05-17-2009 08:35 AM - edited 03-04-2019 04:47 AM
Hi everybody,
I tried to block any ping (ICMP) from the Internet to my router. I have configured the below ACLs in the router and applied them on the interface connected to the Internet:
access-list 110 permit icmp any any unreachable
access-list 110 permit icmp any any ttl-exceeded
access-list 110 permit icmp any any echo-reply
access-list 110 deny icmp any any
Applied on the interface connected to the Internet as below:
interface ser 0/0
ip address 210.218.240.19
ip access-group 110 in
It is working perfectly by blocking the ICMP packets destined to the router from the Internet. Also, I am able to ping any public IP from the router console.
But ironically, when I ping the router's own interface ser 0/0, it shows U.U.U
I am not able to ping the self interface after applying the ACLs.
Can you please guide me on what the problem is and the solution?
RBK
05-20-2009 08:41 AM
I tested this on a router, and it does block traffic. The only way to get around this is to add echo to your ACL:
access-list 110 permit icmp any any echo
It also shows me in the log that it's getting denied:
%SEC-6-IPACCESSLOGDP: list PING denied icmp 172.16.5.2 -> 172.16.5.2 (8/0), 1 packet
That should do it.
HTH,
John
05-20-2009 09:06 AM
RBK,
The problem is that when pinging the local serial interface, the packet actually goes to the device attached to the router's serial interface and returns back, hence it is blocked by the last line of your ACL.
To fix it, allow ICMP within the 210.218.240.0 subnet.
__
Edison.
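As an added illustration (not code from either reply), here is a small first-match model of Cisco extended-ACL evaluation for ICMP, run against access-list 110 from the question, the reflected self-ping that John's log line shows (echo 8/0 from the router's own address back to itself), and both suggested fixes. The permit-echo entry is placed ahead of the deny line because evaluation stops at the first match; the 0.0.0.255 wildcard for the 210.218.240.0 subnet and the 198.51.100.7 Internet source are assumptions, since the thread gives neither.

```python
import ipaddress

# Cisco ICMP keywords used in the thread -> ICMP type numbers.
ICMP_KEYWORDS = {"echo": 8, "echo-reply": 0, "unreachable": 3, "ttl-exceeded": 11}

def _parse_addr(tokens, i):
    """Read 'any' or 'address wildcard' starting at tokens[i]; return (spec, next index)."""
    if tokens[i] == "any":
        return None, i + 1
    addr = int(ipaddress.IPv4Address(tokens[i]))
    wild = int(ipaddress.IPv4Address(tokens[i + 1]))
    return (addr, wild), i + 2

def parse_ace(line):
    """Parse 'access-list N permit|deny icmp SRC DST [icmp-keyword]'."""
    t = line.split()
    assert t[0] == "access-list" and t[3] == "icmp", line
    src, i = _parse_addr(t, 4)
    dst, i = _parse_addr(t, i)
    icmp_type = ICMP_KEYWORDS[t[i]] if i < len(t) else None  # None = any ICMP type
    return {"action": t[2], "src": src, "dst": dst, "type": icmp_type}

def _match_addr(spec, ip):
    if spec is None:
        return True
    addr, wild = spec
    mask = ~wild & 0xFFFFFFFF  # wildcard bits are "don't care"
    return (int(ipaddress.IPv4Address(ip)) & mask) == (addr & mask)

def evaluate(acl, src, dst, icmp_type):
    """First matching entry wins; an unmatched packet hits the implicit deny."""
    for ace in acl:
        if (_match_addr(ace["src"], src) and _match_addr(ace["dst"], dst)
                and ace["type"] in (None, icmp_type)):
            return ace["action"]
    return "deny"

ACL_110 = [parse_ace(l) for l in """
access-list 110 permit icmp any any unreachable
access-list 110 permit icmp any any ttl-exceeded
access-list 110 permit icmp any any echo-reply
access-list 110 deny icmp any any
""".splitlines() if l.strip()]

# John's fix (permit echo inserted before the deny) and Edison's fix (assumed /24 wildcard).
FIX_JOHN = ACL_110[:3] + [parse_ace("access-list 110 permit icmp any any echo")] + ACL_110[3:]
FIX_EDISON = [parse_ace("access-list 110 permit icmp 210.218.240.0 0.0.0.255 "
                        "210.218.240.0 0.0.0.255")] + ACL_110

def self_ping_result(acl, router_ip="210.218.240.19"):
    """The echo request the peer reflects back arrives inbound on ser 0/0 as 8/0."""
    return evaluate(acl, router_ip, router_ip, 8)
```

Comparing `evaluate(FIX_JOHN, "198.51.100.7", "210.218.240.19", 8)` with the same call on `FIX_EDISON` shows the trade-off: the echo-any-any line also re-admits echo requests from the Internet, while the subnet-scoped permit restores the self-ping without doing so.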