10-10-2008 11:56 AM - edited 03-06-2019 01:52 AM
I just created one ACL as below for blocking ICMP except from host 10.10.1.1. But that host still can't ping this interface or other hosts behind it after I applied the ACL to the interface. I don't know why. I know this is a silly question :(
access-list 110 deny icmp any any
access-list 110 permit ip any any
access-list 110 permit icmp host 10.10.1.1 any
access-list 110 permit icmp host 10.10.1.1 any echo-reply
access-list 110 permit icmp host 10.10.1.1 any echo
interface Ethernet1/0
ip address 10.10.1.2 255.255.255.0
ip access-group 110 in
10-10-2008 12:00 PM
ACLs are processed line by line from the start, and your first line is denying icmp from anywhere. Note that icmp on its own covers echo and echo-reply.
You need to rewrite your access-list to
access-list 110 permit icmp host 10.10.1.1 any
access-list 110 permit icmp host 10.10.1.1 any echo-reply
access-list 110 permit icmp host 10.10.1.1 any echo
access-list 110 deny icmp any any
access-list 110 permit ip any any
Edit - should have said
the 2 lines
access-list 110 permit icmp host 10.10.1.1 any echo-reply
access-list 110 permit icmp host 10.10.1.1 any echo
are redundant because the line above
access-list 110 permit icmp host 10.10.1.1 any
covers both of the following 2 lines. If you just want to allow ping then leave in those 2 lines and remove from your access-list
access-list 110 permit icmp host 10.10.1.1 any
Jon
10-10-2008 12:32 PM
It works!
I know that 2 lines are not necessary. I just added it because "access-list 110 permit icmp host 10.10.1.1 any" didn't work at that time...
Many thanks.
01-22-2020 07:36 AM
Hey Jon,
Is your statement about icmp covering both echo and echo-reply (still) valid for named extended IP ACLs as well?
Thanks!
10-10-2008 12:19 PM
David
There is a simple explanation for your issue. The key to it is that access lists are processed one step at a time, in order, and that the first statement that is a true condition will cause the router to execute that permit or deny and not to look at anything further in the access list. And since the first statement in the list is:
access-list 110 deny icmp any any
it will deny all icmp traffic. And the statements later in the list to permit 10.10.1.1 will never execute. To fix it move the deny icmp any any to the bottom of the list.
HTH
Rick
10-10-2008 12:33 PM
Rick
Just a quick point. If the line
access-list 110 deny icmp any any
is moved to the bottom of the access-list, then no ICMP will be blocked because of the permit ip any any line. Hence the reason I reordered the ACL.
Jon
10-10-2008 12:39 PM
Jon
Point well taken. I focused on the need to move the general deny any below the more specific permits. But anything that follows permit any any does not have any effect. I should have thought more thoroughly in my response.
HTH
Rick
10-10-2008 12:51 PM
Rick
No problem, I just didn't want to confuse the OP. You are one of the most precise and thoughtful people on these forums, and I think the rest of us would be very happy if we were as consistent as you.
Jon
10-10-2008 01:08 PM
Jon
I share your concern that the OP not be confused and appreciate your clarification (which was spot on).
I appreciate your compliment about my participation in the forum. I do try to set a pretty high standard, and being human, once in a while I fail to meet that standard. In those instances I appreciate it when someone points out an incomplete or inconsistent aspect of my response. It all helps make the forum better.
HTH
Rick
10-14-2008 08:04 AM
But it doesn't work when I apply it to a switch port. ICMP was blocked from any IP address. Anything wrong? Thanks.
interface GigabitEthernet1/2
switchport access vlan 10
switchport mode access
ip access-group 110 in
Extended IP access list 110
10 permit icmp host 10.10.1.1 any
20 permit icmp host 10.10.1.1 any log
30 permit icmp host 10.10.1.1 any log-input
40 deny icmp any any log (7 matches)
50 deny icmp any any log-input
60 permit ip any any (1809 matches)
10-14-2008 08:15 AM
What is the subnet IP range for vlan 10 ?
Jon
10-14-2008 08:37 AM
Jon, it's a 27-bit subnet.
10-14-2008 09:01 AM
Sorry, I meant what is the actual address range. The reason I ask is because the acl is applied inbound, so the 10.10.1.1 host would have to be in vlan 10. If it isn't, that is why you are not getting any matches.
Jon
10-14-2008 09:58 AM
Jon, It's my misunderstanding.
The ip range of vlan 10 is 172.16.2.x.
The switch is a layer 3 switch. Host 10.10.1.1 is on another vlan. They can ping each other without the ACL.
If this way is not practicable, should I apply the ACL to a layer 3 port of this switch, or somewhere else? Thanks.
10-14-2008 10:11 AM
Depends on what you want to achieve. Assuming you want to allow host 10.10.1.1 to ping anything outside its vlan but then stop any other host in the same vlan as 10.10.1.1 from pinging anything, then you need to apply your acl inbound on the L3 vlan interface that the host 10.10.1.1 is in.
Jon
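The following is an added example, not code from the thread or from Cisco: a small evaluator that applies the first-match rule Jon and Rick describe, so the orderings discussed above (the original ACL, the reordered one, and the deny moved to the bottom) can be compared on the same packets. It also models the later point about direction: inbound on a VLAN 10 access port, the only source addresses that ever arrive are 172.16.2.x hosts, so an entry for host 10.10.1.1 can never match there. The parser handles only the subset of syntax that appears in the thread plus `A.B.C.D W.W.W.W` wildcard masks (an assumption about the syntax it accepts); the packets are constructed sample input.

```python
"""First-match evaluation of Cisco-style extended ACL entries (added example, not from the thread)."""
from ipaddress import IPv4Address, IPv4Network
from typing import List, NamedTuple, Optional, Tuple


class Ace(NamedTuple):
    action: str                 # "permit" or "deny"
    proto: str                  # "ip" matches every protocol; anything else must match exactly
    src: IPv4Network
    dst: IPv4Network
    icmp_type: Optional[str]    # e.g. "echo", "echo-reply"; None matches any ICMP type


class Packet(NamedTuple):
    proto: str
    src: str
    dst: str
    icmp_type: Optional[str] = None


def parse_addr(tokens: List[str]) -> IPv4Network:
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D W.W.W.W' (wildcard mask) from tokens."""
    tok = tokens.pop(0)
    if tok == "any":
        return IPv4Network("0.0.0.0/0")
    if tok == "host":
        return IPv4Network(tokens.pop(0) + "/32")
    wildcard = tokens.pop(0)
    if wildcard == "0.0.0.0":           # 'A.B.C.D 0.0.0.0' means the same as 'host A.B.C.D'
        return IPv4Network(tok + "/32")
    # ipaddress reads a mask whose first octet is zero as a hostmask, which is what a wildcard is
    return IPv4Network(f"{tok}/{wildcard}", strict=False)


def parse_ace(line: str) -> Ace:
    """Parse 'access-list <n> permit|deny <proto> <src> <dst> [icmp-type] [log|log-input]'."""
    tokens = line.split()
    if tokens[0] != "access-list":
        raise ValueError(f"not an access-list line: {line!r}")
    action, proto = tokens[2], tokens[3]
    rest = [t for t in tokens[4:] if t not in ("log", "log-input")]  # logging does not affect matching
    src = parse_addr(rest)
    dst = parse_addr(rest)
    icmp_type = rest.pop(0) if rest and proto == "icmp" else None
    return Ace(action, proto, src, dst, icmp_type)


def parse_acl(text: str) -> List[Ace]:
    return [parse_ace(line) for line in text.splitlines() if line.strip()]


def evaluate(acl: List[Ace], pkt: Packet) -> Tuple[str, Optional[int]]:
    """Return (action, index) of the first entry that matches.

    Processing stops at the first match; later entries are never consulted.
    A packet matching no entry hits the implicit deny, reported as ("deny", None).
    """
    src, dst = IPv4Address(pkt.src), IPv4Address(pkt.dst)
    for index, ace in enumerate(acl):
        if ace.proto != "ip" and ace.proto != pkt.proto:
            continue
        if src not in ace.src or dst not in ace.dst:
            continue
        if ace.icmp_type is not None and ace.icmp_type != pkt.icmp_type:
            continue
        return ace.action, index
    return "deny", None


# The orderings from the thread: the original post, Jon's reordering, and the
# original with only the deny moved to the bottom (the variant Jon cautioned about).
ORIGINAL = parse_acl("""
access-list 110 deny icmp any any
access-list 110 permit ip any any
access-list 110 permit icmp host 10.10.1.1 any
access-list 110 permit icmp host 10.10.1.1 any echo-reply
access-list 110 permit icmp host 10.10.1.1 any echo
""")
REORDERED = parse_acl("""
access-list 110 permit icmp host 10.10.1.1 any
access-list 110 deny icmp any any
access-list 110 permit ip any any
""")
DENY_AT_BOTTOM = parse_acl("""
access-list 110 permit ip any any
access-list 110 permit icmp host 10.10.1.1 any
access-list 110 permit icmp host 10.10.1.1 any echo-reply
access-list 110 permit icmp host 10.10.1.1 any echo
access-list 110 deny icmp any any
""")


def compare(pkt: Packet) -> dict:
    """Action each ordering takes on the same packet."""
    acls = (("original", ORIGINAL), ("reordered", REORDERED), ("deny_at_bottom", DENY_AT_BOTTOM))
    return {name: evaluate(acl, pkt)[0] for name, acl in acls}


if __name__ == "__main__":
    # Constructed sample packets: a ping from the allowed host, one from a neighbour, and TCP.
    for pkt in (Packet("icmp", "10.10.1.1", "10.10.1.2", "echo"),
                Packet("icmp", "10.10.1.5", "10.10.1.2", "echo"),
                Packet("tcp", "10.10.1.5", "10.10.1.2")):
        print(pkt, compare(pkt))
    # Inbound on the VLAN 10 access port the sources are 172.16.2.x, so entry 0 never matches
    # and every ping falls through to the deny, which is what the match counter showed.
    print(evaluate(REORDERED, Packet("icmp", "172.16.2.10", "10.10.1.1", "echo")))
```

Running the block prints, for each sample packet, what each ordering does: the original denies the permitted host's ping at entry 0, the deny-at-bottom variant permits everyone's ping at the `permit ip any any` entry, and only the reordered list permits 10.10.1.1 while denying the neighbour. The last line shows why the switchport placement produced only deny matches.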