Access List ICMP question

bcall64

So here is my setup.

I have Linksys>>1721Router>>switches>>2524 Router>>

The ip for the 1721 router going to the switch is 192.168.2.1
The ip for the 2524 router connected to the switch is 192.168.2.2

I have an extended access list as follows
10 deny icmp host 192.168.2.2 host 192.168.1.1

I then go into the 192.168.2.1 interface and create an access group in...in would be coming from the switch which is connected to the 192.168.2.2 int on the 2524 router.

so my access group looks like

ip access-group 150 in

I would think this should ONLY block any packets with the destination address of 192.168.1.1. However, it is blocking all ping packets from the 2.1 router.

I change it to out and it works fine for communication between the 1721 and the 2524.

Correct me if I'm wrong but if I ping 192.168.2.2 from the 1721 I should have a source ip of 192.168.2.1 and dest ip of 2.2. The reply packet would have a source of 2.2 and destination of 2.1.

So why are they being blocked? Am I making a mistake on my access list?

I can't seem to put my finger on it. I don't want to apply to the out interface because it's a waste of CPU resources.

networker050184

There is an implicit denyall at the end of the ACL. So if you are not specifically permitting the traffic it will be dropped.