Access List ICMP question

So here is my setup.

I have Linksys>>1721Router>>switches>>2524 Router>>

The ip for the 1721 router going to the switch is 192.168.2.1
The ip for the 2524 router connected to the switch is 192.168.2.2

I have an extended access list as follows
10 deny icmp host 192.168.2.2 host 192.168.1.1

I then go into the 192.168.2.1 interface and create an access group in...in would be coming from the switch which is connected to the 192.168.2.2 int on the 2524 router.

so my access group looks like

ip access-group 150 in

I would think this should ONLY block any packets with the destination address of 192.168.1.1. However, it is blocking all ping packets from the 2.1 router.

I change it to out and it works fine for communication between the 1721 and the 2524.

Correct me if I'm wrong but if I ping 192.168.2.2 from the 1721 I should have a source ip of 192.168.2.1 and dest ip of 2.2. The reply packet would have a source of 2.2 and destination of 2.1.

So why are they being blocked? Am I making a mistake on my access list?

I can't seem to put my finger on it. I don't want to apply to the out interface because it's a waste of CPU resources.

Find more posts tagged with

Free for TechExams community: Cybersecurity salary guide

Compare cert salaries and plan your next career move

Button

Comments

networker050184

There is an implicit denyall at the end of the ACL. So if you are not specifically permitting the traffic it will be dropped.

bcall64

networker050184 wrote: »

There is an implicit denyall at the end of the ACL. So if you are not specifically permitting the traffic it will be dropped.

Headdesk

wbosher

I made a similar mistake in my lab a little while back. I was almost ready to through my router and PC out the window

when I had the "aha!!" moment and realised what the problem was.

Easily done but certainly won't do it again!