Cisco Support Community

ACL question

Hi all,

I have applied an extended ACL on my router's LAN interface fa1/0 to block pings from my LAN to any outside IP.

Here is the config

interface FastEthernet1/0
ip dhcp relay information trusted
ip address 192.168.1.1 255.255.255.0
ip access-group 100 in
ip nat inside
ip virtual-reassembly
duplex auto
speed auto

Here is the ACL config

access-list 100 deny   icmp any any echo log-input
access-list 100 permit ip any any

Here are the test results

2650xm#ping 4.2.2.2          <-- outside IP

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 4.2.2.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 44/45/48 ms


2650xm#ping 192.168.1.1      <-- IP of the router's LAN interface

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.1, timeout is 2 seconds:
U.U.U
Success rate is 0 percent (0/5)
2650xm#ping 96.51.x.x        <-- IP of the router's WAN interface

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 96.51.x.x, timeout is 2 seconds:
U.U.U
Success rate is 0 percent (0/5)
2650xm#

Can someone please explain to me why we are able to ping any outside IP even though we have applied the ACL on the router's LAN interface fa1/0, and why we are not able to ping the router's WAN interface fa0/0 IP 96.x.x.x or 192.168.1.1?

thanks

mahesh

1 ACCEPTED SOLUTION

Re: ACL question


Mahesh

You can ping any outside address because you are pinging from the router, so the router will use its WAN interface as the source IP, and you haven't applied the ACL there. If you want to test it properly, ping an outside IP from a client on your LAN.

Jon
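
To make Jon's point concrete, here is a small model of how an IOS inbound interface ACL is consulted. It is an added example for this thread, not code from the original post or from Cisco. It parses the two `access-list 100` lines exactly as posted, applies them inbound on FastEthernet1/0 as the post does, and then runs a few constructed packets through the router: a ping from a LAN host (enters fa1/0, so the ACL sees it and denies it), a ping the router itself originates (generated locally, never enters fa1/0, so no inbound ACL is consulted), and traffic arriving on fa0/0 (no `ip access-group` there, so nothing is checked). The interface names and ACL lines are from the post; the LAN client 192.168.1.10, the stand-in WAN address 96.51.0.1 (the post redacts it as 96.51.x.x) and the packet records are constructed for the demo.

```python
"""Toy model of Cisco IOS inbound interface-ACL evaluation.

Added example for this thread (not from the original post or Cisco).
Shows why 'ip access-group 100 in' on FastEthernet1/0 never sees a ping
that the router itself sources: locally generated packets do not enter
fa1/0, so no inbound ACL is consulted. Packets from a LAN host do enter
fa1/0 and are matched. Addresses below except 4.2.2.2 and 192.168.1.x are
constructed stand-ins (96.51.0.1 stands in for the redacted 96.51.x.x).
"""
from dataclasses import dataclass
from ipaddress import ip_address
from typing import Callable, Dict, List, Optional, Tuple

Matcher = Callable[[int], bool]  # takes an IPv4 address as an int


@dataclass(frozen=True)
class Ace:
    """One access-control entry of a numbered extended ACL."""
    action: str                 # "permit" or "deny"
    proto: str                  # "ip" matches every IP protocol
    src: Matcher
    dst: Matcher
    icmp_type: Optional[str]    # e.g. "echo"; None = any ICMP type


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    icmp_type: Optional[str] = None
    ingress: Optional[str] = None  # interface it arrived on; None = generated by the router


def _take_addr(tokens: List[str], i: int) -> Tuple[Matcher, int]:
    """Consume one IOS address spec (any | host A.B.C.D | A.B.C.D WILDCARD) at tokens[i]."""
    if tokens[i] == "any":
        return (lambda ip: True), i + 1
    if tokens[i] == "host":
        target = int(ip_address(tokens[i + 1]))
        return (lambda ip: ip == target), i + 2
    net = int(ip_address(tokens[i]))
    wild = int(ip_address(tokens[i + 1]))
    keep = ~wild & 0xFFFFFFFF     # wildcard bits set to 1 are "don't care"
    return (lambda ip: ip & keep == net & keep), i + 2


def parse_ace(line: str) -> Ace:
    """Parse 'access-list N {permit|deny} PROTO SRC DST [ICMP-TYPE] [log|log-input]'."""
    t = line.split()
    if t[0] != "access-list":
        raise ValueError(f"not a numbered ACL line: {line!r}")
    action, proto = t[2], t[3]
    src, i = _take_addr(t, 4)
    dst, i = _take_addr(t, i)
    rest = [x for x in t[i:] if x not in ("log", "log-input")]
    icmp_type = rest[0] if proto == "icmp" and rest else None
    return Ace(action, proto, src, dst, icmp_type)


def ace_matches(ace: Ace, pkt: Packet) -> bool:
    """True if this entry matches the packet (protocol, ICMP type, source, destination)."""
    if ace.proto != "ip" and ace.proto != pkt.proto:
        return False
    if ace.icmp_type is not None and ace.icmp_type != pkt.icmp_type:
        return False
    return ace.src(int(ip_address(pkt.src))) and ace.dst(int(ip_address(pkt.dst)))


class Router:
    def __init__(self, acls: Dict[int, List[Ace]], inbound: Dict[str, int]):
        self.acls = acls
        self.inbound = inbound  # interface -> ACL number applied with 'ip access-group N in'

    def evaluate_acl(self, number: int, pkt: Packet) -> Tuple[str, Optional[int]]:
        """First-match evaluation; every IOS ACL ends in an implicit deny."""
        for idx, ace in enumerate(self.acls[number]):
            if ace_matches(ace, pkt):
                return ace.action, idx
        return "deny", None

    def admit(self, pkt: Packet) -> str:
        """Verdict: 'permit', 'deny', or 'not-filtered' when no inbound ACL applies."""
        if pkt.ingress is None:
            return "not-filtered"   # locally generated: never enters an interface inbound
        number = self.inbound.get(pkt.ingress)
        if number is None:
            return "not-filtered"   # interface has no 'ip access-group ... in'
        return self.evaluate_acl(number, pkt)[0]


# The two ACL lines from the post, applied inbound on fa1/0 as the post does.
ACL_100 = [parse_ace(line) for line in (
    "access-list 100 deny   icmp any any echo log-input",
    "access-list 100 permit ip any any",
)]
ROUTER = Router({100: ACL_100}, {"FastEthernet1/0": 100})

# Constructed test packets (not captured traffic).
CASES = {
    "lan_host_ping_outside": Packet("192.168.1.10", "4.2.2.2", "icmp", "echo", "FastEthernet1/0"),
    "router_ping_outside":   Packet("96.51.0.1", "4.2.2.2", "icmp", "echo", None),
    "reply_from_outside":    Packet("4.2.2.2", "192.168.1.10", "icmp", "echo-reply", "FastEthernet0/0"),
    "lan_host_udp":          Packet("192.168.1.10", "4.2.2.2", "udp", None, "FastEthernet1/0"),
}


def run_cases() -> Dict[str, str]:
    """Verdict per constructed packet; the LAN-host ping is the only one the ACL denies."""
    return {name: ROUTER.admit(pkt) for name, pkt in CASES.items()}


if __name__ == "__main__":
    for name, verdict in run_cases().items():
        print(f"{name:24s} -> {verdict}")
```

Only the packet whose ingress is FastEthernet1/0 reaches access-list 100, which is why testing from a LAN client is the right check; with `log-input` on the deny entry, that client's ping is also what shows up in the router's log. The model deliberately does not reproduce the `U.U.U` results the post shows for pings to the router's own addresses.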

Re: ACL question

Hi Jon,

Thanks for the wonderful explanation.

thanks

mahesh
