04-02-2007 10:58 PM - edited 03-05-2019 03:15 PM
I have a couple of questions about this simple ACL:
access-list 101 permit ip host 192.168.1.1 any
1) Will this ACL block ICMP requests coming from any hosts other than 192.168.1.1 (because of the implicit deny any any)?
2) If this ACL is implemented outbound on an interface, it will supposedly block any "pass-through" traffic not sourced from 192.168.1.1. Therefore ICMP requests sourced from 192.168.1.1 to a remote host through the ACL will be permitted. This outbound ACL should not have any effect on the ICMP replies coming back through the interface (no inbound ACLs applied), so ICMP replies will be successfully received by 192.168.1.1, right?
I had a scenario where icmp replies weren't being recieved, and debugs on the downstream router said that the replies were being "administraivly prohibited", even though there weren't any inbound ACLs on the local router. (Also no ACLS on the downstream) I don't understand why this happened?
Is this a new IOS feature or something (using 12.4)? Any help is appreciated!
04-02-2007 11:13 PM
Hi Christopher
1) Yes it will.
2) Yes you are right, the outbound acl should have no effect on the returning packets. Unless you are using stateful technology eg CBAC on routers then the ICMP replies would be allowed through. I am not aware of any changes in 12.4 that would change this behaviour.
HTH
Jon
04-03-2007 01:33 AM
Hi ,
To block icmp try to use more precise command instead of permit and deny entire IP protocol.
Example:
access-list 101 permit icmp host 192.168.1.1 any echo (for ping)
access-list 101 permit icmp host 192.168.1.1 any echo-reply (for ping reply)
HTH
Raj
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide