Well, I did lab that and I'm confused.
I have the same behaviour.
R3 - R1 - R2
from R2 I ping R1's L0 and I got replies.
from R3 I ping R3's L0 and I don't get replies.
R1's Loop0 is 1.1.1.1/24
R3's Loop0 is 1.1.3.1/24
access-list applied to R1 fa0/0 (side R2) is this one:
Extended IP access list LOOP
10 deny icmp 1.1.0.0 0.0.255.255 any echo-reply (10 matches)
20 permit ip any any
I've set up 'no ip unreachable' on R1's Loop0, but since I get a reply I
guess this doesn't apply..
or am I missing something?
R2#ping 1.1.1.1 rep 2
Type escape sequence to abort.
Sending 2, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:
!!
R2#ping 1.1.3.1 rep 2
Sending 2, 100-byte ICMP Echos to 1.1.3.1, timeout is 2 seconds:
..
Success rate is 0 percent (0/2)
thanks
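As an added example (my code, not from anyone in this thread), here is a small model of how IOS evaluates the LOOP access list above when it is applied outbound, including the rule that explains both labs: the router never runs an outbound ACL against packets it originates itself (such as echo-replies from its own Loopback0), only against transit packets. The R2 address 10.1.12.2 is a constructed placeholder.

```python
import ipaddress

# The LOOP access list from the lab, as (seq, action, proto, src, dst, icmp-type).
LOOP_ACL = [
    (10, "deny",   "icmp", "1.1.0.0 0.0.255.255", "any", "echo-reply"),
    (20, "permit", "ip",   "any",                 "any", None),
]

def wildcard_match(addr, spec):
    """IOS address match: 'any', 'host A', or 'A WILDCARD' (1 bits = don't care)."""
    if spec == "any":
        return True
    parts = spec.split()
    a = int(ipaddress.IPv4Address(addr))
    if parts[0] == "host":
        return a == int(ipaddress.IPv4Address(parts[1]))
    net = int(ipaddress.IPv4Address(parts[0]))
    wild = int(ipaddress.IPv4Address(parts[1]))
    return (a & ~wild) == (net & ~wild)   # compare only the bits the wildcard cares about

def acl_action(acl, pkt):
    """First-match evaluation; returns (seq, action); implicit deny if nothing matches."""
    for seq, action, proto, src, dst, itype in acl:
        if proto != "ip" and proto != pkt["proto"]:
            continue
        if itype is not None and itype != pkt.get("icmp_type"):
            continue
        if wildcard_match(pkt["src"], src) and wildcard_match(pkt["dst"], dst):
            return seq, action
    return None, "deny"

def outbound_acl(acl, pkt, router_originated):
    """Outbound ACL as IOS applies it: the router's own packets are not filtered.
    Returns ("forwarded"|"dropped", matching seq or None)."""
    if router_originated:
        return "forwarded", None
    seq, action = acl_action(acl, pkt)
    return ("forwarded" if action == "permit" else "dropped"), seq

if __name__ == "__main__":
    r2 = "10.1.12.2"   # constructed address for R2
    # Reply from R1's own Loop0 leaving fa0/0: not subject to the outbound ACL.
    print(outbound_acl(LOOP_ACL, {"src": "1.1.1.1", "dst": r2, "proto": "icmp",
                                  "icmp_type": "echo-reply"}, router_originated=True))
    # Reply from R3's Loop0 transiting R1: hits line 10 (the 10 matches in the lab).
    print(outbound_acl(LOOP_ACL, {"src": "1.1.3.1", "dst": r2, "proto": "icmp",
                                  "icmp_type": "echo-reply"}, router_originated=False))
```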
On Mon, Oct 1, 2012 at 9:44 AM, Joseph L. Brunner
<joe_at_affirmedsystems.com>wrote:
> This is an often overlooked feature - ip unreachables! So even though the
> router will block your pings from being sent when leaving g0/14 - it's
> giving you a little hint to STOP SENDING THEM!
>
> On the loopback interface -
>
> int loop0
> !
> no ip unreachables
> !
>
> I suggest you read this useful link on securing IOS routers -
>
>
> http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080120f48.shtml
>
> and this timeless whitepaper - which is a great use of our tax money :0)
>
> http://www.nsa.gov/ia/_files/routers/C4-040R-02.pdf
>
>
> :)
>
>
> -----Original Message-----
> From: nobody_at_groupstudy.com [mailto:nobody_at_groupstudy.com] On Behalf Of
> muhammad adnan
> Sent: Monday, October 01, 2012 5:29 AM
> To: Cisco certification
> Subject: any icmp access-list mistake....
>
> Dear all group members:-
>
> I am doing a small test. I want to block all pings from my PC attached at
> gi0/14 to 192.168.x.0 255.255.255.0
>
> When I applied the access-list stated below, ping replies are blocked from all
> addresses in 192.168.x.0 255.255.255.0 but not from 192.168.x.1. 192.168.x.1 is
> directly connected to my switch but the rest of the loopback addresses are 1 hop
> away.
>
>
> I already cleared the CEF and ARP caches.
>
>
> and I am unable to find a stupid mistake or any reason why 192.168.x.1
> gives me an echo reply
>
> any idea....
>
> interface Loopback0
> ip address 192.168.x.1 255.255.255.255
>
> interface GigabitEthernet0/14
> description ......
> no switchport
> ip address x.x.x.x 255.255.255.252
> ip access-group loop-back out
>
> ip access-list extended loop-back
> deny icmp host 192.168.x.1 any echo-reply
> deny icmp 192.168.x.0 0.0.0.255 any echo-reply
> permit ip any any
>
>
> Blogs and organic groups at http://www.ccie.net
>
> _______________________________________________________________________
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html
-- @ccie99999

Blogs and organic groups at http://www.ccie.net

Received on Mon Oct 01 2012 - 12:25:05 ART
This archive was generated by hypermail 2.2.0 : Thu Nov 01 2012 - 10:53:33 ART