
> I then apply this access list as inbound to Ethernet0:
> 
> Ethernet0
> ip address 171.21.50.1
> ip access-group 100 in
> 
> However, when I try to ping 171.21.50.2 from 171.21.10.2, I get a no reply,
> and the access list logs matches under the deny entry. I wonder if I am
> missing something or might have the syntax wrong. Do you have any ideas?
> Thanks in advance for your help.
> 
> Regards,
> 
> Hans




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=4361&t=4321
--
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]



Re: IP extended access list question [7:4321]

2001-05-13 Thread Gareth Hinton

Think you got your ip addresses the wrong way round.
Guessing which is host A and which is host B.

The lines below will allow 171.21.50.2 to reply to 171.21.10.2 and deny
anything else.
In fact the 2nd line is redundant as there is an implicit deny after it
anyway.

Remember you've not stopped anything going from 171.21.10.2 to 171.21.50.2.
Also remember that unless you put a permit ip any any on the end, you've
stopped everything else going in to Ethernet0.
I take it you're just practicing with these anyway.


access-list 100 permit icmp host 171.21.50.2 host 171.21.10.2 echo-reply log
access-list 100 deny ip host 171.21.50.2 host 171.21.10.2  (redundant)



Gaz


"Hans Stout" wrote in message news:[EMAIL PROTECTED]...
> Hello colleagues,
>
> I am trying to block all IP traffic from host A to host B except for ICMP
> echo replies. This is the access list I have configured:
>
> access-list 100 permit icmp host 171.21.10.2 host 171.21.50.2 echo log
> access-list 100 permit icmp host 171.21.10.2 host 171.21.50.2 echo-reply log
> access-list 100 deny ip host 171.21.10.2 host 171.21.50.2
>
> I then apply this access list as inbound to Ethernet0:
>
> Ethernet0
> ip address 171.21.50.1
> ip access-group 100 in
>
> However, when I try to ping 171.21.50.2 from 171.21.10.2, I get a no reply,
> and the access list logs matches under the deny entry. I wonder if I am
> missing something or might have the syntax wrong. Do you have any ideas?
> Thanks in advance for your help.
>
> Regards,
>
> Hans




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=4329&t=4321
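
The first-match behaviour discussed in the two replies above, as an added example that is not part of any post in the thread: a small Python model that evaluates the access list from the question and the one from the second reply against the echo reply arriving inbound on Ethernet0. The model is an assumption-laden simplification (host-to-host entries only, an optional ICMP type keyword, implicit deny at the end); the function names and the 171.21.50.3 neighbour are made up for illustration.

```python
# Added illustration, not code from the thread. Simplified model (assumption):
# host-to-host entries only, optional ICMP type keyword, first match wins.
from collections import namedtuple

Packet = namedtuple("Packet", "proto src dst icmp_type")

def parse_ace(line):
    """Parse 'access-list N permit|deny PROTO host SRC host DST [icmp-type] [log]'."""
    tok = line.split()
    rest = [t for t in tok[8:] if t != "log"]
    return {"action": tok[2], "proto": tok[3], "src": tok[5], "dst": tok[7],
            "icmp_type": rest[0] if rest else None}

def matches(ace, pkt):
    if ace["proto"] not in ("ip", pkt.proto):   # 'ip' matches every IP protocol
        return False
    if (ace["src"], ace["dst"]) != (pkt.src, pkt.dst):
        return False
    return ace["icmp_type"] in (None, pkt.icmp_type)

def evaluate(acl_lines, pkt):
    """Return (action, line number); line number None means the implicit deny."""
    for n, line in enumerate(acl_lines, start=1):
        ace = parse_ace(line)
        if matches(ace, pkt):
            return ace["action"], n
    return "deny", None

# ACL from the original question.
HANS_ACL = [
    "access-list 100 permit icmp host 171.21.10.2 host 171.21.50.2 echo log",
    "access-list 100 permit icmp host 171.21.10.2 host 171.21.50.2 echo-reply log",
    "access-list 100 deny ip host 171.21.10.2 host 171.21.50.2",
]
# ACL suggested in the second reply (source and destination swapped).
GARETH_ACL = [
    "access-list 100 permit icmp host 171.21.50.2 host 171.21.10.2 echo-reply log",
    "access-list 100 deny ip host 171.21.50.2 host 171.21.10.2",
]
# Constructed packets arriving inbound on Ethernet0.
ECHO_REPLY = Packet("icmp", "171.21.50.2", "171.21.10.2", "echo-reply")
TCP_SAME_PAIR = Packet("tcp", "171.21.50.2", "171.21.10.2", None)
OTHER_HOST = Packet("icmp", "171.21.50.3", "171.21.10.2", "echo-reply")  # made-up neighbour

if __name__ == "__main__":
    for name, acl in (("question", HANS_ACL), ("reply", GARETH_ACL)):
        for pkt in (ECHO_REPLY, TCP_SAME_PAIR, OTHER_HOST):
            print(name, pkt, evaluate(acl, pkt))
```

A line number of None in the result means no entry matched and the packet fell through to the implicit deny.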



IP extended access list question [7:4321]

2001-05-13 Thread Hans Stout

Hello colleagues,

I am trying to block all IP traffic from host A to host B except for ICMP
echo replies. This is the access list I have configured:

access-list 100 permit icmp host 171.21.10.2 host 171.21.50.2 echo log
access-list 100 permit icmp host 171.21.10.2 host 171.21.50.2 echo-reply log
access-list 100 deny ip host 171.21.10.2 host 171.21.50.2

I then apply this access list as inbound to Ethernet0:

Ethernet0
ip address 171.21.50.1
ip access-group 100 in

However, when I try to ping 171.21.50.2 from 171.21.10.2, I get a no reply,
and the access list logs matches under the deny entry. I wonder if I am
missing something or might have the syntax wrong. Do you have any ideas?
Thanks in advance for your help.

Regards,

Hans




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=4321&t=4321