Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2286
Views
3
Helpful
19
Replies

ACL extended not working

mangsto32
Level 1
Level 1

‎09-30-2024 10:47 PM - edited ‎09-30-2024 11:20 PM

We are experiencing an issue where cisco router is pinging some servers with his wan ip.

we didn't find the reason so we tried to block the ping,
Despite applying ACL, I still see logs of the ping in the firewall, it's really weird because when I try to ping the servers with the wan IP I can't:

ROUTER#ping 172.24.133.124
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.24.133.124, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
ROUTER#ping 172.24.133.124 so
ROUTER#ping 172.24.133.124 source 198.18.100.9
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.24.133.124, timeout is 2 seconds:
Packet sent with a source address of 198.18.100.9
.....
Success rate is 0 percent (0/5)

cisco config:

ip access-list extended Block-Ping
10 deny icmp host 198.18.100.9 any echo
20 deny icmp host 198.18.100.9 any echo-replySwitching
30 permit ip any any

!

interface GigabitEthernet0/0/1.60
description p2p_to_customer
encapsulation dot1Q 60
ip address 172.24.60.249 255.255.255.0
ip access-group Block-Ping out

 

Labels:
Preview file
42 KB
0 Helpful
19 Replies 19

MHM Cisco World
VIP
VIP
In response to mangsto32

‎10-01-2024 02:43 AM

NO need log I test ACL with log there is no hit so we need to use CoPP and I will run lab and share code here 

thanks 

MHM

0 Helpful

MHM Cisco World
VIP
VIP
In response to mangsto32

‎10-01-2024 02:51 AM 

access-list 152 permit ip host <router interface IP> <server IP>
access-list 152 deny   ip any any <<<- this mandatory 
!
class-map match-all class-icmp
 match access-group 152
!
policy-map policy-icmp
 class class-icmp
   drop
!
control-plane
 service-policy input policy-icmp

MHM 

0 Helpful

mangsto32
Level 1
Level 1
In response to MHM Cisco World

‎10-06-2024 11:03 PM

I still didn't execute the command.

do you know if cdp may be the reason for the ping?

MHM Cisco World
VIP
VIP
In response to mangsto32

‎10-06-2024 11:17 PM

Cdp is use between two direct point and it l2 so sure it not relate to ping send for router to server.

And if you not run copp in router why you not only drop these ping in FW.

I prefer use acl in FW instead of using copp. 

MHM

0 Helpful

mangsto32
Level 1
Level 1
In response to MHM Cisco World

‎10-06-2024 11:21 PM

Thanks for the reply.

but I don't have access to the FW,

0 Helpful
Customers Also Viewed These Support Documents