Buy or Renew
Buy or Renew
NOTICE: The community will be in READ-ONLY Sept. 6 – 9 to add Umbrella release notes and announcements. Learn more.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
821
Views
10
Helpful
3
Replies

ACLs on router on stick. Pings not working

Go to solution
christoffer92
Level 1
Level 1

‎12-10-2022 01:59 AM

Hello! I have run into a problem with pings. I have 3 networks on 3 vlans: students, servers and admin.

Students network is 192.168.1.0, servers network is 192.168.2.0 and admin network is 192.168.3.0.

The following config is working as intended except when I try to ping the student network from any of the other networks which blocks the icmp reply unless I add

permit icmp 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255

or

permit icmp host 192.168.1.10 any

witch defeats the purpose of denying pings from the student network

 

Extended IP access list servers

10 permit tcp 192.168.1.0 0.0.0.255 host 192.168.2.12 eq smtp

20 permit tcp 192.168.1.0 0.0.0.255 host 192.168.2.12 eq pop3

30 permit tcp 192.168.1.0 0.0.0.255 host 192.168.2.10 eq www

40 permit tcp 192.168.3.0 0.0.0.255 host 192.168.2.10 eq www

50 permit tcp 192.168.3.0 0.0.0.255 host 192.168.2.12 eq pop3

60 permit tcp 192.168.3.0 0.0.0.255 host 192.168.2.12 eq smtp

70 permit icmp 192.168.3.0 0.0.0.255 192.168.2.0 0.0.0.255

80 permit tcp host 192.168.3.11 eq www any

90 deny ip any any

100 deny tcp any any

Extended IP access list admin

10 permit tcp 192.168.2.0 0.0.0.255 host 192.168.3.11 eq www

20 permit tcp host 192.168.2.10 eq www any

30 permit tcp host 192.168.2.12 eq smtp any

40 permit tcp host 192.168.2.12 eq pop3 any

50 permit icmp 192.168.2.0 0.0.0.255 192.168.3.0 0.0.0.255

60 deny ip any any

70 deny tcp any any

 

Thanks!

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
MHM Cisco World
VIP
VIP

‎12-10-2022 02:04 AM

permit icmp 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255 echo-reply <<- this only you need to end of your permit ACL line

View solution in original post

3 Replies 3

Go to solution
MHM Cisco World
VIP
VIP

‎12-10-2022 02:04 AM

permit icmp 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255 echo-reply <<- this only you need to end of your permit ACL line

Go to solution
christoffer92
Level 1
Level 1
In response to MHM Cisco World

‎12-10-2022 02:13 AM

Wow thanks, now i feel pretty stupid!

0 Helpful

Go to solution
Rob Ingram
VIP
VIP

‎12-10-2022 02:06 AM

@christoffer92 What interface(s) have you applied the ACL and in which direction? Provide the configuration.

You could just permit echo-reply instead of icmp.

 

Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card