Question about ACLs

Neuromancer · ‎04-02-2007

I have a couple of questions about this simple ACL:

access-list 101 permit ip host 192.168.1.1 any

1) Will this ACL block ICMP requests coming from any hosts other than 192.168.1.1 (because of the implicit deny any any)?

2) If this ACL is implemented outbound on an interface, it will supposedly block any "pass-through" traffic not sourced from 192.168.1.1. Therefore ICMP requests sourced from 192.168.1.1 to a remote host through the ACL will be permitted. This outbound ACL should not have any effect on the ICMP replies coming back through the interface (no inbound ACLs applied), so ICMP replies will be successfully received by 192.168.1.1, right?

I had a scenario where icmp replies weren't being recieved, and debugs on the downstream router said that the replies were being "administraivly prohibited", even though there weren't any inbound ACLs on the local router. (Also no ACLS on the downstream) I don't understand why this happened?

Is this a new IOS feature or something (using 12.4)? Any help is appreciated!

Jon Marshall · ‎04-02-2007

Hi Christopher

1) Yes it will.

2) Yes you are right, the outbound acl should have no effect on the returning packets. Unless you are using stateful technology eg CBAC on routers then the ICMP replies would be allowed through. I am not aware of any changes in 12.4 that would change this behaviour.

HTH

Jon

rajinikanth · ‎04-03-2007

Hi ,

To block icmp try to use more precise command instead of permit and deny entire IP protocol.

Example:

access-list 101 permit icmp host 192.168.1.1 any echo (for ping)

access-list 101 permit icmp host 192.168.1.1 any echo-reply (for ping reply)

HTH

Raj