self icmp blocking in interface

hclisschennai
Level 1

Hi everybody,

I tried to block any ping (ICMP) from the Internet to my router. I have configured the ACL below on the router and applied it on the interface connected to the Internet:

access-list 110 permit icmp any any unreachable
access-list 110 permit icmp any any ttl-exceeded
access-list 110 permit icmp any any echo-reply
access-list 110 deny icmp any any

Applied on the interface connected to the Internet as below:

interface ser 0/0
 ip address 210.218.240.19
 ip access-group 110 in

It is working perfectly, blocking the ICMP packets destined to the router from the Internet. Also, I am able to ping any public IP from the router console.

But ironically, when I ping the router's own interface ser 0/0, it shows U.U.U

I am not able to ping the self interface after applying the ACLs.

Can you please guide me on what the problem and the solution are?

RBK

3 Replies

Harold Ritter
Cisco Employee

RBK,

This behavior is due to the very nature of serial interfaces. When you ping your local interface IP address, the ICMP request travels through the serial interface to the peer and is sent back to the local router. The same thing happens with the ICMP reply message.

Regards

Harold Ritter
Sr Technical Leader
CCIE 4168 (R&S, SP)
harold@cisco.com
México móvil: +52 1 55 8312 4915
Cisco México
Paseo de la Reforma 222
Piso 19
Cuauhtémoc, Juárez
Ciudad de México, 06600
México

Hi Hritter,

Thanks for your answer. But please look into the ACLs; I have allowed the echo-reply.

If this is the case, why am I not able to ping the IP address of the serial interface where the ACL is applied, whereas I am able to ping other public IP addresses on the Internet? (Of course they will not be able to ping my serial interface where the ACL is applied, because of the ACL applied on the interface.)

Thanks in advance

RBK

Hello R.B. Kumar,

as Harold has explained, the following happens:

the echo-request leaves the interface and is placed on the wire; the other device on the link sends the echo-request back to your interface, where it is discarded, because your ACL accepts echo-replies but denies echo-requests.

For this reason you cannot ping the interface itself.

This happens on serial interfaces but also on ATM interfaces.

Hope to help

Giuseppe
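To make the explanation above concrete, here is an added example (not code from the thread or from Cisco): a minimal first-match evaluator for ACL 110 as posted, replayed over a constructed inbound ICMP trace on ser 0/0. The source address 198.51.100.7 is a constructed placeholder; the ICMP type numbers are the standard ones behind the IOS keywords.

```python
# Added example: first-match evaluation of the posted ACL 110 over a constructed
# trace of packets arriving inbound on ser 0/0. It shows why "permit icmp any any
# echo-reply" does not let the router ping its own serial address: the
# echo-request is looped back by the peer and re-enters the interface as an
# inbound echo-request, which the final "deny icmp any any" line drops
# (IOS answers a denied packet with an unreachable, hence the U.U.U).
from dataclasses import dataclass

ROUTER_IP = "210.218.240.19"   # serial interface address from the post

# ACL 110 exactly as posted, in order; IOS evaluates top-down, first match wins.
# None as the keyword means the line matches any ICMP message.
ACL_110 = [
    ("permit", "unreachable"),
    ("permit", "ttl-exceeded"),
    ("permit", "echo-reply"),
    ("deny", None),            # deny icmp any any
]
# Standard ICMP type numbers behind the IOS keywords used here.
ICMP_KEYWORDS = {"unreachable": 3, "ttl-exceeded": 11, "echo-reply": 0, "echo": 8}


@dataclass(frozen=True)
class IcmpPacket:
    src: str
    dst: str
    icmp_type: int


def evaluate_acl(acl, pkt):
    """Return 'permit' or 'deny' for pkt. The implicit deny that ends every
    IOS access list is modelled as the default when no line matches."""
    for action, keyword in acl:
        if keyword is None or ICMP_KEYWORDS[keyword] == pkt.icmp_type:
            return action
    return "deny"  # implicit deny any


def inbound_verdicts(acl, trace):
    """Apply the ACL as 'ip access-group 110 in' to each packet in the trace."""
    return [evaluate_acl(acl, p) for p in trace]


# Constructed trace of packets arriving INBOUND on ser 0/0.
TRACE = [
    IcmpPacket("198.51.100.7", ROUTER_IP, 8),   # Internet host pings the router
    IcmpPacket("198.51.100.7", ROUTER_IP, 0),   # reply to a ping the router sent
    # Self-ping: the request leaves ser 0/0, the peer routes it straight back,
    # so it re-enters the same interface as an inbound echo-request.
    IcmpPacket(ROUTER_IP, ROUTER_IP, 8),
]

if __name__ == "__main__":
    for pkt, verdict in zip(TRACE, inbound_verdicts(ACL_110, TRACE)):
        print(f"{pkt.src:>15} -> {pkt.dst:<15} type {pkt.icmp_type}: {verdict}")
```

Only the second packet (the echo-reply) passes; both echo-requests, including the router's own looped-back one, are denied.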
