Unable to ping myself

tebbens
Level 1

I'm running a Cisco 1811 and getting my IP address from the CableModem (OOL).

The router is at 192.168.1.1 and also has its public IP from the CableModem.

From the Router I can ping myself via 192.168.1.1, but I can't ping myself if I use my public IP which is assigned via DHCP I believe.

This is my ACL for FE0 in (CableModem):

access-list 101 permit udp any eq bootps any eq bootpc

access-list 101 deny ip 10.0.0.0 0.255.255.255 any

access-list 101 deny ip 172.16.0.0 0.15.255.255 any

access-list 101 deny ip 192.168.0.0 0.0.255.255 any

access-list 101 deny ip 192.168.1.0 0.0.0.255 any

access-list 101 deny ip 127.0.0.0 0.255.255.255 any

access-list 101 deny ip host 255.255.255.255 any

access-list 101 permit icmp any any echo-reply

access-list 101 permit icmp any any time-exceeded

access-list 101 permit icmp any any unreachable

access-list 101 permit tcp host x.x.x.x any

access-list 101 permit udp host x.x.251.5 eq domain any

access-list 101 permit tcp host x.x.251.5 eq domain any

access-list 101 permit udp host x.x.x.69 eq domain any

access-list 101 permit tcp host x.x.x.69 eq domain any

access-list 101 permit tcp any any eq 22

access-list 101 deny ip any any

I can't find the reason via debugs or logs, nothing shows up.

When I ping my internet ip, then show the access-list(count), the last line (deny ip any any) increases by 5 (the pings). But I don't know why, I thought the ACL icmp lines above should allow that.

Why can't I ping from the router to myself (my internet ip) ?

What am I missing ?

Thanks !

Matthew

Accepted Solutions

pkhatri
Level 11

Hi Matthew,

Change your ACL so that it looks like this (you will have to remove it completely and re-add this):

access-list 101 permit udp any eq bootps any eq bootpc

access-list 101 deny ip 10.0.0.0 0.255.255.255 any

access-list 101 deny ip 172.16.0.0 0.15.255.255 any

access-list 101 deny ip 192.168.0.0 0.0.255.255 any

access-list 101 deny ip 192.168.1.0 0.0.0.255 any

access-list 101 deny ip 127.0.0.0 0.255.255.255 any

access-list 101 deny ip host 255.255.255.255 any

access-list 101 permit icmp any any echo !!!! NEW LINE

access-list 101 permit icmp any any echo-reply

access-list 101 permit icmp any any time-exceeded

access-list 101 permit icmp any any unreachable

access-list 101 permit tcp host x.x.x.x any

access-list 101 permit udp host x.x.251.5 eq domain any

access-list 101 permit tcp host x.x.251.5 eq domain any

access-list 101 permit udp host x.x.x.69 eq domain any

access-list 101 permit tcp host x.x.x.69 eq domain any

access-list 101 permit tcp any any eq 22

access-list 101 deny ip any any

You need to allow ICMP echoes in for you to be able to ping yourself.

Hope that helps - pls rate the post if it does.

Paresh
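
A first-match walk over the ACL from this thread, showing why the router's echo request fell through to `deny ip any any` and what the extra `echo` entry changes. This is an added example, not code from either poster: 203.0.113.10 is a constructed stand-in for the redacted public address, and the evaluator only handles ICMP packets (port qualifiers are parsed and ignored).

```python
import ipaddress

ICMP_TYPES = {"echo": 8, "echo-reply": 0, "time-exceeded": 11, "unreachable": 3}
# Poster's ACL 101; redacted-host tcp/udp entries omitted (cannot match ICMP).
ORIGINAL = """\
access-list 101 permit udp any eq bootps any eq bootpc
access-list 101 deny ip 10.0.0.0 0.255.255.255 any
access-list 101 deny ip 172.16.0.0 0.15.255.255 any
access-list 101 deny ip 192.168.0.0 0.0.255.255 any
access-list 101 deny ip 192.168.1.0 0.0.0.255 any
access-list 101 deny ip 127.0.0.0 0.255.255.255 any
access-list 101 deny ip host 255.255.255.255 any
access-list 101 permit icmp any any echo-reply
access-list 101 permit icmp any any time-exceeded
access-list 101 permit icmp any any unreachable
access-list 101 permit tcp any any eq 22
access-list 101 deny ip any any""".splitlines()
# Accepted answer's version: 'echo' added ahead of the other ICMP permits.
FIXED = ORIGINAL[:7] + ["access-list 101 permit icmp any any echo"] + ORIGINAL[7:]

def to_int(addr):
    return int(ipaddress.IPv4Address(addr))

def parse_addr(tok):
    """Consume 'any', 'host A' or 'A WILDCARD', plus an optional 'eq PORT'."""
    first = tok.pop(0)
    if first == "any":
        spec = (0, 0xFFFFFFFF)
    elif first == "host":
        spec = (to_int(tok.pop(0)), 0)
    else:
        spec = (to_int(first), to_int(tok.pop(0)))
    if tok and tok[0] == "eq":  # ports are skipped: only ICMP is evaluated
        del tok[:2]
    return spec

def addr_match(spec, ip):
    return (to_int(ip) | spec[1]) == (spec[0] | spec[1])

def first_match(acl, src, dst, icmp_type):
    """Return (action, entry) for the first entry matching an ICMP packet."""
    for line in acl:
        action, proto, *tok = line.split()[2:]  # drop 'access-list 101'
        s, d = parse_addr(tok), parse_addr(tok)
        wanted = ICMP_TYPES[tok[0]] if tok else None
        hit = addr_match(s, src) and addr_match(d, dst) and wanted in (None, icmp_type)
        if proto in ("ip", "icmp") and hit:
            return action, line
    return "deny", "implicit deny"
```

With `FIXED`, an echo request from a 192.168.x.x source is still dropped, because the private-range deny entries sit above the new permit.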


2 Replies

I should have researched echo and echo-reply more.

Thanks !!

Matthew
