ACL for ICMP

David Lin
Level 1

I just created one ACL as below for blocking ICMP except from host 10.10.1.1. But that host still can't ping this interface or the other hosts behind it after I applied the ACL to the interface. I don't know why. I know this is a silly question :(

access-list 110 deny icmp any any

access-list 110 permit ip any any

access-list 110 permit icmp host 10.10.1.1 any

access-list 110 permit icmp host 10.10.1.1 any echo-reply

access-list 110 permit icmp host 10.10.1.1 any echo

interface Ethernet1/0

ip address 10.10.1.2 255.255.255.0

ip access-group 110 in

17 Replies

Jon Marshall
Hall of Fame

ACLs are processed line by line from the start, and your first line is denying icmp from anywhere. Note that icmp on its own covers echo and echo-reply.

You need to rewrite your access-list to

access-list 110 permit icmp host 10.10.1.1 any

access-list 110 permit icmp host 10.10.1.1 any echo-reply

access-list 110 permit icmp host 10.10.1.1 any echo

access-list 110 deny icmp any any

access-list 110 permit ip any any

Edit - should have said

the 2 lines

access-list 110 permit icmp host 10.10.1.1 any echo-reply

access-list 110 permit icmp host 10.10.1.1 any echo

are redundant because the line above

access-list 110 permit icmp host 10.10.1.1 any

covers both of those 2 lines. If you just want to allow ping then leave in those 2 lines and remove from your access-list

access-list 110 permit icmp host 10.10.1.1 any

Jon

It works!

I know those 2 lines are not necessary. I just added them because "access-list 110 permit icmp host 10.10.1.1 any" didn't work at the time...

Many thanks.

Hey Jon,

Is your statement about icmp covering both echo and echo-reply (still) valid for extended named IP ACLs as well?

Thanks!

Richard Burts
Hall of Fame

David

There is a simple explanation for your issue. The key to it is that access lists are processed one step at a time, in order, and that the first statement that is a true condition will cause the router to execute that permit or deny and not to look at anything further in the access list. And since the first statement in the list is:

access-list 110 deny icmp any any

it will deny all icmp traffic. And the statements later in the list to permit 10.10.1.1 will never execute. To fix it move the deny icmp any any to the bottom of the list.

HTH

Rick

Rick

Just a quick point. If the line

access-list 110 deny icmp any any

is moved to the bottom of the access-list then no ICMP will be blocked, because of the permit ip any any line. Hence the reason I reordered the ACL.

Jon
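An added example, not code from the thread: a small Python first-match evaluator that runs the three orderings discussed above (the OP's original list, Jon's reordering, and the "deny moved to the bottom" variant) against sample packets. It handles only the `any`/`host` address forms and the optional ICMP type used in the thread; the sample packets and the hosts 10.10.1.50 and 172.16.2.10 are constructed, and the "icmp_from_vlan10" case shows what an ACL applied inbound on a VLAN 10 port would actually see.

```python
from collections import namedtuple
from typing import List

# proto is "icmp", "tcp", ...; icmp_type is "echo", "echo-reply", or None for non-ICMP
Packet = namedtuple("Packet", "proto src dst icmp_type", defaults=(None,))

def _parse_addr(toks):
    # Consume 'any' or 'host A.B.C.D'; return ((kind, addr), remaining tokens)
    if toks[0] == "any":
        return ("any", None), toks[1:]
    assert toks[0] == "host", "unsupported address spec: " + toks[0]
    return ("host", toks[1]), toks[2:]

def _parse_line(line: str):
    toks = line.split()              # access-list 110 permit icmp host A.B.C.D any [echo]
    src, rest = _parse_addr(toks[4:])
    dst, rest = _parse_addr(rest)
    return toks[2], toks[3], src, dst, (rest[0] if rest else None)

def _addr_matches(spec, addr: str) -> bool:
    return spec[0] == "any" or spec[1] == addr

def evaluate(acl: List[str], pkt: Packet) -> str:
    # First matching line wins; a packet matching no line hits the implicit deny.
    for line in acl:
        action, proto, src, dst, icmp_type = _parse_line(line)
        if proto != "ip" and proto != pkt.proto:
            continue
        if not (_addr_matches(src, pkt.src) and _addr_matches(dst, pkt.dst)):
            continue
        if icmp_type is not None and icmp_type != pkt.icmp_type:
            continue                 # plain 'icmp' with no type covers echo and echo-reply
        return action
    return "deny"

P_HOST = "access-list 110 permit icmp host 10.10.1.1 any"
DENY_ICMP = "access-list 110 deny icmp any any"
P_IP = "access-list 110 permit ip any any"
ORIGINAL = [DENY_ICMP, P_IP, P_HOST]   # the OP's order: the deny is hit before the permit
REORDERED = [P_HOST, DENY_ICMP, P_IP]  # Jon's order: specific permit, deny icmp, permit ip
DENY_LAST = [P_IP, P_HOST, DENY_ICMP]  # deny moved to the bottom: permit ip any any shadows it

def verdicts(acl: List[str]) -> dict:
    # Constructed sample packets; 10.10.1.50 and 172.16.2.10 are made-up hosts, not from the thread.
    return {
        "icmp_from_10.10.1.1": evaluate(acl, Packet("icmp", "10.10.1.1", "10.10.1.2", "echo")),
        "icmp_from_other":     evaluate(acl, Packet("icmp", "10.10.1.50", "10.10.1.2", "echo")),
        "icmp_from_vlan10":    evaluate(acl, Packet("icmp", "172.16.2.10", "10.10.1.1", "echo")),
        "tcp_from_other":      evaluate(acl, Packet("tcp", "10.10.1.50", "10.10.1.2")),
    }
```

Running `verdicts` on each list shows ORIGINAL denying even 10.10.1.1, REORDERED permitting only 10.10.1.1's ICMP while other IP traffic still passes, and DENY_LAST blocking no ICMP at all.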

Jon

Point well taken. I focused on the need to move the general deny any below the more specific permits. But anything that follows permit any any does not have any effect. I should have thought more thoroughly in my response.

HTH

Rick

Rick

No problem, I just didn't want to confuse the OP. You are one of the most precise and thoughtful people on these forums, and I think the rest of us would be very happy if we were as consistent as you.

Jon

Jon

I share your concern that the OP not be confused and appreciate your clarification (which was spot on).

I appreciate your compliment about my participation in the forum. I do try to set a pretty high standard, and being human, once in a while I fail to meet that standard. In those instances I appreciate it when someone points out an incomplete or inconsistent aspect of my response. It all helps make the forum better.

HTH

Rick

But it doesn't work when I apply it to a switch port. ICMP was blocked from any IP address. Anything wrong? Thanks.

interface GigabitEthernet1/2

switchport access vlan 10

switchport mode access

ip access-group 110 in

Extended IP access list 110

10 permit icmp host 10.10.1.1 any

20 permit icmp host 10.10.1.1 any log

30 permit icmp host 10.10.1.1 any log-input

40 deny icmp any any log (7 matches)

50 deny icmp any any log-input

60 permit ip any any (1809 matches)

What is the subnet IP range for vlan 10 ?

Jon

Jon, it's a 27-bit subnet.

Sorry, I meant what is the actual address range. The reason I ask is that the acl is applied inbound, so the 10.10.1.1 host would have to be in vlan 10. If it isn't, that is why you are not getting any matches.

Jon

Jon, It's my misunderstanding.

The ip range of vlan 10 is 172.16.2.x.

The switch is a layer 3 switch. Host 10.10.1.1 is on another vlan. They can ping each other without the ACL.

If this way is not practicable, should I apply the ACL to a layer 3 port of this switch, or somewhere else? Thanks.

Depends on what you want to achieve. Assuming you want to allow host 10.10.1.1 to ping anything outside its vlan, but then stop any other host in the same vlan as 10.10.1.1 from pinging anything, then you need to apply your acl inbound on the L3 vlan interface that host 10.10.1.1 is in.

Jon
