ACL filtering icmp ECHO-Reply Behavior

Ahmed Mukhtar
Level 1

Hello Guys....

I needed some help here..... I have attached the topology with this in case you don't get what I am trying to ask.

I have just 2 routers connected directly like this...... R1<------------> R2. The network between them is 10.1.12.0/24, R1 has an IP address of 10.1.12.1 & R2 has an IP address of 10.1.12.2..... Well, so far so good, hmmm.

Now the question is simple: I want to block ICMP echo-replies coming from R1 to R2, simple as that. But it only works if I apply an ACL on R2's interface in the INBOUND direction. Why on earth doesn't it work if I apply the ACL on R1's interface in the OUTBOUND direction???

The ACL is this one:

access-list 100 deny icmp host 10.1.12.1 host 10.1.12.2 echo-reply
access-list 100 permit ip any any

It works if I apply this in the inbound direction of R2, but why doesn't it work if I apply this in the OUTBOUND direction of R1?

Please do help me out, thanks :)

1 Reply

milan.kulik
Level 10

Hi,

 

I believe that's because "Access lists that are applied to interfaces do not filter traffic that originates from that router."

See http://www.cisco.com/c/en/us/td/docs/ios/12_2/security/configuration/guide/fsecur_c/scfacls.html#wp1001135 for details.

 

Best regards,

Milan
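
Added example (not part of the original thread, and not Cisco code): a small Python model of the rule quoted in the reply, evaluated against ACL 100 exactly as posted in the question. The packet dictionaries, the "origin" field and the transit host 192.0.2.10 are assumptions constructed for illustration.

```python
# ACL 100 exactly as posted in the question.
ACL_100 = """\
access-list 100 deny icmp host 10.1.12.1 host 10.1.12.2 echo-reply
access-list 100 permit ip any any
"""

def _addr(tok):
    """Consume 'any' or 'host A.B.C.D', the only address forms ACL 100 uses."""
    if tok[0] == "any":
        return None, tok[1:]
    if tok[0] == "host":
        return tok[1], tok[2:]
    raise ValueError("unsupported address spec: " + tok[0])

def parse_acl(text):
    """Turn 'access-list N action proto src dst [icmp-type]' lines into tuples."""
    entries = []
    for tok in filter(None, map(str.split, text.splitlines())):
        action, proto = tok[2], tok[3]
        src, rest = _addr(tok[4:])
        dst, rest = _addr(rest)
        entries.append((action, proto, src, dst, rest[0] if rest else None))
    return entries

def acl_permits(entries, pkt):
    """First matching entry wins; anything unmatched hits the implicit deny."""
    for action, proto, src, dst, icmp_type in entries:
        if (proto in ("ip", pkt["proto"])
                and src in (None, pkt["src"])
                and dst in (None, pkt["dst"])
                and icmp_type in (None, pkt.get("icmp_type"))):
            return action == "permit"
    return False

def interface_acl(entries, pkt, router, direction):
    """Verdict at one interface. Outbound ACLs skip packets that `router` itself
    generated (the rule quoted in the reply); inbound ACLs see every packet."""
    if direction == "out" and pkt["origin"] == router:
        return "not-evaluated"
    return "permit" if acl_permits(entries, pkt) else "deny"

# Constructed packets: R1 answering R2's ping, and a transit reply from a
# hypothetical host behind R1 (192.0.2.10 is a documentation address).
R1_REPLY = {"origin": "R1", "proto": "icmp", "src": "10.1.12.1",
            "dst": "10.1.12.2", "icmp_type": "echo-reply"}
TRANSIT = dict(R1_REPLY, origin="hostA", src="192.0.2.10")

if __name__ == "__main__":
    acl = parse_acl(ACL_100)
    print("R1 out, R1's own reply:", interface_acl(acl, R1_REPLY, "R1", "out"))
    print("R2 in,  R1's own reply:", interface_acl(acl, R1_REPLY, "R2", "in"))
    print("R1 out, transit reply: ", interface_acl(acl, TRANSIT, "R1", "out"))
```

The deny entry itself matches R1's echo-reply; the reply still leaves R1 because the outbound ACL is never consulted for a packet R1 generated, and it is only dropped when R2 evaluates the same list inbound.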


 
