ACL question

Answered Question
Mar 12th, 2010

Hi all,


I have applied an extended ACL on my router's LAN interface fa1/0 to block pings from my LAN to any outside IP.


Here is the config


interface FastEthernet1/0
ip dhcp relay information trusted
ip address 192.168.1.1 255.255.255.0
ip access-group 100 in
ip nat inside
ip virtual-reassembly
duplex auto
speed auto


Here is the ACL config


access-list 100 deny   icmp any any echo log-input
access-list 100 permit ip any any


Here are the test results



2650xm#ping 4.2.2.2          <-- outside IP

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 4.2.2.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 44/45/48 ms


2650xm#ping 192.168.1.1      <-- IP of the router's LAN interface

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.1, timeout is 2 seconds:
U.U.U
Success rate is 0 percent (0/5)
2650xm#ping 96.51.x.x        <-- IP of the router's WAN interface

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 96.51.x.x , timeout is 2 seconds:
U.U.U
Success rate is 0 percent (0/5)
2650xm#



Can someone please explain to me why we are able to ping any outside IP even though we have applied the ACL on the router's LAN interface fa1/0, and why we are not able to ping the router's WAN interface fa0/0 IP 96.x.x.x and 192.168.1.1?



thanks

mahesh

Correct Answer by Jon Marshall about 7 years 3 months ago

Mahesh


You can ping any outside address because you are pinging from the router, so the router will use its WAN interface as the source IP and you haven't applied the ACL there. If you want to test it properly, ping an outside IP from a client on your LAN.


Jon
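As an added illustration of Jon's point (example code written for this page, not from the original thread or from Cisco): a small Python model of access-list 100 applied inbound on fa1/0. It parses the two ACL lines from the question and shows that a LAN client's echo is denied on ingress, while a router-originated echo never crosses an inbound ACL and is sent. The interface name, the LAN client 192.168.1.10 and the WAN address 96.51.0.1 are assumptions.

```python
import ipaddress

# The OP's ACL, verbatim; "ip access-group 100 in" binds it inbound on fa1/0.
ACL_100 = [
    "access-list 100 deny   icmp any any echo log-input",
    "access-list 100 permit ip any any",
]

def parse_match(tokens):
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D wildcard'; return (addr, care_bits, rest)."""
    if tokens[0] == "any":
        return 0, 0, tokens[1:]
    if tokens[0] == "host":
        return int(ipaddress.IPv4Address(tokens[1])), 0xFFFFFFFF, tokens[2:]
    addr = int(ipaddress.IPv4Address(tokens[0]))
    wildcard = int(ipaddress.IPv4Address(tokens[1]))
    return addr, 0xFFFFFFFF ^ wildcard, tokens[2:]  # wildcard 0-bits are "care" bits

def parse_acl(lines):
    """Parse numbered extended ACEs into (action, proto, src, smask, dst, dmask, icmp_type)."""
    entries = []
    for line in lines:
        t = line.split()               # ['access-list', '100', action, proto, ...]
        action, proto = t[2], t[3]
        src, smask, rest = parse_match(t[4:])
        dst, dmask, rest = parse_match(rest)
        icmp_type = rest[0] if proto == "icmp" and rest and rest[0] not in ("log", "log-input") else None
        entries.append((action, proto, src, smask, dst, dmask, icmp_type))
    return entries

def evaluate_acl(acl, proto, src, dst, icmp_type=None):
    """First-match evaluation with the implicit deny every IOS ACL ends with."""
    s, d = int(ipaddress.IPv4Address(src)), int(ipaddress.IPv4Address(dst))
    for action, aproto, asrc, smask, adst, dmask, atype in acl:
        if aproto not in ("ip", proto):
            continue
        if (s & smask) != (asrc & smask) or (d & dmask) != (adst & dmask):
            continue
        if atype is not None and atype != icmp_type:
            continue
        return action
    return "deny"

INBOUND_ACLS = {"FastEthernet1/0": parse_acl(ACL_100)}   # assumed interface name

def forward(ingress_if, proto, src, dst, icmp_type=None):
    """ingress_if=None models a packet the router generated itself (e.g. 'ping' at
    the exec prompt): it was never received on an interface, so no inbound ACL applies."""
    if ingress_if is None or ingress_if not in INBOUND_ACLS:
        return "permit"
    return evaluate_acl(INBOUND_ACLS[ingress_if], proto, src, dst, icmp_type)
```

`forward("FastEthernet1/0", "icmp", "192.168.1.10", "4.2.2.2", "echo")` returns `"deny"` (the client test Jon suggests), while `forward(None, "icmp", "96.51.0.1", "4.2.2.2", "echo")` returns `"permit"` (the router's own ping, 96.51.0.1 being a constructed stand-in for the OP's WAN address).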


mahesh18 Fri, 03/12/2010 - 09:10

Hi Jon,


Thanks for the wonderful explanation


thanks


mahesh
