ACL question

Answered Question
Mar 12th, 2010

Hi all,

I have applied an extended ACL on my router's LAN interface fa1/0 to block pings from my LAN to any outside IP.

Here is the config

interface FastEthernet1/0
ip dhcp relay information trusted
ip address 192.168.1.1 255.255.255.0
ip access-group 100 in
ip nat inside
ip virtual-reassembly
duplex auto
speed auto

Here is the ACL config

access-list 100 deny   icmp any any echo log-input
access-list 100 permit ip any any

Here are the test results

2650xm#ping 4.2.2.2          <-- outside IP

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 4.2.2.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 44/45/48 ms


2650xm#ping 192.168.1.1      <-- IP of LAN interface of router

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.1, timeout is 2 seconds:
U.U.U
Success rate is 0 percent (0/5)
2650xm#ping 96.51.x.x        <-- IP of WAN interface of router

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 96.51.x.x, timeout is 2 seconds:
U.U.U
Success rate is 0 percent (0/5)
2650xm#

Can someone please explain to me why we are able to ping any outside IP even though we have applied the ACL on the router's LAN interface fa1/0, and why we are not able to ping the router's WAN interface fa0/0 IP 96.x.x.x and 192.168.1.1?

Thanks

Mahesh

Correct Answer by Jon Marshall, Fri, 03/12/2010 - 08:15

Mahesh

You can ping any outside address because you are pinging from the router, so the router will use its WAN interface as the source IP and you haven't applied the ACL there. If you want to test it properly, ping an outside IP from a client on your LAN.

Jon

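To illustrate Jon's point, here is an added model (not IOS code and not part of the original thread) of how an inbound ACL on fa1/0 is consulted: it parses the two access-list 100 lines from the question and shows that a LAN client's echo request entering fa1/0 is denied, while a ping typed on the router itself never enters fa1/0 and so is never checked. The WAN address 203.0.113.10 is a constructed placeholder, since the page elides it as 96.51.x.x.

```python
# Constructed model of inbound ACL evaluation; the ACL text is the page's own.
ACL_100 = [
    "access-list 100 deny   icmp any any echo log-input",
    "access-list 100 permit ip any any",
]

def parse_acl(lines):
    """Parse the subset of extended-ACL syntax used on the page."""
    entries = []
    for line in lines:
        tok = line.split()
        # tok: access-list <num> <action> <proto> <src> <dst> [icmp-type] [log-input]
        action, proto, src, dst = tok[2], tok[3], tok[4], tok[5]
        rest = [t for t in tok[6:] if not t.startswith("log")]
        icmp_type = rest[0] if proto == "icmp" and rest else None
        entries.append((action, proto, src, dst, icmp_type))
    return entries

def matches(entry, pkt):
    """True if one access-list entry matches the packet (only 'any' is used here)."""
    action, proto, src, dst, icmp_type = entry
    if proto != "ip" and proto != pkt["proto"]:
        return False
    if src != "any" and src != pkt["src"]:
        return False
    if dst != "any" and dst != pkt["dst"]:
        return False
    if icmp_type is not None and pkt.get("icmp_type") != icmp_type:
        return False
    return True

def evaluate(acl, pkt):
    """First matching entry wins; every IOS ACL ends with an implicit deny."""
    for entry in acl:
        if matches(entry, pkt):
            return entry[0]
    return "deny"

def router_decision(pkt, ingress_iface):
    """ingress_iface is the interface the packet arrived on, or None when the
    router generated the packet itself (e.g. 'ping' at the CLI). An inbound ACL
    is consulted only for packets that actually arrive on that interface."""
    if ingress_iface == "FastEthernet1/0":
        return evaluate(parse_acl(ACL_100), pkt)
    return "permit"  # no ACL on fa0/0; router-sourced traffic never enters fa1/0

LAN_PING = {"src": "192.168.1.50", "dst": "4.2.2.2", "proto": "icmp", "icmp_type": "echo"}
LAN_WEB = {"src": "192.168.1.50", "dst": "4.2.2.2", "proto": "tcp"}
ROUTER_PING = {"src": "203.0.113.10", "dst": "4.2.2.2", "proto": "icmp", "icmp_type": "echo"}
```

Running `router_decision(LAN_PING, "FastEthernet1/0")` gives "deny", which is the test the answer recommends, while `router_decision(ROUTER_PING, None)` gives "permit", matching the 100 percent success seen from the router prompt.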