
ACL ICMP - block IN allow OUT

strgaltentf
Level 1

Hello,

 

I have a simple question about my ACL. 

The problem is that if I block all incoming ICMP, I can't do a ping from the server.

 

  • permit icmp host <public-ip> any  --->>> does not work

 

interface Vlan100
 description <description>
 ip address <public-ip>
 ip access-group <acl> out
 no ip redirects
 no ip unreachables
 no ip proxy-arp
end
ip access-list extended <acl>
 permit tcp any any established
 permit icmp host <public-ip> any
 permit tcp any host <public-ip> eq ftp
 permit tcp any host <public-ip> eq ftp-data
 permit tcp any host <public-ip> eq www
 permit tcp any host <public-ip> eq 443
 permit tcp any host <public-ip> eq 8080
 permit tcp any host <public-ip> eq 9090
 permit ip host <my-home-ip> host <public-ip> 
 permit icmp host <monitoring-ip> host <public-ip>

 

Best Regards

 

2 Replies

Reza Sharifi
Hall of Fame

Hi,

What is the inbound access list for blocking inbound traffic? So, inbound should block ICMP traffic from outside and outbound access list should block or allow traffic from inside to outside. Can you post "sh run"?

HTH 

Hi,

The "WAN" Vlan interface doesn't have an ACL.
Inbound filtering is not the problem. Ping from a machine to 1.1.1.1 doesn't work without permit icmp any any
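
Added example, not part of any post in this thread: a small Python model of first-match evaluation for the ACL posted above, assuming the server sits behind Vlan100 so that the `out` ACL filters traffic going toward it. It shows the echo reply from 1.1.1.1 falling to the implicit deny, and a narrower alternative to `permit icmp any any`. The addresses, the `echo-reply` entry and all function names are assumptions of this example.

```python
# Added example: first-match model of the thread's ACL; addresses are constructed.
SERVER, MONITOR, REMOTE = "203.0.113.10", "198.51.100.7", "1.1.1.1"
ORIGINAL = f"""
permit tcp any any established
permit icmp host {SERVER} any
permit tcp any host {SERVER} eq 443
permit icmp host {MONITOR} host {SERVER}
"""
# Assumed fix: admit only replies to the server's own pings, not all ICMP.
FIXED = ORIGINAL + f"permit icmp any host {SERVER} echo-reply\n"
ECHO_REPLY = {"proto": "icmp", "src": REMOTE, "dst": SERVER, "icmp_type": "echo-reply"}

def parse(acl_text):  # 'permit <proto> <src> <dst> [qualifier]' lines -> tuples
    rules = []
    for line in acl_text.splitlines():
        tok = line.split()
        if not tok:
            continue
        addrs, rest = [], tok[2:]
        for _ in range(2):                    # source, then destination
            n = 1 if rest[0] == "any" else 2  # "any" or "host <ip>"
            addrs.append(None if n == 1 else rest[1])
            rest = rest[n:]
        rules.append((tok[0], tok[1], addrs[0], addrs[1], rest))
    return rules

def matches(rule, pkt):
    _, proto, src, dst, qual = rule
    if proto not in ("ip", pkt["proto"]):
        return False
    if src not in (None, pkt["src"]) or dst not in (None, pkt["dst"]):
        return False
    if not qual:
        return True
    if qual[0] == "established":              # TCP with ACK or RST set
        return pkt.get("flags") in ("ack", "rst")
    if qual[0] == "eq":                       # destination port
        return str(pkt.get("dport")) == qual[1]
    return pkt.get("icmp_type") == qual[0]    # ICMP message type keyword

def evaluate(acl_text, pkt):
    """First matching entry wins; no match falls to the implicit deny."""
    for rule in parse(acl_text):
        if matches(rule, pkt):
            return rule[0]
    return "deny"

if __name__ == "__main__":
    print(evaluate(ORIGINAL, ECHO_REPLY), evaluate(FIXED, ECHO_REPLY))
```

The entry `permit icmp host <public-ip> any` never matches in this direction because the server's address is the destination, not the source, of everything the `out` ACL sees.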