From: Serhat Aslan (serhatworks@gmail.com)
Date: Wed Aug 01 2007 - 15:55:33 ART
Open debug, and ping the local interface and the other side router interface;
you are going to see (x2) more packet output than the remote side pinging.
This means IOS processes two times, probably due to its order of
operation. As I understood, it acts as both remote and local router to
satisfy its inside->to->outside, outside->to->inside operations.
Serhat Aslan
On 8/1/07, Toh Soon, Lim <tohsoon28@gmail.com> wrote:
>
> Hi Brian,
>
> I have labbed it to verify. My config as follows:
>
> !
> interface FastEthernet0/1
> ip address 150.50.200.1 255.255.255.0
> ip access-group 100 in
> !
> access-list 100 deny icmp any any echo log
> access-list 100 permit ip any any
> !
>
> R1#pi 150.50.200.1
>
> Type escape sequence to abort.
> Sending 5, 100-byte ICMP Echos to 150.50.200.1, timeout is 2 seconds:
> U.U.U
> Success rate is 0 percent (0/5)
>
> I got the following error message:
> %SEC-6-IPACCESSLOGDP: list 100 denied icmp 150.50.200.1 ->
> 150.50.200.1(8/0), 1 packet
>
> Yes, the ICMP echo itself (type 8, code 0) is denied, exactly like you
> said.
>
> One question, to quote you "If you ping yourself the ICMP echo is being
> transmitted onto the Ethernet network", do the packets leave the router
> interface at all? How does this work?
>
>
> Thank you.
>
> B.Rgds,
> Lim TS
>
>
> On 8/1/07, Brian Dennis <bdennis@internetworkexpert.com> wrote:
> >
> > If you ping yourself the ICMP echo is being transmitted onto the
> > Ethernet network. Then when you try to receive the ICMP echo that
> > you sent your inbound ACL is denying it. When pinging yourself you
> > are sending an ICMP echo, receiving an ICMP echo, sending an ICMP
> > echo reply and finally receiving the ICMP echo reply.
> >
> > Brian Dennis, CCIE4 #2210 (R&S/ISP-Dial/Security/SP)
> > bdennis@internetworkexpert.com
> >
> > Internetwork Expert, Inc.
> > http://www.InternetworkExpert.com
> > Toll Free: 877-224-8987
> > Direct: 775-745-6404 (Outside the US and Canada)
> >
> >
> > On Jul 31, 2007, at 11:20 AM, NITIN NITIN wrote:
> >
> > > Hi Experts,
> > > I have these ACLs applied on the int and can't ping my own IP, why ?????
> > > although inbound icmp echo is denied ....... icmp echo-reply is
> > > permitted
> > >
> > > Rack1R4#sh access-lists R3-in
> > > Extended IP access list R3-in
> > > 10 deny icmp any any echo (48 matches)
> > > 20 permit ip any any (1946 matches)
> > > Rack1R4#sh access-lists R3-out
> > > Extended IP access list R3-out
> > > 10 deny icmp any any time-exceeded log
> > > 20 deny icmp any any port-unreachable log
> > > 30 permit ip any any
> > > Rack1R4#ping 204.12.1.254
> > > Type escape sequence to abort.
> > > Sending 5, 100-byte ICMP Echos to 204.12.1.254, timeout is 2 seconds:
> > > !!!!!
> > > Success rate is 100 percent (5/5), round-trip min/avg/max =
> > > 60/77/100 ms
> > > Rack1R4#ping 204.12.1.4
> > > Type escape sequence to abort.
> > > Sending 5, 100-byte ICMP Echos to 204.12.1.4, timeout is 2 seconds:
> > > .....
> > > Success rate is 0 percent (0/5)
> > > Rack1R4#sh access-lists R3-in
> > > Extended IP access list R3-in
> > > 10 deny icmp any any echo (53 matches)
> > > 20 permit ip any any (1981 matches)
> > > Regards
> > >
> > >
> > >
> > > _______________________________________________________________________
> > > Subscription information may be found at:
> > > http://www.groupstudy.com/list/CCIELab.html
This archive was generated by hypermail 2.1.4 : Sat Sep 01 2007 - 11:32:09 ART
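
The self-ping denial visible in the %SEC-6-IPACCESSLOGDP line quoted in the thread can be picked out of router syslog mechanically: a denied ICMP echo (type 8) whose source and destination are the same address. This is an added example, not code from any poster in the thread; the function names are hypothetical and the sample lines marked constructed are made up for illustration.

```python
import re
from collections import Counter

# Layout of the message as quoted in the thread:
#   %SEC-6-IPACCESSLOGDP: list ACL denied icmp SRC -> DST(TYPE/CODE), N packet
LOG_RE = re.compile(
    r"%SEC-6-IPACCESSLOGDP: list (?P<acl>\S+) (?P<action>denied|permitted) icmp "
    r"(?P<src>\d+(?:\.\d+){3}) -> (?P<dst>\d+(?:\.\d+){3})\s*"
    r"\((?P<type>\d+)/(?P<code>\d+)\), (?P<count>\d+) packets?"
)
ICMP_ECHO = 8  # echo request; the echo-reply is type 0


def parse(line):
    """Return the fields of one IPACCESSLOGDP message, or None if no match."""
    m = LOG_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    for key in ("type", "code", "count"):
        rec[key] = int(rec[key])
    return rec


def self_ping_denials(lines):
    """Count denied echo requests where the router is both source and target."""
    hits = Counter()
    for line in lines:
        rec = parse(line)
        if (rec and rec["action"] == "denied" and rec["type"] == ICMP_ECHO
                and rec["src"] == rec["dst"]):
            hits[(rec["acl"], rec["src"])] += rec["count"]
    return hits


SAMPLE = [
    # From the thread (the e-mail line wrap rejoined):
    "%SEC-6-IPACCESSLOGDP: list 100 denied icmp 150.50.200.1 -> 150.50.200.1(8/0), 1 packet",
    # Constructed: later aggregate for the same self-ping flow
    "%SEC-6-IPACCESSLOGDP: list 100 denied icmp 150.50.200.1 -> 150.50.200.1 (8/0), 4 packets",
    # Constructed: echo from a neighbour, denied but not a self-ping
    "%SEC-6-IPACCESSLOGDP: list 100 denied icmp 150.50.200.2 -> 150.50.200.1 (8/0), 3 packets",
    # Constructed: unrelated message that must be ignored
    "%LINK-3-UPDOWN: Interface FastEthernet0/1, changed state to up",
]

if __name__ == "__main__":
    for (acl, addr), count in self_ping_denials(SAMPLE).items():
        print(f"ACL {acl}: {count} echo(s) from {addr} to itself denied inbound")
```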