Re: ping drops on pinging local interface from jack daniels on 2009-06-23 (Ccielab archives 06/2009)

From: jack daniels <jckdaniels12_at_gmail.com>
Date: Wed, 24 Jun 2009 01:41:12 +0530

Hi Robclav,

why so as icmp and icmp-echo are both orignated by router so shouldnt match
the acl

Regards

On Tue, Jun 23, 2009 at 1:16 PM, <robclav_at_gmail.com> wrote:

> Hi jack,
> The traffic sourcered from router is not filtered but when this traffic
> reach the interface and then it send a icmp reply, then it is filtered.
> But if you apply this incoming acl to the exit int and you ping to the int
> directly attached to this one, theb it will work.
> Pls confirm if it works,
> Br
> Robclav
>
>
>
> BlackBerry de movistar, allm donde estis esta tu oficin@
>
> -----Original Message-----
> From: jack daniels <jckdaniels12_at_gmail.com>
>
> Date: Tue, 23 Jun 2009 12:29:16
> To: <ccielab_at_groupstudy.com>
> Subject: ping drops on pinging local interface
>
>
> Ping works on my interface , but when I apply inbound acl on the interface
> I can't ping my own interface
> But as per I know on the router u apply acl , it doesn't match the router's
> locally orignated traffic
> so please suggest why it is happening ?
>
>
> R3#sh run interface fastEthernet 0/0
> Building configuration...
>
> Current configuration : 103 bytes
> !
> interface FastEthernet0/0
> ip address 10.1.37.3 255.255.255.0
> duplex half
> no clns route-cache
> end
>
> R3#ping 10.1.37.3
>
> Type escape sequence to abort.
> Sending 5, 100-byte ICMP Echos to 10.1.37.3, timeout is 2 seconds:
> !!!!!
> Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/4 ms
> R3#cle
> R3#conf t
> Enter configuration commands, one per line. End with CNTL/Z.
> R3(config)#int fa
> R3(config)#int fastEthernet 0/0
> R3(config-if)#ip acces
> R3(config-if)#ip access-group 101 in
> R3(config-if)#^Z
> R3#conf t
> 00:53:38: %SYS-5-CONFIG_I: Configured from console by cping 10.1.37.3
> R3#ping 10.1.37.3
> R3#ping 10.1.37.3
>
> Type escape sequence to abort.
> Sending 5, 100-byte ICMP Echos to 10.1.37.3, timeout is 2 seconds:
> .....
> Success rate is 0 percent (0/5)
> R3#sh running-config | i access-list 101
> access-list 101 deny icmp any host 10.1.37.3
> access-list 101 permit ip any any
>
>
> Blogs and organic groups at http://www.ccie.net
>
> _______________________________________________________________________
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html

Blogs and organic groups at http://www.ccie.net
Received on Wed Jun 24 2009 - 01:41:12 ART

This archive was generated by hypermail 2.2.0 : Wed Jul 01 2009 - 20:02:37 ART