Solved: Extended ACL problems blocking icmp.

dolanduck. · ‎03-17-2019

hey guys i am having trouble with extended ACLs R1 and R2 they keep blocking icmp echo reply. i want to allow pc-a and PC-B to receive ping replies but deny icmp traffic from coming in to both R1 and R2 here are my access list.

access-list 101 permit icmp 38.159.118.104 0.0.0.3 any echo-reply
access-list 101 permit icmp 38.159.118.108 0.0.0.3 any echo-reply
access-list 101 deny icmp any any

and i also tried this to

access-list 101 permit icmp any any echo-reply

access-list 101 deny icmp any any

access-list 100 permit ip any any

and in put them both in g0/1 in

when i do show access list

it show

access-list 101 deny icmp any any this is one thats blocking.

why i allowed icmp reply on the first statement.

Jaderson Pessoa · ‎03-17-2019

This will block just ICMP, any other traffic will allowed.

permit ip any any

Jaderson Pessoa
*** Rate All Helpful Responses ***

View solution in original post

Jaderson Pessoa · ‎03-17-2019

Hello,

try it.

ON R1

ip access-list ext DENY_PING_PCA

permit icmp 192.168.30.3 0.0.0.0 192.168.1.4 0.0.0.0 (change ip as you need)

deny icmp any any

permit ip any any

interface g0/0

ip access-group DENY_PING_PCA out

ON R2

ip access-list ext DENY_PING_PCB

permit icmp 192.168.1.4 0.0.0.0 192.168.1.3 0.0.0.0

deny icmp any any

permit ip any any

interface g0/0

ip access-group DENY_PING_PCB out

Jaderson Pessoa
*** Rate All Helpful Responses ***

dolanduck. · ‎03-17-2019

kinda confused what ip do i use ?

Jaderson Pessoa · ‎03-17-2019

hahaha, sorry, i missed.. these ip are from your switches hahaha.

Use machines ip. PCA and PCB

Regards,

Jaderson Pessoa
*** Rate All Helpful Responses ***

Jon Marshall · ‎03-17-2019

Did you apply the acl inbound on the interface ?

If so that would allow a ping response from the 38.159.118.x IPs to the PCs and then block everything else.

Jon

dolanduck. · ‎03-17-2019

well i put them in int g0/1 going in to R1 and R2

Jon Marshall · ‎03-17-2019

So assuming that means inbound then see previous answer ie. if it the ping reply came from one of those IPs it should be allowed.

Jon

dolanduck. · ‎03-17-2019

here for example from pc-a i want to ping R2 g0/1 interface when i have the icmp deny any any it blocks pings same thing goes for R1 of i ping from R2. but i put permit icmp any any echo reply and still nothing ?

Jaderson Pessoa · ‎03-17-2019

ON R1

ip access-list ext DENY_PING_PCA

permit icmp 192.168.30.3 0.0.0.0 192.168.1.4 0.0.0.0 (ip of pc A - B)
deny icmp any any

permit ip any any

interface g0/0

ip access-group DENY_PING_PCA out

ON R2

ip access-list ext DENY_PING_PCB

permit icmp 192.168.1.4 0.0.0.0 192.168.1.3 0.0.0.0 (ip of pc B - A)

deny icmp any any

permit ip any any

interface g0/0

ip access-group DENY_PING_PCB out

Jaderson Pessoa
*** Rate All Helpful Responses ***

dolanduck. · ‎03-17-2019

i have a Dhcp server on wont that affect it ?

Jaderson Pessoa · ‎03-17-2019

This will block just ICMP, any other traffic will allowed.

permit ip any any

Jaderson Pessoa
*** Rate All Helpful Responses ***

Georg Pauwen · ‎03-17-2019

Hello,

I assume this is a follow up from your earlier post ? I guess it is unclear if you want to permit echo replies from the GigabitEthernet0/1 interfaces to ANY, or just to your local subnet, 192.168.1.0/24...

Your previous post was marked as solved, was it ?

If you want to ping 38.159.118.104/30 and 38.159.118.108/30 from just 192.168.1.0/24, this can be achieved with the below, as indicated:

access-list 101 permit icmp 192.168.1.0 0.0.0.255 38.159.118.104 0.0.0.3 echo-reply
access-list 101 permit icmp 192.168.1.0 0.0.0.255 38.159.118.108 0.0.0.3 echo-reply
access-list 101 deny icmp any any
access-list 101 permit ip any any

R1

interface GigabitEthernet0/1

ip access-group 101 in

R2

interface GigabitEthernet0/1

ip access-group 101 in

Deepak Kumar · ‎03-17-2019

Hi,

This is a duplicate post.

Regards,

Deepak Kumar

Regards,
Deepak Kumar,
Don't forget to vote and accept the solution if this comment will help you!