Greetings.

This should be a really easy one.

Im a cisco newbie.  Well this is implied based on the simplicity of my question...

Im trying to use an inbound access list on my OUTSIDE interface (with NAT) to limit access to specific servers, protocols, ports.

When I do this, my router loses the ability to PING.

My understanding was that ACLs only control traffic going THROUGH the router, not originating from the router.

My inside network can perform ANY connection outbound.

Outbound to inbound is working great for the webservers.

If I remove access-list 101 IN from my outside interface, then I can ping.

If I put access-list 101 IN back on the outside interface, then I can't ping.

Clearly I lack a fundamental understanding of what is happening when the router PINGs out.

I want to block ping requests that originate outside my network.

Why does my access-list prevent my router to ping?

What do I need to add to the access list to allow my router to ping out?

Config below.

Any suggestions, comments are greatly appreciated!!

Thanks,

Ross

dtrouter01#sh run

Building configuration...

Current configuration : 5470 bytes

!

version 12.4

no service pad

service timestamps debug datetime msec localtime show-timezone

service timestamps log datetime msec localtime show-timezone

service password-encryption

!

hostname dtrouter01

!

boot-start-marker

boot-end-marker

!

logging message-counter syslog

enable secret 5 $1$Hthu$F8UN7fFoNr5sQ5DDlZOzq0

!

aaa new-model

!

!

aaa session-id common

clock timezone PST8PDT -8

clock summer-time PST8PDT recurring

dot11 syslog

no ip source-route

!

!

ip dhcp bootp ignore

!

!

ip cef

no ip bootp server

no ip domain lookup

ip domain name dtrouter01.dunhamtech.com

!

multilink bundle-name authenticated

!

!

username dtadmin password 7 04710A0504244041191C43

archive

log config

  hidekeys

!

!

ip ssh time-out 60

ip ssh authentication-retries 2

!

!

interface FastEthernet0/0

ip address 69.43.173.37 255.255.255.240

ip access-group 101 in

ip nat outside

ip virtual-reassembly

duplex auto

speed auto

ntp disable

!

interface FastEthernet0/1

ip address 192.168.10.1 255.255.255.0

ip access-group 102 in

ip nat inside

ip virtual-reassembly

duplex auto

speed auto

ntp disable

!

no ip forward-protocol nd

ip route 0.0.0.0 0.0.0.0 69.43.173.33

no ip http server

no ip http secure-server

!

!

ip nat pool ovrld 69.43.173.40 69.43.173.40 prefix-length 28

ip nat inside source list 7 pool ovrld overload

ip nat inside source static tcp 192.168.10.79 80 69.43.173.45 80 extendable

ip nat inside source static tcp 192.168.10.79 443 69.43.173.45 443 extendable

ip nat inside source static tcp 192.168.10.80 80 69.43.173.46 80 extendable

ip nat inside source static tcp 192.168.10.80 443 69.43.173.46 443 extendable

!

logging trap debugging

logging facility local3

logging 192.168.10.71

access-list 7 permit 192.168.10.0 0.0.0.255

access-list 101 permit tcp any host 69.43.173.45 eq www

access-list 101 permit tcp any host 69.43.173.45 eq 443

access-list 101 permit tcp any host 69.43.173.46 eq www

access-list 101 permit tcp any host 69.43.173.46 eq 443

access-list 101 deny   ip any any

access-list 102 permit tcp 192.168.10.0 0.0.0.255 any

access-list 102 permit udp 192.168.10.0 0.0.0.255 any

access-list 102 permit icmp 192.168.10.0 0.0.0.255 any

access-list 102 deny   ip any any

no cdp run

!

!

control-plane

!

banner login ^C

***************

Dunham Tech | Go Away | No Access is Allowed

***************

^C

!

line con 0

password 7 080B4D4D021C0918020E4A

line aux 0

exec-timeout 0 1

no exec

transport output none

line vty 0 4

password 7 132F1611000908253B216E

transport input ssh

!

scheduler allocate 20000 1000

end