Cisco Support Community

ACL doesn't seem to be working

I have the following ACL on my border gateway.

access-list 120 remark Only applied to g0/0

access-list 120 remark Prevents Pings to router

access-list 120 deny icmp any any echo log

access-list 120 deny icmp any any traceroute log

access-list 120 permit icmp 66.28.3.0 0.0.0.255 host 38.38.38.150

access-list 120 permit icmp 66.250.250.0 0.0.0.255 host 38.38.38.150

access-list 120 permit icmp 130.117.19.0 0.0.0.255 host 38.38.38.150

access-list 120 permit ip any any

The hosts from the 3 networks permitted to ping don't seem to be able to do it. They keep getting destination unreachable. Anyone see what I'm doing wrong here?

1 ACCEPTED SOLUTION


Re: ACL doesn't seem to be working

Hi

You need to rearrange the order of your access-list. The 3 networks you are trying to permit are getting blocked by your 2 deny lines above them. Once a line in an access-list has been matched, that is it.

You need to change the order to

access-list 120 permit icmp 66.28.3.0 0.0.0.255 host 38.38.38.150

access-list 120 permit icmp 66.250.250.0 0.0.0.255 host 38.38.38.150

access-list 120 permit icmp 130.117.19.0 0.0.0.255 host 38.38.38.150

access-list 120 deny icmp any any echo log

access-list 120 deny icmp any any traceroute log

access-list 120 permit ip any any

HTH

Jon
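
The first-match behaviour described in the answer above, as an added example that is not part of the original thread: a small Python model of top-down ACL evaluation, run over both rule orders from this page. The rules are written without the `access-list 120` prefix, the source host 66.28.3.5 is a constructed address inside the first permitted network, and the function names are hypothetical.

```python
import ipaddress

ORIGINAL = [  # rule order as posted in the question ("access-list 120" prefix dropped)
    "deny icmp any any echo log",
    "deny icmp any any traceroute log",
    "permit icmp 66.28.3.0 0.0.0.255 host 38.38.38.150",
    "permit icmp 66.250.250.0 0.0.0.255 host 38.38.38.150",
    "permit icmp 130.117.19.0 0.0.0.255 host 38.38.38.150",
    "permit ip any any",
]
REORDERED = ORIGINAL[2:5] + ORIGINAL[:2] + ORIGINAL[5:]  # order given in the answer

def to_int(ip):
    return int(ipaddress.IPv4Address(ip))

def take_addr(tok):
    """Consume 'any', 'host A' or 'A WILDCARD'; return ((base, wildcard), rest)."""
    if tok[0] == "any":
        return (0, 0xFFFFFFFF), tok[1:]
    if tok[0] == "host":
        return (to_int(tok[1]), 0), tok[2:]
    return (to_int(tok[0]), to_int(tok[1])), tok[2:]

def parse(rule):
    action, proto, *tok = rule.split()
    src, tok = take_addr(tok)
    dst, tok = take_addr(tok)
    types = [t for t in tok if t != "log"]       # optional ICMP message type
    return action, proto, src, dst, (types[0] if types else None)

def covers(spec, ip):
    base, wild = spec                            # wildcard bits are "don't care"
    return (to_int(ip) | wild) == (base | wild)

def evaluate(acl, proto, src, dst, icmp_type=None):
    """Return (action, matching rule); the first matching rule ends the lookup."""
    for rule in acl:
        action, r_proto, r_src, r_dst, r_type = parse(rule)
        if r_proto not in ("ip", proto):
            continue
        if r_type is not None and r_type != icmp_type:
            continue
        if covers(r_src, src) and covers(r_dst, dst):
            return action, rule
    return "deny", "implicit deny"               # IOS ACLs end with an implicit deny

if __name__ == "__main__":
    for name, acl in (("original", ORIGINAL), ("reordered", REORDERED)):
        # 66.28.3.5 is a constructed host inside the first permitted network
        print(name, evaluate(acl, "icmp", "66.28.3.5", "38.38.38.150", "echo"))
```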
