This is an often overlooked feature - ip unreachables! So even though the router will block your pings from being sent when leaving g0/14 - it's giving you a little hint to STOP SENDING THEM!
On the loopback interface -
int loop0
!
no ip unreachables
!
I suggest you read this useful link on securing IOS routers -
http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080120f48.shtml
and this timeless whitepaper - which is a great use of our tax money :0)
http://www.nsa.gov/ia/_files/routers/C4-040R-02.pdf
:)
-----Original Message-----
From: nobody_at_groupstudy.com [mailto:nobody_at_groupstudy.com] On Behalf Of muhammad adnan
Sent: Monday, October 01, 2012 5:29 AM
To: Cisco certification
Subject: any icmp access-list mistake....
Dear all group members:-
I am doing a small test. I want to block all pings from my PC attached at
gi0/14 to 192.168.x.0 255.255.255.0.
When I applied the access-list stated below, ping replies were blocked from all addresses in 192.168.x.0 255.255.255.0 except 192.168.x.1. 192.168.x.1 is directly connected to my switch, but the rest of the loopback addresses are 1 hop away.
I already cleared the CEF and ARP cache,
and I am unable to find a stupid mistake or any reason why 192.168.x.1 gives me an echo reply.
Any idea?
interface Loopback0
ip address 192.168.x.1 255.255.255.255
interface GigabitEthernet0/14
description ......
no switchport
ip address x.x.x.x 255.255.255.252
ip access-group loop-back out
ip access-list extended loop-back
deny icmp host 192.168.x.1 any echo-reply
deny icmp 192.168.x.0 0.0.0.255 any echo-reply
permit ip any any
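An added example, not part of either message in this thread, showing the usual cause of this symptom and one way to fix it. 192.168.x.1 is Loopback0 on the same device that carries the outbound ACL, so its echo-reply is generated by the router itself, and IOS outbound ACLs do not filter router-originated traffic; the replies from the other loopbacks arrive from one hop away, are forwarded out gi0/14 and are therefore matched by the outbound ACL. Filtering the echo requests inbound on gi0/14 catches both cases, because inbound ACLs are evaluated before the packet is either forwarded or delivered to the router's own stack. The ACL name loop-back-in, the interface names and the 192.168.x.0 placeholders are assumed for illustration; the original ACL is shown alongside as the weak version.

```cisco
! --- Weak version (as posted): outbound on gi0/14 ---
! Only forwarded echo-replies are matched here. A reply sourced from this
! router's own Loopback0 never passes through the outbound ACL check.
ip access-list extended loop-back
 deny   icmp host 192.168.x.1 any echo-reply
 deny   icmp 192.168.x.0 0.0.0.255 any echo-reply
 permit ip any any
!
interface GigabitEthernet0/14
 ip access-group loop-back out
!
! --- Corrected version (assumed names): inbound on gi0/14 ---
! Drop the echo requests from the PC side before the router decides whether
! to forward them or answer them itself. This covers Loopback0 on this box
! and the loopbacks one hop away with a single entry.
ip access-list extended loop-back-in
 deny   icmp any 192.168.x.0 0.0.0.255 echo
 permit ip any any
!
interface GigabitEthernet0/14
 no ip access-group loop-back out
 ip access-group loop-back-in in
 ! An ACL deny normally triggers an ICMP unreachable (type 3, code 13,
 ! administratively prohibited) back to the sender. Disabling unreachables
 ! on the interface that receives the denied packet keeps the router from
 ! telling the PC why its pings are dying.
 no ip unreachables
```

To confirm the entry is doing the work, ping 192.168.x.1 and one of the remote loopbacks from the PC and then run `show ip access-lists loop-back-in`: the deny entry's match counter should increase for both destinations, while the PC sees only timeouts (no "Destination host unreachable" once `no ip unreachables` is set).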
Received on Mon Oct 01 2012 - 09:44:37 ART