05-17-2009 08:35 AM - edited 03-04-2019 04:47 AM
Hi everybody,
I tried to block any ping (ICMP) from the Internet to my router. I have configured the ACLs below on the router and applied them on the interface connected to the Internet:
access-list 110 permit icmp any any unreachable
access-list 110 permit icmp any any ttl-exceeded
access-list 110 permit icmp any any echo-reply
access-list 110 deny icmp any any
Applied in Interface connected to Internet as below:
interface ser 0/0
 ip address 210.218.240.19
 ip access-group 110 in
It is working perfectly by blocking the ICMP packets destined to the router from the Internet. Also, I am able to ping any public IP from the router console.
But ironically, when I ping the router's own interface ser 0/0, it shows U.U.U
I am not able to ping the router's own interface after applying the ACLs.
Can you please guide me on what the problem and the solution are?
RBK
05-17-2009 08:59 AM
RBK,
This behavior is due to the very nature of serial interfaces. When you ping your local interface IP address, the IP ICMP request travels through the serial interface to the peer and is sent back to the local router. The same thing happens with the ICMP reply message.
Regards
05-17-2009 09:42 AM
Hi Hritter,
Thanks for your answer. But please look at the ACLs: I have allowed the echo-reply.
If this is the case, why am I not able to ping the IP address of the serial interface where the ACL is applied, whereas I am able to ping other public IP addresses on the Internet? (Of course, they will not be able to ping my serial interface because of the ACL applied on the interface.)
Thanks in advance
RBK
05-17-2009 10:53 AM
Hello R.B. Kumar,
As Harold has explained, the following happens:
the echo-request leaves the interface and is placed on the wire; the other device on the link sends the echo-request back to your interface, where it is discarded,
because your ACL accepts echo-replies but denies echo-requests.
For this reason you cannot ping the interface itself.
This happens on serial interfaces but also on ATM interfaces.
Hope to help
Giuseppe
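
Added example, not part of any post above: a small Python model of first-match evaluation for the access-list 110 from the question, applied to the inbound ICMP packets the replies describe. The remote address 198.51.100.7 and the ACL_SELF variant are assumptions made for illustration; neither appears in the thread.

```python
# Added illustration (not from the thread): first-match evaluation of
# access-list 110 for ICMP arriving inbound on ser 0/0.
ROUTER = "210.218.240.19"   # interface address from the original post
REMOTE = "198.51.100.7"     # constructed sample Internet host
ANY = "any"

# (action, src, dst, icmp_type) in configured order; ANY is a wildcard.
ACL_110 = [
    ("permit", ANY, ANY, "unreachable"),
    ("permit", ANY, ANY, "ttl-exceeded"),
    ("permit", ANY, ANY, "echo-reply"),
    ("deny",   ANY, ANY, ANY),
]
# Hypothetical variant, not proposed in the thread: let the router's own
# looped-back echo request in ahead of the final deny.
ACL_SELF = ACL_110[:3] + [("permit", ROUTER, ROUTER, "echo")] + ACL_110[3:]

# Packets that must pass the inbound ACL for each ping to complete.
SCENARIOS = {
    "router pings Internet host": [(REMOTE, ROUTER, "echo-reply")],
    "Internet host pings router": [(REMOTE, ROUTER, "echo")],
    # On the serial link the peer sends both the request and the reply
    # back, so both re-enter ser 0/0 with the router as source and target.
    "router pings own serial IP": [(ROUTER, ROUTER, "echo"),
                                   (ROUTER, ROUTER, "echo-reply")],
}

def acl_action(acl, packet):
    """Action of the first entry matching (src, dst, icmp_type)."""
    for action, *fields in acl:
        if all(f in (ANY, p) for f, p in zip(fields, packet)):
            return action
    return "deny"  # implicit deny at the end of every ACL

def first_dropped(acl, scenario):
    """First inbound packet the ACL denies, or None if the ping completes."""
    for packet in SCENARIOS[scenario]:
        if acl_action(acl, packet) == "deny":
            return packet
    return None

if __name__ == "__main__":
    for name in SCENARIOS:
        for label, acl in (("ACL 110", ACL_110), ("variant", ACL_SELF)):
            dropped = first_dropped(acl, name)
            print(f"{name:28} {label:8} {'ok' if dropped is None else dropped}")
```

The variant entry matches on addresses only, so it would also match an echo request from outside that carries the router's own address as its source.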