topic Re: ACL extended not working in Switching

ACL extended not working

mangsto32 — Tue, 01 Oct 2024 06:20:27 GMT

We are experiencing an issue where cisco router is pinging some servers with his wan ip.

we didn't find the reason so we tried to block the ping,
Despite applying ACL, I still see logs of the ping in the firewall, it's really weird because when I try to ping the servers with the wan IP I can't:

ROUTER#ping 172.24.133.124
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.24.133.124, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
ROUTER#ping 172.24.133.124 so
ROUTER#ping 172.24.133.124 source 198.18.100.9
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.24.133.124, timeout is 2 seconds:
Packet sent with a source address of 198.18.100.9
.....
Success rate is 0 percent (0/5)

cisco config:

ip access-list extended Block-Ping
10 deny icmp host 198.18.100.9 any echo
20 deny icmp host 198.18.100.9 any echo-replySwitching
30 permit ip any any

interface GigabitEthernet0/0/1.60
description p2p_to_customer
encapsulation dot1Q 60
ip address 172.24.60.249 255.255.255.0
ip access-group Block-Ping out

Re: ACL extended not working

Karan Belani — Tue, 01 Oct 2024 06:08:24 GMT

As per the network topology,
The router's gi0/0/1.60 ip address is 172.16.1.1
And in your ACL configuration, you have created the ACE 30 permit ip any any that's why you can ping.
What is your WAN IP? 172.16.1.1 or 172.24.60.249

Re: ACL extended not working

mangsto32 — Tue, 01 Oct 2024 06:16:20 GMT

the wan ip is: 198.18.100.9
as you can see it seems like the acl is working because when I try to ping from the router with this source no ping:
ROUTER#ping 172.24.133.124 source 198.18.100.9
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.24.133.124, timeout is 2 seconds:
Packet sent with a source address of 198.18.100.9
.....
Success rate is 0 percent (0/5)

Re: ACL extended not working

mangsto32 — Tue, 01 Oct 2024 06:21:19 GMT

the toplogy was wrong, I just updated the photo

Re: ACL extended not working

Karan Belani — Tue, 01 Oct 2024 06:47:18 GMT

Hello,
So do you want to block the ping to servers from WAN IP or allow the ping?

Re: ACL extended not working

mangsto32 — Tue, 01 Oct 2024 06:53:52 GMT

Hi
I want to block and it seems like it block, but when I open my firewall I still see the icmp

Re: ACL extended not working

Karan Belani — Tue, 01 Oct 2024 07:01:47 GMT

Hello,
Yes got it, in firewall check the source IP of the ping,
Is there any destination NAT configured on your router? As the public IP won't get translated to Private IP and get routed to the servers unless NAT is configured.

Re: ACL extended not working

MHM Cisco World — Tue, 01 Oct 2024 07:05:06 GMT

Can you add log to ACL you apply and see if it block traffic or not

MHM

Re: ACL extended not working

mangsto32 — Tue, 01 Oct 2024 07:18:04 GMT

There is no NAT on the router, I have a static route to the servers.

in the firewall, I see the source IP that I blocked 198.18.100.9.

How can I add log to the access list? when I do show access-list I don't see matches on the block statement.

Re: ACL extended not working

etienne-buxin — Tue, 01 Oct 2024 07:48:59 GMT

An ACL never applies to traffic generated by the router itself

https://www.ciscopress.com/articles/article.asp?p=174313&seqNum=4

"...ACLs never apply to traffic generated by the router"

Re: ACL extended not working

mangsto32 — Tue, 01 Oct 2024 08:40:33 GMT

Thanks

I will try to use CoPP
maybe this will work.

Re: ACL extended not working

IanTonyBirchall — Tue, 01 Oct 2024 08:50:03 GMT

Just wanting to check, you say you see the pings in the firewall.
Are they they pings with source IP 198.18.100.9?
And are you able to see the hit count on your Block-Ping rule?
Also just to confirm that the Block-Ping rule is named and referenced correctly? not "BLOCK-PING" all caps for example?

Re: ACL extended not working

mangsto32 — Tue, 01 Oct 2024 08:57:20 GMT

Are they they pings with source IP 198.18.100.9? YES
And are you able to see the hit count on your Block-Ping rule? no hit count but when I try to ping with the source I can't:
ROUTER#ping 172.24.133.124 source 198.18.100.9
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.24.133.124, timeout is 2 seconds:
Packet sent with a source address of 198.18.100.9
.....
Success rate is 0 percent (0/5)

Also just to confirm that the Block-Ping rule is named and referenced correctly? not "BLOCK-PING" all caps for example? YES

Re: ACL extended not working

MHM Cisco World — Tue, 01 Oct 2024 09:34:13 GMT

I run lab ACL not work for me I will try CoPP and share code here

MHM

Re: ACL extended not working

mangsto32 — Tue, 01 Oct 2024 09:39:49 GMT

YES
but I am not familiar with that , do I need to see a log in the CLI?

Re: ACL extended not working

MHM Cisco World — Tue, 01 Oct 2024 09:43:38 GMT

NO need log I test ACL with log there is no hit so we need to use CoPP and I will run lab and share code here

thanks

MHM

Re: ACL extended not working

MHM Cisco World — Tue, 01 Oct 2024 09:51:42 GMT

access-list 152 permit ip host <router interface IP> <server IP>
access-list 152 deny   ip any any <<<- this mandatory 
!
class-map match-all class-icmp
 match access-group 152
!
policy-map policy-icmp
 class class-icmp
   drop
!
control-plane
 service-policy input policy-icmp

MHM

Re: ACL extended not working

mangsto32 — Mon, 07 Oct 2024 06:03:14 GMT

I still didn't execute the command.

do you know if cdp may be the reason for the ping?

Re: ACL extended not working

MHM Cisco World — Mon, 07 Oct 2024 06:17:00 GMT

Cdp is use between two direct point and it l2 so sure it not relate to ping send for router to server.

And if you not run copp in router why you not only drop these ping in FW.

I prefer use acl in FW instead of using copp.

MHM

Re: ACL extended not working

mangsto32 — Mon, 07 Oct 2024 06:21:33 GMT

Thanks for the reply.

but I don't have access to the FW,