Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1083
Views
10
Helpful
2
Replies

ACL: icmp echo-reply is not working for me

Go to solution
hfakoor222
Spotlight
Spotlight

‎03-18-2022 06:10 PM - last edited on ‎03-21-2022 12:51 PM by Community Manager

Here is my topology 

 

Pic1.png

I've written an ACL to limit contact from vlan 100 into 200, howver I would like ICMP originating from 200 not to time out when going to VLAN 100.

int vlan 200 on switch = 192.168.200.3

int vlan 100 on switch = 192.168.100.2 

 

So here is my output for ACL ~ some of the sequences are redundant as I was playing around with it but it looks like it should be receiving icmp reply and it is not

 

Pic2.png

this ACL is applied on VLAN 200 out (or in I forget) with deny 192.168.100.0 255 wildcard to the 200.0 network

 

here is output of my PC3 in 200.0 network attempting to get an echo reply ping

I've included a 200.0 0.0.0.255 (dest) any echo-reply however it does not seem to be working

 

lmao.png

 

 

 

Labels:
1 Accepted Solution

Accepted Solutions

Go to solution
balaji.bandi
Hall of Fame
Hall of Fame

‎03-18-2022 07:18 PM - last edited on ‎03-21-2022 12:45 PM by Community Manager

Simple ACL should work for you :

 

interface Vlan100
ip address 192.168.100.1 255.255.255.0
ip access-group 100 out
!
interface Vlan200
ip address 192.168.200.1 255.255.255.0
!
!
access-list 100 permit icmp 192.168.100.0 0.0.0.255 host 192.168.200.1 echo-reply
access-list 100 permit icmp 192.168.100.0 0.0.0.255 host 192.168.100.1 echo-reply
!

 

 

Above ACL source 100 vlan to 200 vlan, only allowed gateway - change based on the requirement.

 

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

View solution in original post

0 Helpful
2 Replies 2

Go to solution
MHM Cisco World
VIP
VIP

‎03-18-2022 06:50 PM - edited ‎03-18-2022 06:50 PM

first ACL line is match any traffic between the VLAN, and deny drop traffic.
remove this line or push it to the end of ACL.

Go to solution
balaji.bandi
Hall of Fame
Hall of Fame

‎03-18-2022 07:18 PM - last edited on ‎03-21-2022 12:45 PM by Community Manager

Simple ACL should work for you :

 

interface Vlan100
ip address 192.168.100.1 255.255.255.0
ip access-group 100 out
!
interface Vlan200
ip address 192.168.200.1 255.255.255.0
!
!
access-list 100 permit icmp 192.168.100.0 0.0.0.255 host 192.168.200.1 echo-reply
access-list 100 permit icmp 192.168.100.0 0.0.0.255 host 192.168.100.1 echo-reply
!

 

 

Above ACL source 100 vlan to 200 vlan, only allowed gateway - change based on the requirement.

 

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

0 Helpful
Customers Also Viewed These Support Documents