Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

Question about ACLs

I have a couple of questions about this simple ACL:

access-list 101 permit ip host any

1) Will this ACL block ICMP requests coming from any hosts other than (because of the implicit deny any any)?

2) If this ACL is implemented outbound on an interface, it will supposedly block any "pass-through" traffic not sourced from Therefore ICMP requests sourced from to a remote host through the ACL will be permitted. This outbound ACL should not have any effect on the ICMP replies coming back through the interface (no inbound ACLs applied), so ICMP replies will be successfully received by, right?

I had a scenario where icmp replies weren't being recieved, and debugs on the downstream router said that the replies were being "administraivly prohibited", even though there weren't any inbound ACLs on the local router. (Also no ACLS on the downstream) I don't understand why this happened?

Is this a new IOS feature or something (using 12.4)? Any help is appreciated!

  • LAN Switching and Routing
Hall of Fame Super Blue

Re: Question about ACLs

Hi Christopher

1) Yes it will.

2) Yes you are right, the outbound acl should have no effect on the returning packets. Unless you are using stateful technology eg CBAC on routers then the ICMP replies would be allowed through. I am not aware of any changes in 12.4 that would change this behaviour.




Re: Question about ACLs

Hi ,

To block icmp try to use more precise command instead of permit and deny entire IP protocol.


access-list 101 permit icmp host any echo (for ping)

access-list 101 permit icmp host any echo-reply (for ping reply)



This widget could not be displayed.