Sailing_Nut
join:2006-11-07 Annapolis, MD
[Config] Silly problem with ping on 851
I'm unable to ping my router from the Internet, but I thought I had the icmp echo-reply enabled in my ACL for FA4 (my WAN port).
Here is my FA4 config
and here is my ACL 107 that is applied to FA4
What am I missing? (Keep in mind that a good portion of the ACL is a mystery to me)
aryoba Premium,MVM join:2002-08-22
edit: July 8th, @03:43PM
Try to implement the following ACL 107 instead ...
access-list 107 remark auto generated by SDM firewall configuration
access-list 107 remark SDM_ACL Category=1
access-list 107 deny ip 10.0.0.0 0.255.255.255 any
access-list 107 deny ip 172.16.0.0 0.15.255.255 any
access-list 107 deny ip 192.168.0.0 0.0.255.255 any
access-list 107 deny ip 127.0.0.0 0.255.255.255 any
access-list 107 deny ip host 255.255.255.255 any
access-list 107 permit tcp any any eq 27000
access-list 107 permit tcp any any range ftp-data ftp
access-list 107 permit udp any eq bootps any eq bootpc
access-list 107 permit icmp any any echo
access-list 107 permit icmp any any echo-reply
access-list 107 permit icmp any any time-exceeded
access-list 107 permit icmp any any unreachable
access-list 107 deny ip any any log
Sailing_Nut
join:2006-11-07 Annapolis, MD
I re-did my ACL as you suggested, but I'm still not answering ping requests. :-(
Any more thoughts?
aryoba Premium,MVM join:2002-08-22
edit: July 8th, @04:53PM
What does the ACL look like now? Does it look exactly the same as I suggested, line by line?
Another possibility is that you are either pinging the wrong IP address, the router has a different IP address now, or the router is down.
Sailing_Nut
join:2006-11-07 Annapolis, MD
Here is the new ACL. As far as I can tell it's exactly as you had it, but I may not be able to read! ;-)
I verified that the router is not ping-able using the line quality test from this site.
The router isn't down because I'm using it to access the Internet to write this reply.
Gordon Brown
@co.uk
Check line 11 of the acl 107.
Aryoba's has permit icmp any any echo.
You have deny icmp any any echo.
Enter the command "sh ip access-lists 107" and you'll see hits against each line in the acl. As the acl is now with the deny icmp statement, you should see hits when you try to ping the router from the Internet and don't get a reply.
After changing the deny to permit you should get a reply and see hits against line 11 in the acl.
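Gordon's point, that IOS walks an ACL top-down and stops at the first matching line, can be checked offline. The following is an added example (not code from the thread or from Cisco): a small Python simulator for the ACL 107 posted above, fed a constructed echo request from a public address. `ping_from_internet`, the addresses 203.0.113.5 and 198.51.100.7, and the `_net`/`_rule`/`evaluate` helpers are assumptions of this example; port qualifiers on the tcp/udp lines are parsed but not enforced, so only ICMP/IP traffic is judged correctly.

```python
import ipaddress
# Constructed: aryoba's ACL 107 with line 11 typed "deny", as Sailing_Nut had it.
ACL_107 = """\
access-list 107 remark auto generated by SDM firewall configuration
access-list 107 remark SDM_ACL Category=1
access-list 107 deny ip 10.0.0.0 0.255.255.255 any
access-list 107 deny ip 172.16.0.0 0.15.255.255 any
access-list 107 deny ip 192.168.0.0 0.0.255.255 any
access-list 107 deny ip 127.0.0.0 0.255.255.255 any
access-list 107 deny ip host 255.255.255.255 any
access-list 107 permit tcp any any eq 27000
access-list 107 permit tcp any any range ftp-data ftp
access-list 107 permit udp any eq bootps any eq bootpc
access-list 107 deny icmp any any echo
access-list 107 permit icmp any any echo-reply
access-list 107 permit icmp any any time-exceeded
access-list 107 permit icmp any any unreachable
access-list 107 deny ip any any log"""
FIXED_107 = ACL_107.replace("deny icmp any any echo\n", "permit icmp any any echo\n")
def _net(t, i):
    # 'any' | 'host A' | 'A WILDCARD' (ipaddress reads a Cisco wildcard as a host mask)
    spec = "0.0.0.0/0" if t[i] == "any" else t[i + 1] if t[i] == "host" else f"{t[i]}/{t[i + 1]}"
    i += 1 if t[i] == "any" else 2
    if i < len(t) and t[i] in ("eq", "range"):  # port qualifiers are skipped, not enforced:
        i += 2 if t[i] == "eq" else 3           # only ICMP/IP traffic is modelled here
    return ipaddress.ip_network(spec, strict=False), i

def _rule(t):
    # One line minus "access-list 107" -> (action, proto, src, dst, icmp_type)
    if t[0] == "remark":  # matches nothing, but IOS still gives it a line number
        return "remark", None, None, None, None
    src, i = _net(t, 2)
    dst, i = _net(t, i)
    icmp = t[i] if t[1] == "icmp" and i < len(t) and t[i] != "log" else None
    return t[0], t[1], src, dst, icmp

def evaluate(acl_text, pkt):
    # Top-down, first match wins, as IOS does; returns (action, matched line number)
    rules = [_rule(line.split()[2:]) for line in acl_text.splitlines()]
    src_ip, dst_ip = map(ipaddress.ip_address, (pkt["src"], pkt["dst"]))
    for n, (action, proto, src, dst, icmp) in enumerate(rules, 1):
        if proto in ("ip", pkt["proto"]) and src_ip in src and dst_ip in dst \
                and (icmp is None or icmp == pkt.get("icmp_type")):
            return action, n
    return "deny", None  # the implicit deny at the end of every IOS ACL

def ping_from_internet(acl_text):
    # An echo request from a public host to the router's WAN address (both constructed)
    return evaluate(acl_text, {"proto": "icmp", "icmp_type": "echo",
                               "src": "203.0.113.5", "dst": "198.51.100.7"})
```

With line 11 left as deny the echo request matches line 11 and is dropped, which is where "sh ip access-lists 107" would show the hits; after the change to permit the same request is accepted on line 11, while an echo request arriving with a 10.x source still dies on the bogon deny at line 3.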
Sailing_Nut
join:2006-11-07 Annapolis, MD
Oops!
Told you all I couldn't read!
Thanks for catching my stupid mistake.
Sailing_Nut
join:2006-11-07 Annapolis, MD
That fixed it.
Amazing how a little change like deny to permit can change things!
Serves me right for using SDM and not looking at the default for the action.
GordonBrown
@co.uk
No problems. Sometimes it just needs another pair of eyes to spot the silly mistake. Especially if you've been staring at a config for a while and can't see the forest for the trees.
aryoba Premium,MVM join:2002-08-22
I too have the same problem reviewing ACLs, especially a complex one with various applications. Sometimes it takes me days to review them properly to ensure I don't miss anything.
Anyway, it is good to hear that the problem was fixed.