Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
6427
Views
0
Helpful
5
Replies

command access-list 102 deny icmp any any echo

Go to solution
mahesh18
Level 6
Level 6

‎10-03-2010 08:03 PM - edited ‎03-06-2019 01:17 PM

Hi all,

i have applied ---

access-list 102 deny   icmp any any echo

access-list 102 permit ip any any

on my wan int of router.now when i ping my network from outside i get result

ping 96.51.x.x

Pinging 96.51.x.x with 32 bytes of data:

Reply from 96.51.x.x: Destination net unreachable.
Reply from 96.51.x.x: Destination net unreachable.
Reply from 96.51.x.x: Destination net unreachable.
Reply from 96.51.x.x: Destination net unreachable.

Ping statistics for 96.51.x.x:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 0ms, Average = 0ms

My question is when we ping some device we send echo request to that device and if we can reach that device then we get echo reply back from that

device to us.

as per my understanding here when i send 4 packets to router ip 96.51.x.x.  then router reply me by Reply from 96.51.x.x: Destination net unreachable.

saying that it received my packet but as i have done the config  access-list 102 deny   icmp any any echo  it do not send !!.

i have zero packet loss.

let me know please if i am wrong here or not?

thanks

mahesh

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Mahesh Gohil
Level 7
Level 7
In response to danrya

‎10-03-2010 09:37 PM

Hi mahesh:

also what is difference between receiving reply from a gateway and host?

It means if you are pinging some host behind router and assume that host is not reachable from router then your router will reply

that destination unreachable. here the IP in your ping command and the reply IP will be different.

if both IP is same then this reply is from end host.

hope this is clear to you

Regards

Mahesh

View solution in original post

0 Helpful
5 Replies 5

Go to solution
Mahesh Gohil
Level 7
Level 7

‎10-03-2010 08:33 PM

Hi Mahesh,

Yes ou understand correctly. You can expect below reasons under destination unreachable.

0 = net unreachable;
1 = host unreachable;
2 = protocol unreachable;
3 = port unreachable;
4 = fragmentation needed and DF set;
5 = source route failed.

where

Codes 0, 1, 4, and 5 may be received from a gateway.

Codes 2 and  3 may be received from a host.

As you can see in your case it is net unreachable so I request you to verify the ip returned in "Reply from x.x.x.x" with the IP you used in ping command as this output could be replied by your gateway also.

also you can see counters increased in your access-list to verify that your ping packet is hitting your access list or not

Regards

mahesh

0 Helpful

Go to solution
mahesh18
Level 6
Level 6
In response to Mahesh Gohil

‎10-03-2010 08:48 PM

hi,

when i did ping again here is result

i ping 4 packets

here is result from router

2650xm#sh access-lists 102
Extended IP access list 102
    10 deny icmp any any echo (764 matches)
    20 permit ip any any (74156 matches)
2650xm#sh access-lists 102
Extended IP access list 102
    10 deny icmp any any echo (765 matches)
    20 permit ip any any (74168 matches)
2650xm#sh access-lists 102
Extended IP access list 102
    10 deny icmp any any echo (765 matches)
    20 permit ip any any (74180 matches)
2650xm#sh access-lists 102
Extended IP access list 102
    10 deny icmp any any echo (766 matches)
    20 permit ip any any (74207 matches)
2650xm#sh access-lists 102
Extended IP access list 102
    10 deny icmp any any echo (766 matches)
    20 permit ip any any (74225 matches)
2650xm#sh access-lists 102
Extended IP access list 102
    10 deny icmp any any echo (766 matches)
    20 permit ip any any (74243 matches)
2650xm#sh access-lists 102
Extended IP access list 102
    10 deny icmp any any echo (766 matches)
    20 permit ip any any (74258 matches)


so we can see the packtes are reaching the ACL so it means we are getitng reply from the 2650XM router right?

so here 2650xm as per your note is gateway right ?

also what is difference between receiving reply from a gateway and host?

other thing i want to know is when i config the command  access-list 102 deny   icmp any any echo reply

then i get the request time out ..... saying send 4 packets received 0   and lost 4.

so this means that my echo packet is reaching the destination router but destination router is blocked for echo reply and it is sending .....

also here when we see the received 0 it means my pc received 0 packet from 96.x.x.x router right?

many thanks

mahesh

0 Helpful

Go to solution
danrya
Level 1
Level 1

‎10-03-2010 08:42 PM

As the other user said, yes.  If you don't want the message sent back, you can use "no ip unreachables" under the interface.

Dan

0 Helpful

Go to solution
Mahesh Gohil
Level 7
Level 7
In response to danrya

‎10-03-2010 09:37 PM

Hi mahesh:

also what is difference between receiving reply from a gateway and host?

It means if you are pinging some host behind router and assume that host is not reachable from router then your router will reply

that destination unreachable. here the IP in your ping command and the reply IP will be different.

if both IP is same then this reply is from end host.

hope this is clear to you

Regards

Mahesh

0 Helpful

Go to solution
mahesh18
Level 6
Level 6
In response to Mahesh Gohil

‎10-04-2010 11:00 AM

Thanks a lot MAhesh

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card