jacobwl01
Beginner

Allowing ping reply in to outside interface Cisco 2811

Good afternoon,

I am trying to allow traceroute and echo replies in from the outside interface. I have an ACL permitting the traffic, but when I test it I get timeouts. Do I also need to put the access-group in under my outside interface to permit the traffic? Here is my config including my ACLs. If I need to rework my ACL for my outside interface, please give me some examples so I can have something to reference.

JLNS-Core-RT1#sh run
Building configuration...


Current configuration : 5266 bytes
!
! Last configuration change at 00:26:34 UTC Wed Dec 9 2020 by admin
!
version 15.1
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname JLNS-Core-RT1
!
boot-start-marker
boot-end-marker
!
!
!
aaa new-model
!
!
aaa group server radius RAD_SERVERS
server-private 172.63.20.10 auth-port 1812 acct-port 1813 key Cisco1
!
aaa authentication login default group RAD_SERVERS local
aaa authorization exec default group RAD_SERVERS local if-authenticated
!
!
!
!
!
aaa session-id common
!
!
dot11 syslog
ip source-route
!
!
ip cef
!
ip dhcp excluded-address 172.20.0.254
ip dhcp excluded-address 172.20.0.200
ip dhcp excluded-address 172.20.64.254
ip dhcp excluded-address 172.20.32.254
ip dhcp excluded-address 172.20.15.254
ip dhcp excluded-address 172.20.16.254
ip dhcp excluded-address 172.20.56.254
ip dhcp excluded-address 172.20.0.201
ip dhcp excluded-address 172.20.32.147
ip dhcp excluded-address 172.20.32.104
!
ip dhcp pool Network_Devices
network 172.20.0.0 255.255.255.0
dns-server 8.8.8.8
domain-name jlns.local
default-router 172.20.0.254
!
ip dhcp pool JLNS_Wired
network 172.20.64.0 255.255.255.0
default-router 172.20.64.254
dns-server 8.8.8.8
!
ip dhcp pool MTL_Wired
network 172.20.32.0 255.255.255.0
default-router 172.20.32.254
dns-server 8.8.8.8
domain-name jlns.local
!
ip dhcp pool JLNS_Wifi
network 172.20.15.0 255.255.255.0
default-router 172.20.15.254
domain-name jlns.local
dns-server 172.20.0.201
!
ip dhcp pool MTL_Wifi
network 172.20.16.0 255.255.255.0
default-router 172.20.16.254
domain-name jlns.local
dns-server 8.8.8.8
!
ip dhcp pool Guest-Wifi
network 172.20.14.0 255.255.255.0
domain-name jlns.local
default-router 172.20.14.254
dns-server 8.8.8.8
!
ip dhcp pool KCopier
host 172.20.32.147 255.255.255.0
hardware-address 00c0.ee16.b714
!
ip dhcp pool KScanner
host 172.20.32.104 255.255.255.0
hardware-address 00c0.ee71.2675
!
!
ip domain name JLNS.local
ip ddns update method myupdate
DDNS
interval maximum 2 0 0 0
!
no ipv6 cef
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
!
!
!
!
voice-card 0
!
crypto pki token default removal timeout 0
!
!
!
!
license udi pid CISCO2811 sn FTX1346A16X
username admin privilege 15 password 0 Willys52!
!
redundancy
!
!
!
!
!
!
!
!
!
!
interface Loopback0
description SSH Int
no ip address
!
interface FastEthernet0/0
description Link to Spectrum
ip address dhcp
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
!
interface FastEthernet0/1
no ip address
duplex auto
speed auto
!
interface FastEthernet0/1.2
description vlan2 int
encapsulation dot1Q 2
ip address 172.20.0.254 255.255.255.0
ip nat inside
ip virtual-reassembly in
!
interface FastEthernet0/1.3
description JLNS-Wired VLAN Int
encapsulation dot1Q 3
ip address 172.20.64.254 255.255.255.0
ip nat inside
ip virtual-reassembly in
!
interface FastEthernet0/1.4
description vlan4 int
encapsulation dot1Q 4
ip address 172.20.32.254 255.255.255.0
ip nat inside
ip virtual-reassembly in
!
interface FastEthernet0/1.5
description vlan5 int
encapsulation dot1Q 5
ip address 172.20.15.254 255.255.255.0
ip nat inside
ip virtual-reassembly in
!
interface FastEthernet0/1.6
description vlan6 int
encapsulation dot1Q 6
ip address 172.20.16.254 255.255.255.0
ip nat inside
ip virtual-reassembly in
!
interface FastEthernet0/1.7
description vlan7 int
encapsulation dot1Q 7
ip address 172.20.14.254 255.255.255.0
ip nat inside
ip virtual-reassembly in
!
interface FastEthernet0/1.8
description vlan8 int
encapsulation dot1Q 8
ip address 172.20.56.254 255.255.255.0
ip helper-address 172.20.56.201
ip nat inside
ip virtual-reassembly in
!
!
ip forward-protocol nd
no ip http server
ip http authentication local
no ip http secure-server
!
!
ip nat inside source list My_LAN interface FastEthernet0/0 overload
ip nat inside source static tcp 172.20.0.200 3389 interface FastEthernet0/0 3389
ip nat inside source static tcp 172.20.0.200 443 interface FastEthernet0/0 443
ip nat inside source static tcp 172.20.0.200 80 interface FastEthernet0/0 80
ip nat inside source static tcp 172.20.0.254 22 interface FastEthernet0/0 22
ip route 0.0.0.0 0.0.0.0 dhcp
!
ip access-list standard My_LAN
permit any
!
ip access-list extended My_WAN
permit tcp any any established
deny ip any any
permit icmp any any
permit tcp any host 172.20.0.200 eq 3389
deny tcp any any
permit icmp any any echo
permit icmp any any echo-reply
permit tcp any host 172.20.0.200 eq 443
permit tcp any host 172.20.0.200 eq www
permit tcp any host 172.20.0.254 eq 22
permit igmp any any
permit icmp any host 172.20.0.254 echo
permit icmp any host 172.20.0.254 echo-reply
permit icmp any host 172.20.0.254 host-unreachable
permit icmp any host 172.20.0.254 host-redirect
permit icmp any any traceroute
!
logging esm config
!
!
!
!
!
!
!
control-plane
!
!
!
!
mgcp profile default
!
!
!
!
!
!
line con 0
exec-timeout 5 30
logging synchronous
line aux 0
line vty 0 4
exec-timeout 5 30
logging synchronous
transport input ssh
line vty 5 15
exec-timeout 5 30
logging synchronous
transport input ssh
!
scheduler allocate 20000 1000
end

JLNS-Core-RT1#

Meheretab Mengistu
Rising star

Hi,


I do not see the access-list applied on the interface FastEthernet0/0. Since it is not applied, it does not have any impact at this point. The question is: what IP addresses did you PING, and from which device (source IP address) did you PING?


HTH,
Meheretab

I pinged my inside global address, the public IP from my ISP.

To apply the ACL, I would put the access-group My_WAN in on the Fa0/0 interface, right?

That is correct.


You can PING the public IP address on Fa0/0 as far as your ISP allows it. If it is not allowed by your ISP, you can not PING it.

When it comes to the My_WAN ACL, you will need to make a few changes; for example, 'deny ip any any' will drop your ICMP traffic. Make at least one change:

ip access-list extended My_WAN
permit tcp any any established
deny ip any any
permit icmp any any

...


Replace it with the following:

ip access-list extended My_WAN
permit tcp any any established
permit icmp any any
deny ip any any

...


HTH,
Meheretab

OK, thank you.

So move the 'deny ip any any' statement to the end of the ACL? Is that correct?

Hello,


The 'deny ip any any' at the end of the access list is not really necessary at all, as all access lists have an implicit 'deny all' at the end. Everything you do not explicitly allow gets dropped anyway.
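The two points made in the replies above (an early 'deny ip any any' shadows every entry after it, and an ACL that matches nothing ends in an implicit deny) as an added example, not code from the original thread: a small Python model of IOS first-match evaluation, run over the first three My_WAN entries as posted and as reordered. The source and destination addresses in the sample packet are constructed placeholders.

```python
"""Added example: first-match walk of an IOS extended ACL, using the My_WAN entries from this thread."""
from dataclasses import dataclass

PORT_NAMES = {"www": 80}  # IOS port keyword that appears in the posted ACL

@dataclass(frozen=True)
class Packet:
    proto: str                 # "tcp", "icmp", "udp", ...
    src: str
    dst: str
    dport: int = 0             # TCP destination port
    icmp_type: str = ""        # "echo", "echo-reply", "traceroute", ...
    established: bool = False  # TCP ACK or RST bit set

def _addr(t, i):
    # Only the address forms used in the posted ACL: "any" and "host X"
    if t[i] == "any":
        return None, i + 1
    if t[i] == "host":
        return t[i + 1], i + 2
    raise ValueError("unsupported address form: " + t[i])

def parse_ace(line):
    t = line.split()
    src, i = _addr(t, 2)
    dst, i = _addr(t, i)
    return t[0], t[1], src, dst, t[i:]  # action, proto, src, dst, qualifiers

def ace_matches(ace, pkt):
    _, proto, src, dst, qual = ace
    if proto not in ("ip", pkt.proto) or src not in (None, pkt.src) or dst not in (None, pkt.dst):
        return False
    if not qual:
        return True  # bare protocol entry such as "permit icmp any any" or "deny ip any any"
    if proto == "tcp" and qual == ["established"]:
        return pkt.established
    if proto == "tcp" and qual[0] == "eq":
        return pkt.dport == (PORT_NAMES.get(qual[1]) or int(qual[1]))
    return proto == "icmp" and pkt.icmp_type == qual[0]

def evaluate(acl, pkt):
    """Return (action, 1-based line) of the first matching entry; line None means the implicit deny."""
    for n, line in enumerate(acl, start=1):
        ace = parse_ace(line)
        if ace_matches(ace, pkt):
            return ace[0], n
    return "deny", None  # every IOS ACL ends with an implicit deny

ORIGINAL = ["permit tcp any any established", "deny ip any any", "permit icmp any any"]
REORDERED = ["permit tcp any any established", "permit icmp any any", "deny ip any any"]
# Constructed sample: an echo-reply arriving on Fa0/0 toward a placeholder public address
ECHO_REPLY = Packet("icmp", "198.51.100.7", "203.0.113.10", icmp_type="echo-reply")
```

With the posted order, `evaluate(ORIGINAL, ECHO_REPLY)` stops at line 2 with a deny; with the reordered list it is permitted at line 2. The ACL only takes effect once it is applied with `ip access-group My_WAN in` on FastEthernet0/0.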