From: Toh Soon, Lim (tohsoon28@gmail.com)
Date: Wed Aug 01 2007 - 02:23:31 ART
Hi Brian,
I have labbed it to verify. My config as follows:
!
interface FastEthernet0/1
ip address 150.50.200.1 255.255.255.0
ip access-group 100 in
!
access-list 100 deny icmp any any echo log
access-list 100 permit ip any any
!
R1#pi 150.50.200.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 150.50.200.1, timeout is 2 seconds:
U.U.U
Success rate is 0 percent (0/5)
I got the following error message:
%SEC-6-IPACCESSLOGDP: list 100 denied icmp 150.50.200.1 ->
150.50.200.1(8/0), 1 packet
Yes, the ICMP echo itself (type 8, code 0) is denied, exactly like you said.
One question, to quote you "If you ping yourself the ICMP echo is being
transmitted onto the Ethernet network", do the packets leave the router
interface at all? How does this work?
Thank you.
B.Rgds,
Lim TS
On 8/1/07, Brian Dennis <bdennis@internetworkexpert.com> wrote:
>
> If you ping yourself the ICMP echo is being transmitted onto the
> Ethernet network. Then when you try to receive the ICMP echo that
> you sent, your inbound ACL is denying it. When pinging yourself you
> are then sending an ICMP echo, receiving an ICMP echo, sending an ICMP
> echo reply and finally receiving the ICMP echo reply.
>
> Brian Dennis, CCIE4 #2210 (R&S/ISP-Dial/Security/SP)
> bdennis@internetworkexpert.com
>
> Internetwork Expert, Inc.
> http://www.InternetworkExpert.com
> Toll Free: 877-224-8987
> Direct: 775-745-6404 (Outside the US and Canada)
>
>
> On Jul 31, 2007, at 11:20 AM, NITIN NITIN wrote:
>
> > Hi Experts,
> > I have these ACLs applied on the interface and can't ping my own IP. Why?
> > Although inbound ICMP echo is denied, ICMP echo-reply is
> > permitted.
> >
> > Rack1R4#sh access-lists R3-in
> > Extended IP access list R3-in
> > 10 deny icmp any any echo (48 matches)
> > 20 permit ip any any (1946 matches)
> > Rack1R4#sh access-lists R3-out
> > Extended IP access list R3-out
> > 10 deny icmp any any time-exceeded log
> > 20 deny icmp any any port-unreachable log
> > 30 permit ip any any
> > Rack1R4#ping 204.12.1.254
> > Type escape sequence to abort.
> > Sending 5, 100-byte ICMP Echos to 204.12.1.254, timeout is 2 seconds:
> > !!!!!
> > Success rate is 100 percent (5/5), round-trip min/avg/max =
> > 60/77/100 ms
> > Rack1R4#ping 204.12.1.4
> > Type escape sequence to abort.
> > Sending 5, 100-byte ICMP Echos to 204.12.1.4, timeout is 2 seconds:
> > .....
> > Success rate is 0 percent (0/5)
> > Rack1R4#sh access-lists R3-in
> > Extended IP access list R3-in
> > 10 deny icmp any any echo (53 matches)
> > 20 permit ip any any (1981 matches)
> > Regards
> >
> >
> > _______________________________________________________________________
> > Subscription information may be found at:
> > http://www.groupstudy.com/list/CCIELab.html
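The four-step sequence Brian describes (send echo, receive echo, send echo reply, receive echo reply) can be walked through with a small ACL evaluator. This is an added example, not code from anyone on the list: it parses the `deny icmp any any echo` / `permit ip any any` style lines shown above, applies first-match semantics with the implicit deny, and models only the two "receive" steps against the inbound ACL, since that is the step the thread identifies as dropping the self-ping (it deliberately does not model whether the sent packets are filtered on the way out). The ICMP keyword-to-type mapping and the log line format follow the `%SEC-6-IPACCESSLOGDP` message quoted above; the `any any` parsing is a simplification I assume for the example.

```python
"""Toy evaluator for the self-ping-through-inbound-ACL case (added example)."""
from dataclasses import dataclass
from typing import Optional, Tuple, List

# IOS ICMP keywords used in the thread -> (type, code); None code = any code.
ICMP_KEYWORDS = {
    "echo": (8, None),
    "echo-reply": (0, None),
    "time-exceeded": (11, None),
    "port-unreachable": (3, 3),
}


@dataclass
class Packet:
    proto: str                      # "icmp", "tcp", "udp", ...
    src: str
    dst: str
    icmp_type: Optional[int] = None
    icmp_code: int = 0


@dataclass
class AclEntry:
    action: str                     # "permit" or "deny"
    proto: str                      # "ip" matches every protocol
    icmp: Optional[Tuple[int, Optional[int]]] = None
    log: bool = False


def parse_acl_line(line: str) -> AclEntry:
    """Parse 'deny icmp any any echo log' or '10 permit ip any any (5 matches)'.
    Assumption: only the 'any any' source/destination form is supported."""
    tokens = line.split()
    if tokens[0].isdigit():         # sequence number from 'show access-lists'
        tokens = tokens[1:]
    action, proto = tokens[0], tokens[1]
    rest = tokens[4:]               # everything after 'any any'
    icmp = None
    if proto == "icmp":
        for tok in rest:
            if tok in ICMP_KEYWORDS:
                icmp = ICMP_KEYWORDS[tok]
    return AclEntry(action, proto, icmp, "log" in rest)


def evaluate(name: str, acl: List[AclEntry], pkt: Packet):
    """First-match evaluation with the implicit deny at the end.
    Returns (action, log message or None)."""
    for entry in acl:
        if entry.proto != "ip" and entry.proto != pkt.proto:
            continue
        if entry.icmp is not None:
            t, c = entry.icmp
            if pkt.icmp_type != t or (c is not None and pkt.icmp_code != c):
                continue
        msg = None
        if entry.log and entry.action == "deny":
            msg = (f"%SEC-6-IPACCESSLOGDP: list {name} denied {pkt.proto} "
                   f"{pkt.src} -> {pkt.dst}({pkt.icmp_type}/{pkt.icmp_code}), 1 packet")
        return entry.action, msg
    return "deny", None             # implicit deny


def self_ping(addr: str, acl_name: str, inbound: List[AclEntry]):
    """Model the two inbound steps of pinging your own interface address:
    receiving the echo you sent, then receiving the echo reply you sent.
    Returns (failing step, log message) or None when both steps pass."""
    echo = Packet("icmp", addr, addr, icmp_type=8)
    reply = Packet("icmp", addr, addr, icmp_type=0)
    for step, pkt in (("receive echo", echo), ("receive echo-reply", reply)):
        action, msg = evaluate(acl_name, inbound, pkt)
        if action == "deny":
            return step, msg
    return None


if __name__ == "__main__":
    # Lim's access-list 100 from the thread, with logging on the deny line.
    acl100 = [parse_acl_line(l) for l in
              ["deny icmp any any echo log", "permit ip any any"]]
    print(self_ping("150.50.200.1", "100", acl100))
    # Nitin's R3-in as printed by 'show access-lists'.
    r3_in = [parse_acl_line(l) for l in
             ["10 deny icmp any any echo (48 matches)",
              "20 permit ip any any (1946 matches)"]]
    print(self_ping("204.12.1.4", "R3-in", r3_in))
```

Running it reproduces the behaviour in both posts: the ping fails at the "receive echo" step even though echo-reply is permitted, and with `log` on the deny line the evaluator emits the same `(8/0)` type/code pair Lim saw. Swapping the deny to `echo-reply` instead moves the failure to the second step, which is the quickest way to convince yourself that both directions of your own ping traverse the inbound ACL.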
This archive was generated by hypermail 2.1.4 : Sat Sep 01 2007 - 11:32:09 ART