Solved: Output from debug ip packet

mahesh18 · ‎10-15-2010

hi all,

here is output from ACL 110

2650XM#debug ip packet 110 de
2650XM#debug ip packet 110 detail
IP packet debugging is on (detailed) for access list 110
2650XM#ping 4.2.2.2

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 4.2.2.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 48/51/56 ms

2650XM#
Oct 13 14:00:16.220 MST: IP: tableid=0, s=96.51.x.x (local), d=4.2.2.2 (FastEthernet0/0), routed via FIB
Oct 13 14:00:16.220 MST: IP: s=96.51.x.x (local), d=4.2.2.2 (FastEthernet0/0), len 100, sending
Oct 13 14:00:16.224 MST:     ICMP type=8, code=0
Oct 13 14:00:16.272 MST: IP: tableid=0, s=96.51.x.x(local), d=4.2.2.2 (FastEthernet0/0), routed via FIB
Oct 13 14:00:16.272 MST: IP: s=96.51.x.x(local), d=4.2.2.2 (FastEthernet0/0), len 100, sending
Oct 13 14:00:16.272 MST:     ICMP type=8, code=0
Oct 13 14:00:16.324 MST: IP: tableid=0, s=96.51.x.x(local), d=4.2.2.2 (FastEthernet0/0), routed via FIB
2650XM#
Oct 13 14:00:16.324 MST: IP: s=96.51.x.x(local), d=4.2.2.2 (FastEthernet0/0), len 100, sending
Oct 13 14:00:16.324 MST:     ICMP type=8, code=0
Oct 13 14:00:16.376 MST: IP: tableid=0, s=96.51.x.x(local), d=4.2.2.2 (FastEthernet0/0), routed via FIB
Oct 13 14:00:16.376 MST: IP: s=96.51.x.x(local), d=4.2.2.2 (FastEthernet0/0), len 100, sending
Oct 13 14:00:16.376 MST:     ICMP type=8, code=0
Oct 13 14:00:16.428 MST: IP: tableid=0, s=96.51.x.x(local), d=4.2.2.2 (FastEthernet0/0), routed via FIB
Oct 13 14:00:16.428 MST: IP: s=96.51.x.x (local), d=4.2.2.2 (FastEthernet0/0), len 100, sending
Oct 13 14:00:16.428 MST:     ICMP type=8, code=0

config of acl 110

access-list 110 permit icmp host 96.51.x.x.176 host 4.2.2.2

it is applied to interface

Building configuration...

Current configuration : 271 bytes
!
interface FastEthernet0/0
description WAN Connection to ISP modem
ip address dhcp
ip access-group 110 out

My question is that when we ping some ip we send echo and get back echo reply from that IP but here as per debug we see all the pings from source ip 96..x.x.x. to destination which is 4.2.2.2.

if someone can explain me the out put of above debug please?

thanks

mahesh

Jon Marshall · ‎10-15-2010

Mahesh

Yes, you would need to add another line to your acl 110 ie.

access-list 110 permit icmp host 96.51.x.x.176 host 4.2.2.2

access-list 110 permit icmp host 4.2.2.2 host 96.51.x.x

Jon

View solution in original post

Jon Marshall · ‎10-15-2010


mahesh18 wrote:
hi all,
here is output from ACL  110
2650XM#debug ip packet 110 de
2650XM#debug ip packet 110 detail
IP packet debugging is on (detailed) for access list 110
2650XM#ping 4.2.2.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 4.2.2.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 48/51/56 ms
2650XM#
Oct 13 14:00:16.220 MST: IP: tableid=0, s=96.51.x.x (local), d=4.2.2.2 (FastEthernet0/0), routed via FIB
Oct 13 14:00:16.220 MST: IP: s=96.51.x.x (local), d=4.2.2.2 (FastEthernet0/0), len 100, sending
Oct 13 14:00:16.224 MST:     ICMP type=8, code=0
Oct 13 14:00:16.272 MST: IP: tableid=0, s=96.51.x.x(local), d=4.2.2.2 (FastEthernet0/0), routed via FIB
Oct 13 14:00:16.272 MST: IP: s=96.51.x.x(local), d=4.2.2.2 (FastEthernet0/0), len 100, sending
Oct 13 14:00:16.272 MST:     ICMP type=8, code=0
Oct 13 14:00:16.324 MST: IP: tableid=0, s=96.51.x.x(local), d=4.2.2.2 (FastEthernet0/0), routed via FIB
2650XM#
Oct 13 14:00:16.324 MST: IP: s=96.51.x.x(local), d=4.2.2.2 (FastEthernet0/0), len 100, sending
Oct 13 14:00:16.324 MST:     ICMP type=8, code=0
Oct 13 14:00:16.376 MST: IP: tableid=0, s=96.51.x.x(local), d=4.2.2.2 (FastEthernet0/0), routed via FIB
Oct 13 14:00:16.376 MST: IP: s=96.51.x.x(local), d=4.2.2.2 (FastEthernet0/0), len 100, sending
Oct 13 14:00:16.376 MST:     ICMP type=8, code=0
Oct 13 14:00:16.428 MST: IP: tableid=0, s=96.51.x.x(local), d=4.2.2.2 (FastEthernet0/0), routed via FIB
Oct 13 14:00:16.428 MST: IP: s=96.51.x.x (local), d=4.2.2.2 (FastEthernet0/0), len 100, sending
Oct 13 14:00:16.428 MST:     ICMP type=8, code=0
config of acl 110
access-list 110 permit icmp host 96.51.128.176 host 4.2.2.2
it is applied to interface
Building configuration...
Current configuration : 271 bytes
!
interface FastEthernet0/0
description WAN Connection to ISP modem
ip address dhcp
ip access-group 110 out
My question is that when we ping some ip we send echo  and get back echo reply from that IP  but here as per debug we see all the pings from source ip 96..x.x.x.  to destination which is 4.2.2.2.
if someone can explain me the out put of above debug please?
thanks
mahesh

Mahesh

Not sure what you are asking here.

An outbound access-list applied to a router interface does not stop the router itself sending out ICMP packets. It stops clients behind the router but not the router itself. That is why even with the acl applied you can still ping from the router.

As for the debug, well you only see thos packets in the debug because you are using acl 110 in the debug and only those packets are being matched.

Jon

mahesh18 · ‎10-15-2010

Hi Jon,

thanks for reply

i was asking this thay when we ping the remote ip 4.2.2.2 and use debug command why we do not see the reply coming from destination

4.2.2.2 echo reply?

is this because we have debug config only from source to destination?

thanks

mahesh

Jon Marshall · ‎10-15-2010

Mahesh

Yes, you would need to add another line to your acl 110 ie.

access-list 110 permit icmp host 96.51.x.x.176 host 4.2.2.2

access-list 110 permit icmp host 4.2.2.2 host 96.51.x.x

Jon

mahesh18 · ‎10-15-2010

Many thanks again john

It worked now

Regards

Mahesh