Denied ping response from an ACL.

The scenario is the following:

I've configured an 837 to act as a server for VPN clients. I would like the clients to connect only to a specific resource on the LAN behind the router, so I applied an ACL on the inside interface, outbound direction.

The net is 10.168.45.0/24 and the resource to reach is 10.168.45.1.

VPN clients get IP addresses from the pool 192.168.88.232-239.

Below you can find the ACL:

no access-list 104
access-list 104 permit ip 192.168.88.232 0.0.0.7 host 10.168.45.1
access-list 104 deny ip 192.168.88.232 0.0.0.7 10.168.45.0 0.0.0.255
access-list 104 permit ip any any

When the client pings 10.168.45.1 it receives an answer, but when it tries to ping 10.168.45.2 it receives an answer from the router (the public interface) saying that the destination is unreachable.

Is that correct?

Alex


If you want traffic to reach 10.168.45.2, use this ACL:

no access-list 104
access-list 104 permit ip 192.168.88.232 0.0.0.7 host 10.168.45.1
access-list 104 permit ip 192.168.88.232 0.0.0.7 host 10.168.45.2
access-list 104 deny ip 192.168.88.232 0.0.0.7 10.168.45.0 0.0.0.255
access-list 104 permit ip any any

Regards, Steve

www.networking-forum.com

My question regarded the fact that the device pinging 10.168.45.2 was expected to receive "Request timeout", not "Destination unreachable".

I think so. Am I wrong?

Alex


When an ACL blocks something, the router sends back an ICMP Destination Unreachable - Administratively Prohibited message. If you want to prevent this, configure "no ip unreachables" on the outside interface.

Barry Margolin
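The following is an added example and not code from anyone in the thread: a small Python model of Cisco first-match ACL evaluation with wildcard masks, run over access-list 104 as posted above, plus a mapping of the verdict onto what the pinging client observes with and without "ip unreachables" on the receiving interface. It assumes the standard ICMP type 3 / code 13 value for "administratively prohibited", parses only the "access-list N permit|deny ip SRC DST" form used in the thread, and the function names are my own.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple

# ICMP Destination Unreachable (type 3) code a router uses when an ACL denies
# the packet. Assumption: standard code value 13, "communication
# administratively prohibited".
ICMP_UNREACH_ADMIN_PROHIBITED = 13


@dataclass
class Ace:
    """One access-control entry: action plus source/destination with wildcard."""
    action: str      # "permit" or "deny"
    src: str         # base address, or "any"
    src_wild: str    # Cisco wildcard mask (inverted netmask); set bits are don't-care
    dst: str
    dst_wild: str


def _parse_addr(tok: List[str], i: int) -> Tuple[str, str, int]:
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D W.X.Y.Z' starting at tok[i]."""
    if tok[i] == "any":
        return "any", "255.255.255.255", i + 1
    if tok[i] == "host":
        return tok[i + 1], "0.0.0.0", i + 2      # host == wildcard 0.0.0.0
    return tok[i], tok[i + 1], i + 2


def parse_ace(line: str) -> Ace:
    """Parse 'access-list N permit|deny ip SRC DST' (the subset used above)."""
    tok = line.split()
    if tok[0] != "access-list" or tok[3] != "ip":
        raise ValueError(f"unsupported ACE: {line}")
    src, src_wild, i = _parse_addr(tok, 4)
    dst, dst_wild, _ = _parse_addr(tok, i)
    return Ace(tok[2], src, src_wild, dst, dst_wild)


def _matches(addr: str, base: str, wildcard: str) -> bool:
    """Cisco wildcard match: compare only the bits that are 0 in the wildcard."""
    if base == "any":
        return True
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (b & care)


def evaluate(acl: List[Ace], src: str, dst: str) -> str:
    """First matching entry wins; an ACL ends with an implicit 'deny ip any any'."""
    for ace in acl:
        if _matches(src, ace.src, ace.src_wild) and _matches(dst, ace.dst, ace.dst_wild):
            return ace.action
    return "deny"


def client_sees(verdict: str, ip_unreachables: bool) -> str:
    """What a pinging client observes for a given ACL verdict on the router."""
    if verdict == "permit":
        return "echo reply (if the host answers)"
    if ip_unreachables:
        return (f"ICMP type 3 code {ICMP_UNREACH_ADMIN_PROHIBITED} "
                "(administratively prohibited) from the router")
    return "request timeout (silent drop)"


# The ACL from the first post, transcribed as constructed sample input.
ACL_104 = [parse_ace(l) for l in """
access-list 104 permit ip 192.168.88.232 0.0.0.7 host 10.168.45.1
access-list 104 deny ip 192.168.88.232 0.0.0.7 10.168.45.0 0.0.0.255
access-list 104 permit ip any any
""".strip().splitlines()]


if __name__ == "__main__":
    client = "192.168.88.233"                  # inside the .232-.239 pool
    for dst in ("10.168.45.1", "10.168.45.2"):
        v = evaluate(ACL_104, client, dst)
        print(f"{client} -> {dst}: {v}; client sees: {client_sees(v, True)}")
    # A source outside the pool is not covered by the first two lines and
    # falls through to 'permit ip any any'.
    print(evaluate(ACL_104, "192.168.88.240", "10.168.45.2"))
```

The wildcard 0.0.0.7 on 192.168.88.232 covers exactly the eight pool addresses .232-.239, so pool clients reach only .1 and are denied for the rest of 10.168.45.0/24, while anything else (other sources, or pool clients going off-subnet) falls through to the final permit. Whether the denied client sees the administratively-prohibited unreachable or just a timeout is decided by the "ip unreachables" setting, not by the ACL itself.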

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.