Cisco Support Community
ICMP echo/echo-reply and extended ACLs

I'm having a strange problem, maybe someone can help. Here's the situation:

172.17.5.0/24  --- (Vlan2134) CAT-4948-10G (Vlan2139) ---- 172.18.0.0/16

interface Vlan2134
 description TDP-TECH
 ip address 172.17.5.253 255.255.255.0

interface Vlan2139
 ip address 172.18.0.253 255.255.0.0
 ip access-group LOCKS-IN in
 ip access-group LOCKS-OUT out

I have a ping running, going from 172.17.5.162 to 172.18.0.22. Everything is fine, not sure why it's truncated, though.

$ ping 172.18.0.22
PING 172.18.0.22 (172.18.0.22) 56(84) bytes of data.
40 bytes from 172.18.0.22: icmp_req=1 ttl=63 (truncated)
40 bytes from 172.18.0.22: icmp_req=2 ttl=63 (truncated)
40 bytes from 172.18.0.22: icmp_req=3 ttl=63 (truncated)
^C
--- 172.18.0.22 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2002ms
rtt min/avg/max/mdev = 2.055/2.106/2.149/0.053 ms

The ACLs are defined on the interface, but they haven't actually been configured. If my goal was to allow only these pings, and nothing else, wouldn't a reasonable ACL be something like this:

ip access-list extended LOCKS-IN
 permit icmp 172.17.5.0 0.0.0.255 172.18.0.0 0.0.255.255 echo
ip access-list extended LOCKS-OUT
 permit icmp 172.18.0.0 0.0.255.255 172.17.5.0 0.0.0.255 echo-reply

?

Because when I turn them on, I get this output on my ping:

40 bytes from 172.18.0.22: icmp_req=22 ttl=63 (truncated)
From 172.17.5.253 icmp_seq=36 Packet filtered
From 172.17.5.253 icmp_seq=38 Packet filtered
From 172.17.5.253 icmp_seq=43 Packet filtered
From 172.17.5.253 icmp_seq=48 Packet filtered
From 172.17.5.253 icmp_seq=53 Packet filtered

Does anybody know what's going on here?

This is the version:

Cisco IOS Software, Catalyst 4500 L3 Switch Software (cat4500-IPBASEK9-M), Version 15.0(2)SG7, RELEASE SOFTWARE (fc2)

Thanks,

Stephan

Accepted Solution

ICMP echo/echo-reply and extended ACLs

Stephan,

I think you need to reverse your access lists.

You have:

ip access-list extended LOCKS-IN
 permit icmp 172.17.5.0 0.0.0.255 172.18.0.0 0.0.255.255 echo
ip access-list extended LOCKS-OUT
 permit icmp 172.18.0.0 0.0.255.255 172.17.5.0 0.0.0.255 echo-reply

+++++++++++++++++++++

Try:

ip access-list extended LOCKS-IN
 permit icmp 172.18.0.0 0.0.255.255 172.17.5.0 0.0.0.255 echo-reply
ip access-list extended LOCKS-OUT
 permit icmp 172.17.5.0 0.0.0.255 172.18.0.0 0.0.255.255 echo

The packets coming IN to the VLAN interface will be sourced from 172.18.0.0/16.

Regards,
Alex.
Please rate useful posts.
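
The direction rule in Alex's answer, worked through as an added Python example (it is not code from the thread or from Cisco): an ACL applied "in" on Vlan2139 is evaluated against packets entering the switch from the 172.18.0.0/16 side, so it sees the echo replies; an ACL applied "out" on Vlan2139 is evaluated against packets leaving toward 172.18.0.0/16, so it sees the echo requests. The script parses the ACE lines quoted in the thread (Cisco wildcard semantics: a set bit means "don't care", first match wins, implicit deny at the end), then pushes one echo request and its reply through the two SVIs with Stephan's original lists and with Alex's reversed ones. It also shows why the "Packet filtered" errors in the ping output (ICMP destination unreachable, communication administratively prohibited, type 3 code 13) appear to come from 172.17.5.253: IOS sources that error from the address of the interface the dropped packet arrived on, which here is Vlan2134, not the interface carrying the ACL. The function names (parse_acl, acl_permits, forward, ping, run) are this example's own.

```python
"""Model of how IOS applies the 'in' and 'out' ACLs on Vlan2139 to one ping.

Added example for this thread, not code from the original post or from
Cisco. Topology, addresses and ACL lines are taken from the thread; the
function names are this example's own.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple
import ipaddress

ICMP_TYPES = {"echo": 8, "echo-reply": 0}  # IOS ACL keyword -> ICMP type number


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str = "icmp"
    icmp_type: int = 8


@dataclass(frozen=True)
class Ace:
    action: str               # "permit" or "deny"
    proto: str                # only "icmp" is modelled here
    src: int                  # address to compare against, as an int
    src_wild: int             # Cisco wildcard mask: set bits are "don't care"
    dst: int
    dst_wild: int
    icmp_type: Optional[int]  # None matches any ICMP type


def _ip(text: str) -> int:
    return int(ipaddress.IPv4Address(text))


def parse_acl(text: str) -> List[Ace]:
    """Parse 'permit|deny icmp SRC WILD DST WILD [echo|echo-reply]' lines.
    Any other line (for example 'ip access-list extended ...') is skipped."""
    aces = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 6 or parts[0] not in ("permit", "deny"):
            continue
        action, proto, src, src_w, dst, dst_w = parts[:6]
        itype = ICMP_TYPES[parts[6]] if len(parts) > 6 else None
        aces.append(Ace(action, proto, _ip(src), _ip(src_w), _ip(dst), _ip(dst_w), itype))
    return aces


def _wild_match(addr: int, base: int, wild: int) -> bool:
    # Bits set in the wildcard are ignored; every other bit must be equal.
    return ((addr ^ base) & ~wild & 0xFFFFFFFF) == 0


def acl_permits(acl: List[Ace], pkt: Packet) -> bool:
    """First matching ACE decides; no match at all means the implicit deny."""
    for ace in acl:
        if (ace.proto == pkt.proto
                and _wild_match(_ip(pkt.src), ace.src, ace.src_wild)
                and _wild_match(_ip(pkt.dst), ace.dst, ace.dst_wild)
                and ace.icmp_type in (None, pkt.icmp_type)):
            return ace.action == "permit"
    return False


# Topology from the thread: two SVIs on the 4948, one connected subnet each.
ROUTES = {
    "Vlan2134": ipaddress.ip_network("172.17.5.0/24"),
    "Vlan2139": ipaddress.ip_network("172.18.0.0/16"),
}
SVI_ADDR = {"Vlan2134": "172.17.5.253", "Vlan2139": "172.18.0.253"}


def forward(pkt: Packet, acl_in: Dict[str, List[Ace]], acl_out: Dict[str, List[Ace]]) -> str:
    """Route one packet through the switch: inbound ACL of the ingress SVI first,
    then outbound ACL of the egress SVI. Returns 'delivered' or the error the
    switch sends back; IOS sources that ICMP unreachable (type 3 code 13) from
    the address of the interface the packet ARRIVED on."""
    ingress = next(i for i, n in ROUTES.items() if ipaddress.ip_address(pkt.src) in n)
    egress = next(i for i, n in ROUTES.items() if ipaddress.ip_address(pkt.dst) in n)
    if ingress in acl_in and not acl_permits(acl_in[ingress], pkt):
        return f"From {SVI_ADDR[ingress]}: Packet filtered (inbound ACL on {ingress})"
    if egress in acl_out and not acl_permits(acl_out[egress], pkt):
        return f"From {SVI_ADDR[ingress]}: Packet filtered (outbound ACL on {egress})"
    return "delivered"


def ping(acl_in, acl_out, src="172.17.5.162", dst="172.18.0.22") -> Tuple[str, str]:
    """Outcome for the echo request and for the echo reply of a single ping."""
    echo = forward(Packet(src, dst, icmp_type=ICMP_TYPES["echo"]), acl_in, acl_out)
    if echo != "delivered":
        return echo, "no reply (echo never reached the target)"
    reply = forward(Packet(dst, src, icmp_type=ICMP_TYPES["echo-reply"]), acl_in, acl_out)
    return echo, reply


# The two ACL sets quoted in the thread: Stephan's original and Alex's reversal.
ORIGINAL_IN = "permit icmp 172.17.5.0 0.0.0.255 172.18.0.0 0.0.255.255 echo"
ORIGINAL_OUT = "permit icmp 172.18.0.0 0.0.255.255 172.17.5.0 0.0.0.255 echo-reply"
REVERSED_IN = "permit icmp 172.18.0.0 0.0.255.255 172.17.5.0 0.0.0.255 echo-reply"
REVERSED_OUT = "permit icmp 172.17.5.0 0.0.0.255 172.18.0.0 0.0.255.255 echo"


def run(locks_in: str, locks_out: str) -> Tuple[str, str]:
    """Apply LOCKS-IN / LOCKS-OUT on Vlan2139 only, as in the thread, then ping."""
    return ping({"Vlan2139": parse_acl(locks_in)}, {"Vlan2139": parse_acl(locks_out)})


if __name__ == "__main__":
    print("original:", run(ORIGINAL_IN, ORIGINAL_OUT))
    print("reversed:", run(REVERSED_IN, REVERSED_OUT))
```

With the original lists the echo request is dropped by LOCKS-OUT on Vlan2139 and the error is reported from 172.17.5.253, matching the ping output in the question; with the reversed lists both directions are delivered. Note that the implicit deny still drops everything else crossing Vlan2139, including other ICMP types such as fragmentation-needed, so anything beyond this ping needs its own permit entries in both lists.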
Reply

ICMP echo/echo-reply and extended ACLs

Not so strange, after all! Thanks Alex!
