problem in ICMP access list

m_aurangzeb · ‎11-23-2005

i m network engineer of an ISP.i want to allow my clients ping any global IP.this a part of my ACL on my router's serial "out port" interface which is connecting to the WAN.my access server is connected to the router's etherner interface. and my client's gateway is access server. when i implement the following ACL on my router's serial out intaerface then i am unable to ping any website or global ip.but i am changing my ACL by changing souce and destination ip address to "any any" then it able to

ping website and IP.

i ve also changed my ACL by keeping source ip to "any" and destination to "src_IP_pool" but still the same problem. pls tell me what would the problem.

! allow pings into the network

access-list 110 permit icmp src_IP_pool any echo

! allow ping responses

access-list 110 permit icmp src_IP_pool any echo-reply

! allow ICMP source-quench

access-list 110 permit icmp src_IP_pool any source-quench

! allow path MTU discovery

access-list 110 permit icmp src_IP_pool any packet-too-big

! allow time-exceeded, which is useful for traceroute

access-list 110 permit icmp src_IP_pool any time-exceeded

! deny all other ICMP packets

access-list 110 deny icmp src_IP_pool any

leonvd79 · ‎11-23-2005

For example let's say I use access-list 110 to permit network 192.168.0.0/24 icmp packets to the Internet.

ip access-list extended 110

permit icmp 192.168.0.0 0.0.0.255 any echo

permit icmp 192.168.0.0 0.0.0.255 any echo-reply

permit icmp 192.168.0.0 0.0.0.255 any source-quench

permit icmp 192.168.0.0 0.0.0.255 any packet-too-big

permit icmp 192.168.0.0 0.0.0.255 any time-exceeded

deny icmp deny 192.168.0.0 0.0.0.255 any

interface FastEthernet 0/0

ip address 192.168.0.1 255.255.255.0

ip access-group 110 out

router#show access-list 110

Look for matches on your access-list 110. You can also debug ip icmp and see what happens.

Good luck