New Member

applying outbound ACL on ATM interface

I have a Cisco 1841 with the following configuration:


interface ATM0/0/0
 description Collegamento ADSL BIT PLUS 1,2M/256
 bandwidth 256
 no ip address
 load-interval 30
 no atm ilmi-keepalive
 dsl operating-mode auto

interface ATM0/0/0.1 point-to-point
 description Mpls ; td-locale ; tgu-locale ; Shasta/ERX1440 ;
 mtu 1500
 bandwidth 20
 ip address
 ip access-group ATM-FILTER out
 no snmp trap link-status
 pvc 8/35
  ubr 240
  encapsulation aal5snap

ip access-list extended ATM-FILTER
 deny ip any any



The inbound ACL doesn't work. I'm still able to ping a remote IP even if I'm exiting through the WAN interface with the deny any ACL applied on it.

In the logs below I'm pinging reachable through WAN interface ATM0/0/0.1.

sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is to network is subnetted, 1 subnets
C is directly connected, ATM0/0/0.1 is subnetted, 1 subnets
C is directly connected, Loopback0
S* is directly connected, ATM0/0/0.1


Protocol [ip]:
Target IP address:
Repeat count [5]: 100
Datagram size [100]:
Timeout in seconds [2]:
Extended commands [n]: y
Source address or interface: loopback 0
Type of service [0]:
Set DF bit in IP header? [no]:
Validate reply data? [no]:
Data pattern [0xABCD]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 100, 100-byte ICMP Echos to, timeout is 2 seconds:
Packet sent with a source address of



Moreover ACL counters don't increase:

01MPIAT1TO10124#sh access-list
Extended IP access list ATM-FILTER
    10 deny ip any any


The same problem persists with different IOS versions (12.3(14)T7 and 12.4(7)a).

The same ACL applied inbound works fine. If I apply it, I am disconnected from the router because I opened a telnet session from a remote site.

Could someone help me?



Hall of Fame Super Silver

Re: applying outbound ACL on ATM interface


You are encountering a basic behavior of IOS: an outbound access list will NOT filter any traffic that is generated BY the router. The outbound access list will filter any traffic that transits the router but not any traffic generated by the router itself.

As you observe an inbound access list will filter all traffic. But an outbound access list will only filter traffic that passes through the router. This is not particularly well documented, but it has always been true in IOS.
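The behavior described in this reply can be reproduced with a small model. The following is an added example, not code from either poster or from Cisco: a simplified simulation of extended-ACL matching in which the outbound check is skipped for router-generated packets. All addresses are constructed, and the function names are hypothetical.

```python
import ipaddress
from dataclasses import dataclass

@dataclass
class Entry:
    action: str            # "permit" or "deny"
    src: tuple             # (address, wildcard) as integers
    dst: tuple
    hits: int = 0          # models the counter shown by "sh access-list"

def _ip(text):
    return int(ipaddress.IPv4Address(text))

def _spec(tokens):
    """Consume one address spec: 'any', 'host A' or 'A WILDCARD'."""
    if tokens[0] == "any":
        return (0, 0xFFFFFFFF), tokens[1:]
    if tokens[0] == "host":
        return (_ip(tokens[1]), 0), tokens[2:]
    return (_ip(tokens[0]), _ip(tokens[1])), tokens[2:]

def parse_acl(lines):
    """Parse 'permit|deny ip SRC DST' entries (only protocol 'ip' is modeled)."""
    acl = []
    for line in lines:
        action, proto, *rest = line.split()
        if action not in ("permit", "deny") or proto != "ip":
            raise ValueError("unsupported entry: " + line)
        src, rest = _spec(rest)
        dst, _ = _spec(rest)
        acl.append(Entry(action, src, dst))
    return acl

def _match(spec, addr):
    base, wild = spec      # wildcard bits set to 1 are "don't care"
    return (_ip(addr) | wild) == (base | wild)

def evaluate(acl, src, dst):
    """First match wins and bumps its counter; no match is the implicit deny."""
    for entry in acl:
        if _match(entry.src, src) and _match(entry.dst, dst):
            entry.hits += 1
            return entry.action
    return "deny"

def ingress(acl_in, src, dst):
    # An inbound ACL sees every packet arriving on the interface.
    return evaluate(acl_in, src, dst)

def egress(acl_out, src, dst, locally_generated):
    # Per the reply above: traffic generated BY the router is never
    # handed to the outbound ACL, so it leaves and no counter moves.
    if locally_generated:
        return "permit"
    return evaluate(acl_out, src, dst)
```

To confirm that an outbound ACL is doing its job, test it with transit traffic (a host behind the router), not with a ping sourced from the router's own loopback.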