Denied ping response from an ACL.

Discussion in 'Cisco' started by AM, Sep 16, 2005.

  1. AM

    AM Guest

    The scenario is the following:

    I've configured an 837 to act as a server for VPN clients. I would like the clients to connect only to a specific resource on the LAN
    behind the router, so I applied an ACL on the inside interface, outbound direction.

    The net is 10.168.45.0/24 and the resource to reach is 10.168.45.1.

    VPN clients get IP addresses from the pool 192.168.88.232-239.

    Below you can find the ACL:

    no access-list 104
    access-list 104 permit ip 192.168.88.232 0.0.0.7 host 10.168.45.1
    access-list 104 deny ip 192.168.88.232 0.0.0.7 10.168.45.0 0.0.0.255
    access-list 104 permit ip any any

    When the client pings 10.168.45.1 it receives an answer, but when it tries to ping 10.168.45.2 it receives an
    answer from the router (the public interface) saying that the destination is unreachable.

    Is that correct?

    Alex
    AM, Sep 16, 2005
    #1

  2. If you want traffic to reach 10.168.45.2, use this ACL:

    no access-list 104
    access-list 104 permit ip 192.168.88.232 0.0.0.7 host 10.168.45.1
    access-list 104 permit ip 192.168.88.232 0.0.0.7 host 10.168.45.2
    access-list 104 deny ip 192.168.88.232 0.0.0.7 10.168.45.0 0.0.0.255
    access-list 104 permit ip any any

    Regards,
    Steve
    www.networking-forum.com
    www.networking-forum.com, Sep 16, 2005
    #2

  3. AM

    AM Guest

    www.networking-forum.com wrote:
    > If you want traffic to reach 10.168.45.2, use this ACL:
    >
    > no access-list 104
    > access-list 104 permit ip 192.168.88.232 0.0.0.7 host 10.168.45.1
    > access-list 104 permit ip 192.168.88.232 0.0.0.7 host 10.168.45.2
    > access-list 104 deny ip 192.168.88.232 0.0.0.7 10.168.45.0 0.0.0.255
    > access-list 104 permit ip any any


    My question concerned the fact that the device pinging 10.168.45.2 was expected to
    receive "Request timeout", not "Destination unreachable".

    I think so. Am I wrong?

    Alex
    AM, Sep 17, 2005
    #3
  4. In article <7wJWe.3261$>, AM <> wrote:

    > www.networking-forum.com wrote:
    > > If you want traffic to reach 10.168.45.2, use this ACL:
    > >
    > > no access-list 104
    > > access-list 104 permit ip 192.168.88.232 0.0.0.7 host 10.168.45.1
    > > access-list 104 permit ip 192.168.88.232 0.0.0.7 host 10.168.45.2
    > > access-list 104 deny ip 192.168.88.232 0.0.0.7 10.168.45.0 0.0.0.255
    > > access-list 104 permit ip any any

    >
    > My questions regarded the fact that the device doing ping towards 10.168.45.2
    > was expected to
    > receive "Request timeout" not "Destination unreachable"
    >
    > I think so. Am I wrong?


    When an ACL blocks something, it sends back an ICMP Destination
    Unreachable - Administratively Prohibited message. If you want to
    prevent this, configure "no ip unreachable" on the outside interface.

    --
    Barry Margolin,
    Arlington, MA
    *** PLEASE post questions in newsgroups, not directly to me ***
    Barry Margolin, Sep 17, 2005
    #4
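As an added illustration (not code from the thread), the Python model below walks access-list 104 top down the way IOS does, using Cisco wildcard-mask matching and the implicit deny at the end of every ACL, and then reports which answer the pinging host sees. The `ping_result` function and its `ip_unreachables` flag are assumptions that stand in for the router's behaviour; the IOS interface command that suppresses the ICMP message is `no ip unreachables`.

```python
import ipaddress
from dataclasses import dataclass

# Constructed copy of the original poster's ACL (the "no access-list" line is skipped by the parser).
OP_ACL = """
no access-list 104
access-list 104 permit ip 192.168.88.232 0.0.0.7 host 10.168.45.1
access-list 104 deny ip 192.168.88.232 0.0.0.7 10.168.45.0 0.0.0.255
access-list 104 permit ip any any
"""

@dataclass
class AclEntry:
    action: str    # "permit" or "deny"
    src: str       # source base address
    src_wc: str    # source wildcard mask
    dst: str       # destination base address
    dst_wc: str    # destination wildcard mask

def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Cisco wildcard semantics: a 0 bit in the mask must match, a 1 bit is don't-care."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (b & care)

def _take_spec(tokens, i):
    """Consume one address spec: 'any', 'host X', or 'X WILDCARD'."""
    if tokens[i] == "any":
        return "0.0.0.0", "255.255.255.255", i + 1
    if tokens[i] == "host":
        return tokens[i + 1], "0.0.0.0", i + 2
    return tokens[i], tokens[i + 1], i + 2

def parse_acl(text: str):
    entries = []
    for line in text.strip().splitlines():
        t = line.split()
        if len(t) < 4 or t[0] != "access-list" or t[2] not in ("permit", "deny"):
            continue
        src, src_wc, i = _take_spec(t, 4)   # t[3] is the protocol ("ip")
        dst, dst_wc, _ = _take_spec(t, i)
        entries.append(AclEntry(t[2], src, src_wc, dst, dst_wc))
    return entries

def evaluate(entries, src: str, dst: str) -> str:
    """First matching entry wins; an ACL that matches nothing ends in an implicit deny."""
    for e in entries:
        if wildcard_match(src, e.src, e.src_wc) and wildcard_match(dst, e.dst, e.dst_wc):
            return e.action
    return "deny"

def ping_result(entries, src: str, dst: str, ip_unreachables: bool = True) -> str:
    """Hypothetical view from the pinging host: reply, ICMP type 3 code 13, or silence."""
    if evaluate(entries, src, dst) == "permit":
        return "echo-reply"
    return "icmp-admin-prohibited" if ip_unreachables else "request-timeout"
```

With the OP's pool address 192.168.88.233, 10.168.45.1 is permitted by the first entry while 10.168.45.2 falls through to the deny and yields the administratively-prohibited message; only with unreachables suppressed does the host see a plain timeout.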
