03-17-2019 06:55 AM - edited 03-17-2019 07:26 AM
Hey guys, I am having trouble with extended ACLs on R1 and R2; they keep blocking ICMP echo replies. I want to allow PC-A and PC-B to receive ping replies but deny ICMP traffic from coming in to both R1 and R2. Here are my access lists:
access-list 101 permit icmp 38.159.118.104 0.0.0.3 any echo-reply
access-list 101 permit icmp 38.159.118.108 0.0.0.3 any echo-reply
access-list 101 deny icmp any any
and I also tried this too:
access-list 101 permit icmp any any echo-reply
access-list 101 deny icmp any any
access-list 100 permit ip any any
and I put them both on g0/1 in (inbound).
When I do show access-list, it shows that
access-list 101 deny icmp any any
is the one that's blocking. Why, when I allowed ICMP echo reply in the first statement?
03-17-2019 08:00 AM - edited 03-17-2019 08:02 AM
Hello,
try this.
ON R1
ip access-list ext DENY_PING_PCA
permit icmp 192.168.30.3 0.0.0.0 192.168.1.4 0.0.0.0 (change the IPs as you need)
deny icmp any any
permit ip any any
interface g0/0
ip access-group DENY_PING_PCA out
ON R2
ip access-list ext DENY_PING_PCB
permit icmp 192.168.1.4 0.0.0.0 192.168.1.3 0.0.0.0
deny icmp any any
permit ip any any
interface g0/0
ip access-group DENY_PING_PCB out
03-17-2019 08:15 AM
Kinda confused, what IP do I use?
03-17-2019 08:35 AM - edited 03-17-2019 08:35 AM
Hahaha, sorry, I missed that... these IPs are from your switches hahaha.
Use the machines' IPs, PC-A and PC-B.
Regards,
03-17-2019 08:36 AM
Did you apply the ACL inbound on the interface?
If so, that would allow a ping response from the 38.159.118.x IPs to the PCs and then block everything else.
Jon
03-17-2019 08:42 AM
Well, I put them on int g0/1 going into R1 and R2.
03-17-2019 08:44 AM
So assuming that means inbound, then see the previous answer, i.e. if the ping reply came from one of those IPs it should be allowed.
Jon
03-17-2019 08:45 AM - edited 03-17-2019 08:47 AM
Here for example: from PC-A I want to ping R2's g0/1 interface. When I have the icmp deny any any it blocks pings; the same thing goes for R1 if I ping from R2. But I put permit icmp any any echo-reply and still nothing?
I have a DHCP server on, won't that affect it?
03-17-2019 04:06 PM
Hello,
I assume this is a follow-up from your earlier post? I guess it is unclear if you want to permit echo replies from the GigabitEthernet0/1 interfaces to ANY, or just to your local subnet, 192.168.1.0/24...
Your previous post was marked as solved, was it?
If you want to ping 38.159.118.104/30 and 38.159.118.108/30 from just 192.168.1.0/24, this can be achieved with the below, as indicated:
access-list 101 permit icmp 192.168.1.0 0.0.0.255 38.159.118.104 0.0.0.3 echo-reply
access-list 101 permit icmp 192.168.1.0 0.0.0.255 38.159.118.108 0.0.0.3 echo-reply
access-list 101 deny icmp any any
access-list 101 permit ip any any
R1
interface GigabitEthernet0/1
ip access-group 101 in
R2
interface GigabitEthernet0/1
ip access-group 101 in
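As an added illustration (not from the thread or from Cisco), a small Python model of how an IOS extended ACL is evaluated: wildcard-mask matching and top-down first match with the implicit deny at the end, run against ACL 101 exactly as posted in the question. The PC address 192.168.1.4 and the remote addresses are constructed sample values.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Cisco wildcard mask: a 1 bit means 'don't care'; 'any' is 0.0.0.0 255.255.255.255."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return ((a ^ b) & care) == 0

@dataclass
class Ace:
    action: str                      # "permit" or "deny"
    proto: str                       # "icmp", "tcp", ... or "ip" (matches every protocol)
    src: str
    src_wild: str
    dst: str
    dst_wild: str
    icmp_type: Optional[str] = None  # e.g. "echo-reply"; None matches any ICMP type

ANY = ("0.0.0.0", "255.255.255.255")

# ACL 101 as posted in the question; list positions double as sequence numbers 1..3.
ACL_101 = [
    Ace("permit", "icmp", "38.159.118.104", "0.0.0.3", *ANY, "echo-reply"),
    Ace("permit", "icmp", "38.159.118.108", "0.0.0.3", *ANY, "echo-reply"),
    Ace("deny", "icmp", *ANY, *ANY),
]

def evaluate(acl, src, dst, proto, icmp_type=None):
    """Top-down, first match wins; a packet matching no line hits the implicit deny."""
    for seq, ace in enumerate(acl, start=1):
        if ace.proto != "ip" and ace.proto != proto:
            continue
        if ace.icmp_type is not None and ace.icmp_type != icmp_type:
            continue
        if wildcard_match(src, ace.src, ace.src_wild) and wildcard_match(dst, ace.dst, ace.dst_wild):
            return ace.action, seq
    return "deny", None  # implicit deny at the end of every IOS ACL

PC_A = "192.168.1.4"  # constructed host address behind g0/1, not taken from the thread
# Echo reply returning to the PC: permitted by line 1.
REPLY_IN = evaluate(ACL_101, "38.159.118.105", PC_A, "icmp", "echo-reply")
# The PC's own echo request arriving inbound on g0/1: lines 1-2 match echo-reply only,
# so the only line it can match is 'deny icmp any any', the line the question says is blocking.
REQUEST_IN = evaluate(ACL_101, PC_A, "38.159.118.109", "icmp", "echo-request")
# Non-ICMP traffic: ACL 101 has no 'permit ip any any', so it falls to the implicit deny.
TCP_IN = evaluate(ACL_101, PC_A, "38.159.118.109", "tcp")
```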
03-17-2019 11:01 AM
Hi,
This is a duplicate post.
Regards,
Deepak Kumar