
Access List ICMP question

bcall64 Member Posts: 156
So here is my setup.

I have Linksys>>1721Router>>switches>>2524 Router>>

The IP for the 1721 router going to the switch is 192.168.2.1
The IP for the 2524 router connected to the switch is 192.168.2.2

I have an extended access list as follows:
10 deny icmp host 192.168.2.2 host 192.168.1.1

I then go into the 192.168.2.1 interface and create an access group in... in would be coming from the switch, which is connected to the 192.168.2.2 int on the 2524 router.

So my access group looks like:

ip access-group 150 in

I would think this should ONLY block any packets with the destination address of 192.168.1.1. However, it is blocking all ping packets from the 2.1 router.

I change it to out and it works fine for communication between the 1721 and the 2524.

Correct me if I'm wrong, but if I ping 192.168.2.2 from the 1721 I should have a source IP of 192.168.2.1 and dest IP of 2.2. The reply packet would have a source of 2.2 and destination of 2.1.

So why are they being blocked? Am I making a mistake on my access list?

I can't seem to put my finger on it. I don't want to apply to the out interface because it's a waste of CPU resources.
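An added example, not part of the original post: a minimal Python model of how an IOS extended access list is evaluated (first matching entry wins, and every list ends with an implicit deny), applied to the single entry and the ping traffic described above. The second list with an explicit permit, the helper names and the sample packets are assumptions made for comparison.

```python
from ipaddress import ip_address, ip_network

ANY = "0.0.0.0/0"  # IOS keyword "any"; "host A" corresponds to A/32

# The list as posted: one deny entry and nothing else.
ACL_AS_POSTED = [
    ("deny", "icmp", "192.168.2.2/32", "192.168.1.1/32"),
]

# Assumed variant (not from the post): same deny followed by an explicit
# "permit ip any any" so unmatched traffic is no longer dropped.
ACL_WITH_PERMIT = ACL_AS_POSTED + [
    ("permit", "ip", ANY, ANY),
]

# Constructed sample packets arriving inbound on the 192.168.2.1 interface.
PACKETS = {
    "echo reply 192.168.2.2 -> 192.168.2.1": ("icmp", "192.168.2.2", "192.168.2.1"),
    "echo request 192.168.2.2 -> 192.168.1.1": ("icmp", "192.168.2.2", "192.168.1.1"),
}


def evaluate(acl, proto, src, dst):
    """Return (action, entry_index); entry_index None means implicit deny."""
    for index, (action, rule_proto, rule_src, rule_dst) in enumerate(acl):
        if rule_proto not in ("ip", proto):
            continue  # "ip" matches every protocol, otherwise protocol must match
        if (ip_address(src) in ip_network(rule_src)
                and ip_address(dst) in ip_network(rule_dst)):
            return action, index  # first match wins, later entries are ignored
    return "deny", None  # nothing matched: implicit deny at the end of the list


def report(acl):
    """Evaluate every sample packet against one access list."""
    return {name: evaluate(acl, *packet) for name, packet in PACKETS.items()}


if __name__ == "__main__":
    for label, acl in (("as posted", ACL_AS_POSTED),
                       ("with explicit permit", ACL_WITH_PERMIT)):
        print(label)
        for name, (action, entry) in report(acl).items():
            reason = "implicit deny" if entry is None else f"entry {entry}"
            print(f"  {name}: {action} ({reason})")
```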
