ACL doesn't seem to be working

Answered Question
Feb 29th, 2008

I have the following ACL on my border gateway.

access-list 120 remark Only applied to g0/0

access-list 120 remark Prevents Pings to router

access-list 120 deny icmp any any echo log

access-list 120 deny icmp any any traceroute log

access-list 120 permit icmp 66.28.3.0 0.0.0.255 host 38.38.38.150

access-list 120 permit icmp 66.250.250.0 0.0.0.255 host 38.38.38.150

access-list 120 permit icmp 130.117.19.0 0.0.0.255 host 38.38.38.150

access-list 120 permit ip any any

The hosts from the 3 networks permitted to ping don't seem to be able to do it. They keep getting destination unreachable. Anyone see what I'm doing wrong here?

Correct Answer by Jon Marshall about 8 years 9 months ago

Hi

You need to rearrange the order of your access-list. The 3 networks you are trying to permit are getting blocked by your 2 deny lines above it. Once a line in an access-list has been matched, that is it.

You need to change order to

access-list 120 permit icmp 66.28.3.0 0.0.0.255 host 38.38.38.150

access-list 120 permit icmp 66.250.250.0 0.0.0.255 host 38.38.38.150

access-list 120 permit icmp 130.117.19.0 0.0.0.255 host 38.38.38.150

access-list 120 deny icmp any any echo log

access-list 120 deny icmp any any traceroute log

access-list 120 permit ip any any

HTH

Jon
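The first-match behaviour Jon describes, as an added example that is not part of the original thread: a small Python simulator that parses both orderings of ACL 120 exactly as posted (wildcard masks, `host`, `any`, the ICMP type keywords, `log`) and evaluates a few constructed packets against each. The ICMP type numbers behind the `echo` and `traceroute` keywords (8 and 30) are the IANA values; the source hosts and the non-ICMP packets are made up for illustration.

```python
"""First-match simulator for numbered Cisco IOS extended ACLs (added example)."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# ICMP type keywords IOS accepts in an extended ACL; only the ones needed here.
ICMP_TYPES = {"echo": 8, "echo-reply": 0, "traceroute": 30, "unreachable": 3}

# Both orderings, copied from the thread (remarks included; they are skipped).
ORIGINAL = """
access-list 120 remark Only applied to g0/0
access-list 120 remark Prevents Pings to router
access-list 120 deny icmp any any echo log
access-list 120 deny icmp any any traceroute log
access-list 120 permit icmp 66.28.3.0 0.0.0.255 host 38.38.38.150
access-list 120 permit icmp 66.250.250.0 0.0.0.255 host 38.38.38.150
access-list 120 permit icmp 130.117.19.0 0.0.0.255 host 38.38.38.150
access-list 120 permit ip any any
"""

REORDERED = """
access-list 120 permit icmp 66.28.3.0 0.0.0.255 host 38.38.38.150
access-list 120 permit icmp 66.250.250.0 0.0.0.255 host 38.38.38.150
access-list 120 permit icmp 130.117.19.0 0.0.0.255 host 38.38.38.150
access-list 120 deny icmp any any echo log
access-list 120 deny icmp any any traceroute log
access-list 120 permit ip any any
"""


@dataclass(frozen=True)
class Entry:
    action: str                 # "permit" or "deny"
    proto: str                  # "ip" matches every IP protocol; else e.g. "icmp"
    src: tuple                  # (address, wildcard) as 32-bit integers
    dst: tuple
    icmp_type: Optional[int]    # None = any ICMP type
    text: str                   # the config line, for reporting which entry hit


def _parse_addr(tokens: list) -> tuple:
    """Consume one IOS address spec: 'any' | 'host A' | 'A W' (address + wildcard)."""
    tok = tokens.pop(0)
    if tok == "any":
        return 0, 0xFFFFFFFF
    if tok == "host":
        return int(ipaddress.IPv4Address(tokens.pop(0))), 0
    addr = int(ipaddress.IPv4Address(tok))
    wild = int(ipaddress.IPv4Address(tokens.pop(0)))
    return addr, wild


def parse_acl(config: str) -> list:
    """Parse 'access-list N permit|deny proto src dst [icmp-type] [log]' lines in order."""
    entries = []
    for line in config.strip().splitlines():
        tokens = line.split()
        if len(tokens) < 4 or tokens[0] != "access-list" or tokens[2] == "remark":
            continue
        action, proto, rest = tokens[2], tokens[3], tokens[4:]
        src = _parse_addr(rest)
        dst = _parse_addr(rest)
        icmp_type = None
        if proto == "icmp" and rest and rest[0] != "log":
            icmp_type = ICMP_TYPES[rest[0]]   # 'log' after the type is ignored here
        entries.append(Entry(action, proto, src, dst, icmp_type, line.strip()))
    return entries


def _in_range(ip: int, spec: tuple) -> bool:
    """Wildcard-mask match: a 1 bit in the wildcard means 'don't care'."""
    addr, wild = spec
    return (ip ^ addr) & (0xFFFFFFFF ^ wild) == 0


def evaluate(acl: list, proto: str, src: str, dst: str, icmp_type=None) -> tuple:
    """Return (action, matching line). Scanning stops at the FIRST match;
    nothing matching falls through to the implicit 'deny ip any any'."""
    s, d = int(ipaddress.IPv4Address(src)), int(ipaddress.IPv4Address(dst))
    for e in acl:
        if e.proto not in ("ip", proto):
            continue
        if not (_in_range(s, e.src) and _in_range(d, e.dst)):
            continue
        if e.proto == "icmp" and e.icmp_type is not None and e.icmp_type != icmp_type:
            continue
        return e.action, e.text
    return "deny", "(implicit deny ip any any)"


if __name__ == "__main__":
    # Constructed packets: an echo request from a host the poster wants to permit,
    # one from elsewhere, and a UDP probe (what a Unix traceroute actually sends).
    probes = [("icmp", "66.28.3.10", "38.38.38.150", 8),
              ("icmp", "203.0.113.7", "38.38.38.150", 8),
              ("udp", "66.28.3.10", "38.38.38.150", None)]
    for name, cfg in (("original", ORIGINAL), ("reordered", REORDERED)):
        for p in probes:
            print(name, p, "->", evaluate(parse_acl(cfg), *p))
```

Run it and the permitted network's echo request hits `deny icmp any any echo log` in the original order and `permit icmp 66.28.3.0 ...` in the reordered one; an echo from any other source is denied either way. Two practitioner notes the simulator makes visible: the `traceroute` keyword matches only ICMP type 30, so Unix traceroute's UDP probes (and the echo replies coming back to the three networks) fall through to `permit ip any any` in both orderings; and the "destination unreachable" the poster sees is consistent with IOS answering an ACL-denied packet with an ICMP unreachable (administratively prohibited) unless `no ip unreachables` is configured on the interface.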

