RE: NOT ABLE TO PING ROUTER OWN INTERFACE IP

From: Djerk Geurts (djerk@djerk.nl)
Date: Wed Aug 01 2007 - 16:10:01 ART


Maybe but it doesn't explain the counter increase on the switch... Which is
exactly on par with the one from the router.

> -----Original Message-----
> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On
> Behalf Of Serhat Aslan
> Sent: Wednesday 1 August 2007 20:56
> To: Toh Soon, Lim
> Cc: Brian Dennis; NITIN NITIN; ccielab@groupstudy.com
> Subject: Re: NOT ABLE TO PING ROUTER OWN INTERFACE IP
>
> Open debug, and ping the local interface and the other side
> router interface;
> you are going to see (x2) more packet output than the remote
> side pinging.
> This means IOS processes two times, probably due to the order of its
> operation. As I understood, it acts as both remote and local router to
> satisfy its inside->to->outside, outside->to->inside operations.
>
> Serhat Aslan
>
> On 8/1/07, Toh Soon, Lim <tohsoon28@gmail.com> wrote:
> >
> > Hi Brian,
> >
> > I have labbed it to verify. My config as follows:
> >
> > !
> > interface FastEthernet0/1
> > ip address 150.50.200.1 255.255.255.0
> > ip access-group 100 in
> > !
> > access-list 100 deny icmp any any echo log
> > access-list 100 permit ip any any
> > !
> >
> > R1#pi 150.50.200.1
> >
> > Type escape sequence to abort.
> > Sending 5, 100-byte ICMP Echos to 150.50.200.1, timeout is 2 seconds:
> > U.U.U
> > Success rate is 0 percent (0/5)
> >
> > I got the following error message:
> > %SEC-6-IPACCESSLOGDP: list 100 denied icmp 150.50.200.1 -> 150.50.200.1(8/0), 1 packet
> >
> > Yes, the ICMP echo itself (type 8, code 0) is denied, exactly like you
> > said.
> >
> > One question, to quote you "If you ping yourself the ICMP echo is being
> > transmitted onto the Ethernet network", do the packets leave the router
> > interface at all? How does this work?
> >
> >
> > Thank you.
> >
> > B.Rgds,
> > Lim TS
> >
> >
> > On 8/1/07, Brian Dennis <bdennis@internetworkexpert.com> wrote:
> > >
> > > If you ping yourself the ICMP echo is being transmitted onto the
> > > Ethernet network. Then when you try to receive the ICMP echo that
> > > you sent your inbound ACL is denying it. When pinging yourself you
> > > are sending an ICMP echo, receiving an ICMP echo, sending an ICMP
> > > echo reply and finally receiving the ICMP echo reply.
> > >
> > > Brian Dennis, CCIE4 #2210 (R&S/ISP-Dial/Security/SP)
> > > bdennis@internetworkexpert.com
> > >
> > > Internetwork Expert, Inc.
> > > http://www.InternetworkExpert.com
> > > Toll Free: 877-224-8987
> > > Direct: 775-745-6404 (Outside the US and Canada)
> > >
> > >
> > > On Jul 31, 2007, at 11:20 AM, NITIN NITIN wrote:
> > >
> > > > Hi Experts,
> > > > I have these ACLs applied on the interface and can't ping my own IP. Why?
> > > > Although inbound ICMP echo is denied, ICMP echo-reply is
> > > > permitted.
> > > >
> > > > Rack1R4#sh access-lists R3-in
> > > > Extended IP access list R3-in
> > > > 10 deny icmp any any echo (48 matches)
> > > > 20 permit ip any any (1946 matches)
> > > > Rack1R4#sh access-lists R3-out
> > > > Extended IP access list R3-out
> > > > 10 deny icmp any any time-exceeded log
> > > > 20 deny icmp any any port-unreachable log
> > > > 30 permit ip any any
> > > > Rack1R4#ping 204.12.1.254
> > > > Type escape sequence to abort.
> > > > Sending 5, 100-byte ICMP Echos to 204.12.1.254, timeout is 2 seconds:
> > > > !!!!!
> > > > Success rate is 100 percent (5/5), round-trip min/avg/max =
> > > > 60/77/100 ms
> > > > Rack1R4#ping 204.12.1.4
> > > > Type escape sequence to abort.
> > > > Sending 5, 100-byte ICMP Echos to 204.12.1.4, timeout is 2 seconds:
> > > > .....
> > > > Success rate is 0 percent (0/5)
> > > > Rack1R4#sh access-lists R3-in
> > > > Extended IP access list R3-in
> > > > 10 deny icmp any any echo (53 matches)
> > > > 20 permit ip any any (1981 matches)
> > > > Regards
> > > >
> > > >
> > > > _______________________________________________________________________
> > > > Subscription information may be found at:
> > > > http://www.groupstudy.com/list/CCIELab.html
> > >
> > >
> >
> >
>
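The four legs of a self-ping described in the thread, modelled as an added example (not code from any poster in the thread): a first-match ACL evaluator run over the thread's access-list 100 and over a constructed variant. The `self_ping` helper, the tuple layout and the `ACL_SELF_OK` variant are assumptions made for illustration.

```python
from ipaddress import ip_address, ip_network

ECHO, ECHO_REPLY = 8, 0  # ICMP type numbers

# Entry layout (assumed for this example):
# (action, source network, destination network, ICMP type or None for "ip any")
ACL_100 = [  # access-list 100 as posted in the thread
    ("deny", "0.0.0.0/0", "0.0.0.0/0", ECHO),
    ("permit", "0.0.0.0/0", "0.0.0.0/0", None),
]
# Constructed variant: permit the interface's own echo ahead of the deny line
ACL_SELF_OK = [("permit", "150.50.200.1/32", "150.50.200.1/32", ECHO)] + ACL_100


def evaluate(acl, src, dst, icmp_type):
    """First matching entry wins; an ACL ends with an implicit deny."""
    for action, s_net, d_net, t in acl:
        if (ip_address(src) in ip_network(s_net)
                and ip_address(dst) in ip_network(d_net)
                and t in (None, icmp_type)):
            return action
    return "deny"


def self_ping(acl_in, ip):
    """Walk the four legs listed in the thread; only the two receive legs
    are checked against the inbound ACL. Returns (trace, success)."""
    legs = [("send echo", None), ("receive echo", ECHO),
            ("send echo-reply", None), ("receive echo-reply", ECHO_REPLY)]
    trace = []
    for name, inbound_type in legs:
        verdict = ("n/a" if inbound_type is None
                   else evaluate(acl_in, ip, ip, inbound_type))
        trace.append((name, verdict))
        if verdict == "deny":
            break  # the exchange stops at the first denied leg
    return trace, trace[-1] == ("receive echo-reply", "permit")


if __name__ == "__main__":
    for label, acl in (("ACL 100", ACL_100), ("ACL 100 + self permit", ACL_SELF_OK)):
        trace, ok = self_ping(acl, "150.50.200.1")
        print(label, "->", "success" if ok else "fail", trace)
```

The constructed permit entry matches on source address only, so any host on the segment sending echoes with source 150.50.200.1 would match it as well.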



This archive was generated by hypermail 2.1.4 : Sat Sep 01 2007 - 11:32:09 ART