Velocity Reviews - Computer Hardware Reviews
Denied ping response from an ACL.

AM, 09-16-2005
The scenario is the following:

I've configured an 837 to act as a server for VPN clients. I would like clients to connect only to a specific resource on the LAN
behind the router. So I applied an ACL on the inside interface, outbound direction.

The net is 10.168.45.0/24 and the resource to reach is 10.168.45.1.

VPN clients get IP addresses from the pool 192.168.88.232-239.

Below you can find the ACL:

no access-list 104
access-list 104 permit ip 192.168.88.232 0.0.0.7 host 10.168.45.1
access-list 104 deny ip 192.168.88.232 0.0.0.7 10.168.45.0 0.0.0.255
access-list 104 permit ip any any

When the client pings 10.168.45.1 it receives an answer, but when it tries to ping 10.168.45.2 it receives an
answer from the router (the public interface) that the destination is unreachable.

Is that correct?

Alex
www.networking-forum.com, 09-16-2005
If you want traffic to reach 10.168.45.2, use this ACL:

no access-list 104
access-list 104 permit ip 192.168.88.232 0.0.0.7 host 10.168.45.1
access-list 104 permit ip 192.168.88.232 0.0.0.7 host 10.168.45.2
access-list 104 deny ip 192.168.88.232 0.0.0.7 10.168.45.0 0.0.0.255
access-list 104 permit ip any any

Regards,
Steve
www.networking-forum.com

AM, 09-17-2005
www.networking-forum.com wrote:
> If you want traffic to reach 10.168.45.2, use this ACL:
>
> no access-list 104
> access-list 104 permit ip 192.168.88.232 0.0.0.7 host 10.168.45.1
> access-list 104 permit ip 192.168.88.232 0.0.0.7 host 10.168.45.2
> access-list 104 deny ip 192.168.88.232 0.0.0.7 10.168.45.0 0.0.0.255
> access-list 104 permit ip any any


My question regarded the fact that the device pinging 10.168.45.2 was expected to
receive "Request timeout", not "Destination unreachable".

I think so. Am I wrong?

Alex
Barry Margolin, 09-17-2005
AM wrote:

> www.networking-forum.com wrote:
> > If you want traffic to reach 10.168.45.2, use this ACL:
> >
> > no access-list 104
> > access-list 104 permit ip 192.168.88.232 0.0.0.7 host 10.168.45.1
> > access-list 104 permit ip 192.168.88.232 0.0.0.7 host 10.168.45.2
> > access-list 104 deny ip 192.168.88.232 0.0.0.7 10.168.45.0 0.0.0.255
> > access-list 104 permit ip any any
>
> My question regarded the fact that the device pinging 10.168.45.2
> was expected to
> receive "Request timeout", not "Destination unreachable".
>
> I think so. Am I wrong?


When an ACL blocks something, it sends back an ICMP Destination
Unreachable - Administratively Prohibited message. If you want to
prevent this, configure "no ip unreachable" on the outside interface.

--
Barry Margolin, Arlington, MA
*** PLEASE post questions in newsgroups, not directly to me ***
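As an added example (not code from the thread or from Cisco), here is a small Python evaluator for the numbered extended ACL lines posted above: wildcard masks, first match wins, implicit deny at the end. It also models the observable difference Barry describes: with the IOS default `ip unreachables`, a packet the ACL denies is answered with ICMP Destination Unreachable, code 13 (administratively prohibited), whereas with `no ip unreachables` on the interface the drop is silent and the client only sees its echo request time out. The ACL text and addresses are the thread's; the function names and the string results are mine.

```python
# Added example, not code from the thread: evaluate Cisco-style extended ACL
# lines (wildcard masks, first match wins, implicit final deny) and what the client sees.
import ipaddress

ACL_104 = """
access-list 104 permit ip 192.168.88.232 0.0.0.7 host 10.168.45.1
access-list 104 deny ip 192.168.88.232 0.0.0.7 10.168.45.0 0.0.0.255
access-list 104 permit ip any any
"""  # the ACL as posted in the thread

def _parse_addr(tokens):
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD'; return
    ((address, bits_that_must_match), remaining tokens)."""
    if tokens[0] == "any":
        return (0, 0), tokens[1:]
    if tokens[0] == "host":
        return (int(ipaddress.IPv4Address(tokens[1])), 0xFFFFFFFF), tokens[2:]
    addr = int(ipaddress.IPv4Address(tokens[0]))
    wildcard = int(ipaddress.IPv4Address(tokens[1]))  # 1 bit = "don't care"
    return (addr, ~wildcard & 0xFFFFFFFF), tokens[2:]

def parse_acl(text):
    rules = []  # (action, protocol, src_spec, dst_spec) in configured order
    for line in text.strip().splitlines():
        t = line.split()
        if len(t) < 6 or t[0] != "access-list":  # ignores e.g. "no access-list 104"
            continue
        src, rest = _parse_addr(t[4:])
        dst, _ = _parse_addr(rest)
        rules.append((t[2], t[3], src, dst))
    return rules

def _matches(spec, ip):
    addr, mask = spec
    return (int(ipaddress.IPv4Address(ip)) & mask) == (addr & mask)

def evaluate(rules, src_ip, dst_ip):
    """First matching entry wins; an IOS ACL ends with an implicit deny."""
    for action, _proto, src, dst in rules:
        if _matches(src, src_ip) and _matches(dst, dst_ip):
            return action
    return "deny"

def client_sees(rules, src_ip, dst_ip, ip_unreachables=True):
    """'ip unreachables' (IOS default): a deny is answered with ICMP type 3 code 13
    (admin prohibited); 'no ip unreachables': silent drop, the echo request times out."""
    if evaluate(rules, src_ip, dst_ip) == "permit":
        return "forwarded"
    return "icmp 3/13 admin-prohibited" if ip_unreachables else "request timeout"
```

A VPN client at 192.168.88.233 is permitted to 10.168.45.1, denied to 10.168.45.2, and a source outside the pool falls through to `permit ip any any`; adding Steve's `host 10.168.45.2` entry before the deny turns the second case into a permit.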