ACL question

mahesh18 (Level 6)

Hi all,

I have applied an extended ACL on my router's LAN interface fa1/0 to block pings from my LAN to any outside IP.

Here is the config:

interface FastEthernet1/0
ip dhcp relay information trusted
ip address 192.168.1.1 255.255.255.0
ip access-group 100 in
ip nat inside
ip virtual-reassembly
duplex auto
speed auto

Here is the ACL config:

access-list 100 deny   icmp any any echo log-input
access-list 100 permit ip any any

Here are the test results:

2650xm#ping 4.2.2.2          (outside IP)

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 4.2.2.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 44/45/48 ms

2650xm#ping 192.168.1.1      (IP of the router's LAN interface)

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.1, timeout is 2 seconds:
U.U.U
Success rate is 0 percent (0/5)

2650xm#ping 96.51.x.x        (IP of the router's WAN interface)

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 96.51.x.x, timeout is 2 seconds:
U.U.U
Success rate is 0 percent (0/5)
2650xm#

Can someone please explain to me why we are able to ping any outside IP even though we have applied the ACL on the router's LAN interface fa1/0, and why we are not able to ping the router's WAN interface fa0/0 IP 96.x.x.x or 192.168.1.1?

thanks

mahesh

Accepted Solution

Jon Marshall (Hall of Fame)

Mahesh

You can ping any outside address because you are pinging from the router, so the router will use its WAN interface as the source IP, and you haven't applied the ACL there. If you want to test it properly, ping an outside IP from a client on your LAN.

Jon

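To make Jon's point concrete, here is an added example (not part of the original thread, not Cisco code) that simulates how an extended ACL bound with "ip access-group <n> in" treats the pings in this thread. It models only the documented semantics: entries are evaluated top-down, the first match wins, every ACL ends with an implicit "deny ip any any", and an inbound ACL is consulted only for packets that actually arrive on that interface. A packet the router itself originates leaves through the egress interface and never enters fa1/0, so ACL 100 is never evaluated for it, which is why the router's own ping to 4.2.2.2 succeeds while a LAN client's ping would be dropped. The router pinging its own interface addresses (the U.U.U results) is not modelled. ACL 101, the client address 192.168.1.10 and the WAN address 198.51.100.2 are assumptions made for the demonstration; ACL 101 shows one way to keep pings to the router's own LAN address working by matching them before the blanket echo deny.

```python
"""Simulation of Cisco IOS inbound ACL evaluation for the pings in the thread.

Added example, not from the original post. ACL 101, the client address and the
WAN address are assumptions; ACL 100 is copied from the post.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass
class Packet:
    ingress: Optional[str]          # interface the packet arrived on; None = router-originated
    proto: str                      # "icmp", "tcp", "udp" or "ip"
    src: str
    dst: str
    icmp_type: Optional[str] = None  # "echo", "echo-reply", ...


def _ip(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))


def _parse_addr(tokens: list) -> tuple:
    """Consume one IOS address spec ('any', 'host A.B.C.D' or 'A.B.C.D WILDCARD')
    and return (matcher, remaining tokens)."""
    if tokens[0] == "any":
        return (lambda a: True), tokens[1:]
    if tokens[0] == "host":
        target = _ip(tokens[1])
        return (lambda a, t=target: _ip(a) == t), tokens[2:]
    base, wild = _ip(tokens[0]), _ip(tokens[1])
    # Wildcard mask: a 1 bit means "don't care", so only the 0 bits must match.
    return (lambda a, b=base, w=wild: ((_ip(a) ^ b) & ~w & 0xFFFFFFFF) == 0), tokens[2:]


ICMP_TYPES = {"echo", "echo-reply", "unreachable", "time-exceeded", "ttl-exceeded"}


def parse_acl(config: str) -> list:
    """Parse 'access-list N {permit|deny} PROTO SRC DST [ICMP-TYPE] [log|log-input]'."""
    entries = []
    for line in config.strip().splitlines():
        tokens = line.split()
        if len(tokens) < 6 or tokens[0] != "access-list":
            continue
        action, proto = tokens[2], tokens[3]
        src_match, rest = _parse_addr(tokens[4:])
        dst_match, rest = _parse_addr(rest)
        icmp_type = rest[0] if rest and rest[0] in ICMP_TYPES else None
        entries.append((action, proto, src_match, dst_match, icmp_type))
    return entries


def acl_verdict(entries: list, pkt: Packet) -> str:
    """First matching entry wins; the implicit deny at the end catches the rest."""
    for action, proto, src_match, dst_match, icmp_type in entries:
        if proto != "ip" and proto != pkt.proto:
            continue
        if not (src_match(pkt.src) and dst_match(pkt.dst)):
            continue
        if icmp_type is not None and icmp_type != pkt.icmp_type:
            continue
        return action
    return "deny"


def inbound_check(bindings: dict, acls: dict, pkt: Packet) -> str:
    """bindings maps interface name -> ACL number applied 'in' on that interface."""
    if pkt.ingress is None or pkt.ingress not in bindings:
        return "not-evaluated"      # the packet never enters a filtered interface
    return acl_verdict(acls[bindings[pkt.ingress]], pkt)


# ACL 100 exactly as posted in the thread.
ACL_100 = """
access-list 100 deny   icmp any any echo log-input
access-list 100 permit ip any any
"""
# Assumed revision (not in the post): permit echo to the router's own LAN
# address before the blanket echo deny.
ACL_101 = """
access-list 101 permit icmp any host 192.168.1.1 echo
access-list 101 deny   icmp any any echo log-input
access-list 101 permit ip any any
"""
ACLS = {100: parse_acl(ACL_100), 101: parse_acl(ACL_101)}
WAN_IP, LAN_CLIENT = "198.51.100.2", "192.168.1.10"   # constructed addresses


def run_scenarios(lan_acl: int) -> dict:
    """Bind 'ip access-group <lan_acl> in' on fa1/0 and replay the thread's pings."""
    bindings = {"FastEthernet1/0": lan_acl}
    cases = {
        # ping typed on the router: sourced from the WAN side, never enters fa1/0
        "router -> 4.2.2.2": Packet(None, "icmp", WAN_IP, "4.2.2.2", "echo"),
        "client -> 4.2.2.2": Packet("FastEthernet1/0", "icmp", LAN_CLIENT, "4.2.2.2", "echo"),
        "client -> 192.168.1.1": Packet("FastEthernet1/0", "icmp", LAN_CLIENT, "192.168.1.1", "echo"),
        # echo replies and non-ICMP traffic from the LAN still pass
        "client reply -> 4.2.2.2": Packet("FastEthernet1/0", "icmp", LAN_CLIENT, "4.2.2.2", "echo-reply"),
        "client tcp -> 4.2.2.2": Packet("FastEthernet1/0", "tcp", LAN_CLIENT, "4.2.2.2"),
    }
    return {name: inbound_check(bindings, ACLS, pkt) for name, pkt in cases.items()}


if __name__ == "__main__":
    for acl in (100, 101):
        print(f"ACL {acl} applied in on fa1/0:")
        for name, verdict in run_scenarios(acl).items():
            print(f"  {name:26} {verdict}")
```

Running the script prints "not-evaluated" for the router's own ping to 4.2.2.2 under both ACLs, "deny" for a LAN client's echo to 4.2.2.2, and, for the client's echo to 192.168.1.1, "deny" under ACL 100 but "permit" under ACL 101. To verify on the real router, ping an outside address from a LAN host and then check the hit counters with "show access-lists 100"; the "log-input" keyword also produces a syslog line naming the ingress interface and source MAC for each denied echo.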

Hi Jon,

Thanks for the wonderful explanation.

thanks

mahesh