02-04-2006 12:06 AM - edited 03-03-2019 11:38 AM
Hi,
I have set up an access-list for one particular IP which is residing on the WAN:
int s1/1
ip access-group 101 out
access-list 101 deny ip any 192.168.1.0 0.0.0.255
access-list 101 permit ip any any
Now with this access-list my requirement gets satisfied, I mean LAN users can't ping this IP, but when I log in to the router I am able to ping 192.168.1.0/24 IP addresses. How do I resolve this problem?
02-04-2006 02:12 AM
Hello,
Do the following to stop that:
access-list 102 deny ip 192.168.1.0 0.0.0.255 any
access-list 102 permit ip any any
int s1/1
ip access-group 102 in
Hope that helps - please rate the post if it does.
Paresh
02-04-2006 02:51 AM
I am still able to ping the IP address even with the configuration you have mentioned.
02-04-2006 02:55 AM
That's weird...
Could you post the exact configuration you have got?
Paresh
02-04-2006 04:18 AM
There are a few things to pay attention to in this kind of configuration.
First of all, the router will use the IP of the nearest interface as the source for the ping.
The second point is whether the destination is on the subnet the ACL is on, or is reachable through another interface. The ACL will only be applied on the interface where it is configured.
Using extended ping is a helpful tool for troubleshooting in this kind of situation.
Regards,
Leo
02-04-2006 12:33 PM
The explanation for this is fairly simple. The access list is functioning as expected: it prevents transit traffic (traffic through the router) from being forwarded, but it does not prevent traffic generated by the router from being forwarded. This is standard behavior and IOS has always worked this way. There is no adjustment to the access list that will prevent the router itself from pinging those addresses.
HTH
Rick
02-04-2006 12:46 PM
Rick,
That explanation is fine for an outbound access-list. However, an inbound access-list should still be able to filter traffic, regardless of whether it's bound for the router or is transit traffic. The second ACL I specified was for inbound traffic, so it should have stopped incoming traffic.
Paresh
02-05-2006 03:46 PM
Paresh
The original question was clearly about an outbound access list and why when the access list was applied ping packets from the router were still sent. That is the question that I answered.
Your point that an inbound access list is 100% effective in suppressing traffic from that subnet is quite correct. But I believe the original question was how to stop the outbound traffic. And IOS does not give the ability to stop outbound traffic that originates from the router itself. Perhaps the original poster can clarify what he was asking about.
HTH
Rick
02-05-2006 03:55 PM
Howdy Rick,
Point taken... it's sometimes hard to understand whether a post is in reply to the last post or the original post, so I just wanted to clear up that misunderstanding :-)
As you said, there is no way to stop the router sending out the ICMP packet. We can filter out the reply which will prevent ping from working but that does not stop the original echo request from being sent out in the first place.
Cheers,
Paresh
02-05-2006 04:00 PM
Actually, Rick, I just had a thought. The following could work (haven't tried it out though):
access-list 101 permit icmp any 192.168.1.0 0.0.0.255 echo
access-list 101 permit icmp any 192.168.1.0 0.0.0.255 echo-reply
!
route-map LOCAL_POLICY permit 10
match ip address 101
set interface null0
!
ip local policy route-map LOCAL_POLICY
What do you think ?
Paresh
02-05-2006 04:53 PM
Paresh
The Policy Routing solution is a very interesting thought. I have not tried it but I believe that it probably would work.
And since I believe that the intent in the original post was to prevent all traffic going to that subnet it might be possible to simplify access list 101 to this:
access-list 101 deny ip any 192.168.1.0 0.0.0.255
HTH
Rick
02-05-2006 05:03 PM
Just tried it out, Rick... and it works!
So here's the solution for the original poster:
! this first portion is to deny transit traffic to 192.168.1.0/24
int s1/1
ip access-group 101 out
!
access-list 101 deny ip any 192.168.1.0 0.0.0.255
access-list 101 permit ip any any
! this second portion is to deny router-originated traffic to 192.168.1.0/24
access-list 199 permit ip any 192.168.1.0 0.0.0.255
!
route-map LOCAL_POLICY permit 10
match ip address 199
set interface null0
!
ip local policy route-map LOCAL_POLICY
Hope that solves your problem.
Paresh
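As an added verification walk-through (not part of the original thread, and not the poster's own commands), here are the checks a practitioner would run on the router after applying the final configuration above, including the extended ping Leo suggested. The LAN interface address 10.1.1.1 and the host 192.168.1.1 are assumed placeholders; s1/1 and the ACL and route-map names are the ones from the thread.

```cisco
! Added example: verify the two halves of the solution on the router itself.
! Assumptions: the LAN side of the router is 10.1.1.1 (placeholder),
! 192.168.1.0/24 is reached via Serial1/1, and a host 192.168.1.1 exists.
!
! 1. Confirm what is actually applied: ACL 101 outbound on s1/1, ACL 199
!    referenced by route-map LOCAL_POLICY, and the local policy enabled.
show ip interface Serial1/1 | include access list
show ip access-lists 101
show ip access-lists 199
show route-map LOCAL_POLICY
show running-config | include ip local policy
!
! 2. Router-originated traffic. Ping from the router, once with the default
!    source and once forcing the LAN address as source (extended ping).
!    With ip local policy in place both fail: the echo request matches
!    ACL 199, is sent to Null0, and the "Policy routing matches" counter
!    in show route-map LOCAL_POLICY increases. Without the local policy
!    the outbound ACL 101 is never consulted for these packets.
ping 192.168.1.1
ping 192.168.1.1 source 10.1.1.1
show route-map LOCAL_POLICY
!
! 3. Transit traffic. Ping 192.168.1.1 from a LAN host; the match counter on
!    the deny entry of ACL 101 increases instead, since this path does go
!    through the outbound ACL on s1/1.
show ip access-lists 101
!
! 4. Optional: watch the policy-routing decision live while pinging from
!    the router. Disable it again afterwards.
debug ip policy
undebug all
```

Two things to keep in mind when reading the counters: `ip local policy` only ever touches packets the router generates itself, so it cannot replace the outbound ACL for transit traffic, and ACL 199 matches every router-originated IP packet to 192.168.1.0/24, not only ICMP, so any routing-protocol or management session the router opens to that subnet will be sent to Null0 as well. If that is not wanted, narrow ACL 199 to the ICMP echo/echo-reply entries shown earlier in the thread.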
02-05-2006 04:04 PM
How are you connecting to the router? Your ACL will not work from the router, as you have to configure it on either the TTY (console, auxiliary) or VTY lines with the access-class command.