ACL filtering icmp ECHO-Reply Behavior

Hello guys,

I need some help here. I have attached the topology with this in case you don't get what I am trying to ask.

I have just 2 routers connected directly like this: R1 <------------> R2. The network between them is 10.1.12.0/24; R1 has an IP address of 10.1.12.1 and R2 has an IP address of 10.1.12.2. Well, so far so good.

Now the question is simple: I want to block ICMP echo-replies coming from R1 to R2, simple as that. But it only works if I apply an ACL on R2's interface in the INBOUND direction. Why on earth doesn't it work if I apply the ACL on R1's interface in the OUTBOUND direction?

The ACL is this one:

    access-list 100 deny icmp host 10.1.12.1 host 10.1.12.2 echo-reply
    access-list 100 permit ip any any

It works if I apply this in the inbound direction of R2, but why doesn't it work if I apply this in the OUTBOUND direction of R1?

Please do help me out, thanks :)

1 REPLY


Hi,

I believe that's because "Access lists that are applied to interfaces do not filter traffic that originates from that router."

See http://www.cisco.com/c/en/us/td/docs/ios/12_2/security/configuration/guide/fsecur_c/scfacls.html#wp1001135 for details.

Best regards,
Milan
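The two placements side by side, as an added example that is not part of the original post or of Milan's reply. It uses the ACL exactly as posted; the interface name GigabitEthernet0/0 on both routers is an assumption, and the commands shown are standard IOS. The point it makes visible is the one in the quoted documentation: R1's echo-replies are locally originated, so R1's outbound interface ACL never sees them, while R2's inbound ACL is evaluated for every packet arriving on that interface, including packets addressed to R2 itself.

```text
! Added example, not from the original post. Assumed topology:
! R1 Gi0/0 (10.1.12.1) <---> Gi0/0 (10.1.12.2) R2

! The ACL from the question, configured identically on whichever router applies it
access-list 100 deny   icmp host 10.1.12.1 host 10.1.12.2 echo-reply
access-list 100 permit ip any any

! ---- Placement 1: OUTBOUND on R1 -- does NOT block R1's own echo-replies ----
! R1(config)#
interface GigabitEthernet0/0
 ip address 10.1.12.1 255.255.255.0
 ip access-group 100 out
!
! Test from R2:
!   R2# ping 10.1.12.1
! The ping succeeds. R1 generates the echo-replies itself, and interface ACLs
! do not filter traffic that originates from that router, so the outbound ACL
! is never consulted for them. Confirm on R1:
!   R1# show access-lists 100
! The deny line shows no matches for these replies.
!
! Remove it before trying the working placement:
!   R1(config-if)# no ip access-group 100 out

! ---- Placement 2: INBOUND on R2 -- works ----
! R2(config)#
interface GigabitEthernet0/0
 ip address 10.1.12.2 255.255.255.0
 ip access-group 100 in
!
! Test from R2:
!   R2# ping 10.1.12.1
! R2's own echo-requests leave unfiltered (same rule: locally originated), but
! each echo-reply coming back from R1 arrives on Gi0/0 and is checked by the
! inbound ACL, so it is dropped and the ping times out. Confirm on R2:
!   R2# show access-lists 100
! The deny line's match counter now increments once per dropped reply.
```

Two practical checks worth keeping in mind: the match counters in `show access-lists` are the quickest way to tell whether an ACL is even being consulted for a given flow, and `permit ip any any` at the end is what keeps everything else (routing protocol hellos, management traffic) flowing on R2's interface once the ACL is applied inbound. Per the documentation Milan cites, an interface ACL on R1 cannot filter R1's own replies at all, so filtering at the receiving side (R2 inbound) is the placement that matches the stated goal.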
