08-25-2003 08:12 AM - edited 03-02-2019 09:51 AM
I have a couple of routers that have public IPs and I can ping them from inside my network, but I cannot ping them from outside my network where I get internet connection. I have an IN access-list, but I am not blocking ICMP or echoes. Any ideas?
08-25-2003 12:26 PM
If ICMP is not specifically permitted, the default action will drop the packets. Can you post your ACL? Just put in bogus IPs when you post.
08-26-2003 04:27 AM
It's fairly long and a lot of editing, but here is the bulk of it.
This is applied IN on the Internet side:
deny ip (our public space) any
deny ip (private addresses) any
deny ip (multicast and reserved space) any
deny ip host 255.255.255.255 any
deny tcp/udp any any eq (trojan ports)
deny udp any any eq snmp
deny udp any any eq 19
permit ip any any
08-26-2003 11:00 AM
Add
permit icmp any any
08-27-2003 12:00 AM
ICMP is included in the last entry of the access-list because IP allows ICMP too.
Did you try to unapply the ACL from the interfaces to test the reachability?
Let me know
Carlo
08-27-2003 03:40 AM
Are you trying to ping your routers through the cloud? If so, there might be a node somewhere in the cloud that is blocking ICMP or echo requests. We ran into the same thing here. Our service provider recently started blocking ICMP requests. Try doing a trace route and see where it stops.
08-27-2003 07:03 AM
I can ping my routers that are connected through our own lines; however, if I go out to the ATT route server I cannot ping my edge or internal routers or any device off of them. I can trace out and in though.
08-27-2003 08:16 AM
Try to write "log" at the end of each line in the ACL, ping the device and then do show access-list... and see which line triggers. Might give you a clue.
08-27-2003 11:30 AM
Thanks for all of the help. It was our provider that was blocking ICMP since the recent worm attacks and they forgot to remove it off of our interface.
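Two points from the replies above can be checked offline: ICMP falls under the final "permit ip any any", and a per-line hit counter (what "log" plus show access-list gives you) shows which entry a ping matches. The sketch below is an added example, not part of the original thread. The address ranges are constructed stand-ins for the poster's placeholders, and the trojan-port line is left out because the post does not list the ports.

```python
import ipaddress

# Constructed model of the posted inbound ACL: (action, protocol, source, dest port).
# Destination is "any" on every line, so it is not modelled.
ACL = [
    ("deny",   "ip",  "198.51.100.0/24",    None),  # "our public space" (placeholder range)
    ("deny",   "ip",  "10.0.0.0/8",         None),  # private addresses
    ("deny",   "ip",  "172.16.0.0/12",      None),
    ("deny",   "ip",  "192.168.0.0/16",     None),
    ("deny",   "ip",  "224.0.0.0/3",        None),  # multicast and reserved space
    ("deny",   "ip",  "255.255.255.255/32", None),
    ("deny",   "udp", "0.0.0.0/0",          161),   # snmp
    ("deny",   "udp", "0.0.0.0/0",          19),
    ("permit", "ip",  "0.0.0.0/0",          None),
]

def evaluate(acl, proto, src, dport=None, hits=None):
    """Return (action, entry index) for the first matching entry."""
    src_ip = ipaddress.ip_address(src)
    for i, (action, acl_proto, net, acl_port) in enumerate(acl):
        if acl_proto != "ip" and acl_proto != proto:
            continue  # "ip" matches every IP protocol, ICMP included
        if src_ip not in ipaddress.ip_network(net):
            continue
        if acl_port is not None and acl_port != dport:
            continue
        if hits is not None:
            hits[i] = hits.get(i, 0) + 1  # per-entry match counter
        return action, i
    return "deny", None  # implicit deny when no entry matches

def hit_counts(acl, packets):
    """Run (proto, src, dport) packets through the ACL and return hits per entry."""
    hits = {}
    for proto, src, dport in packets:
        evaluate(acl, proto, src, dport, hits)
    return hits

if __name__ == "__main__":
    # Constructed test traffic: two outside pings, one SNMP probe, one spoofed private source.
    packets = [("icmp", "203.0.113.7", None), ("icmp", "203.0.113.7", None),
               ("udp", "203.0.113.9", 161), ("tcp", "192.168.1.5", 80)]
    print("outside ping:", evaluate(ACL, "icmp", "203.0.113.7"))
    print("without final permit:", evaluate(ACL[:-1], "icmp", "203.0.113.7"))
    print("hits per entry:", hit_counts(ACL, packets))
```

If the counter on the final permit entry never increments while outside pings are being sent, the echo requests are not reaching the interface, which points upstream, as it did in this thread.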