ACL question, allow ICMP from my ISP 2


hinesjrh (MIS), Jan 4, 2005
My ISP wants me to allow pings (ICMP) from their side to my router so they can notify me if my router or the circuit goes down. I guess it's been a long week and I can't think what I need my statement(s) to look like. On my router I have ACL 100 applied to outbound traffic on my serial interface and ACL 104 applied to inbound traffic. What statement(s) do I need to add to allow pings from my ISP's address 204.132.7.252/30?
 
router>en
router#sh access-list

Post this. I cannot give you exact commands without seeing what order things are in within the ACL.

Burt
 
Actually, ACLs in Cisco routers start at 10, so you can do this...

router#conf t
router(config)#ip access-list extended 104
router(config-ext-nacl)#5 permit icmp 204.132.7.252 0.0.0.3 (ip address of outgoing interface) echo
repeat this with 6, 7 and 8 with echo-reply, destination unreachable, and unreachable. Note there is no "eq" before the icmp type.

Burt
 
Extended IP access list 100
10 permit udp any any eq 2344 (51008 matches)
20 permit udp any any eq 16962 (1918 matches)
30 permit udp any any eq 47808
40 deny udp any any eq 8998
50 deny udp any any eq tftp
60 permit tcp host 10.1.0.150 any eq 135 (1306389 matches)
70 permit tcp host 10.1.0.127 any eq 135
80 permit tcp host 10.1.0.152 any eq 135
90 permit tcp host 10.1.0.154 any eq 135
100 permit tcp host 10.253.0.126 any eq 135
110 permit tcp host 10.1.0.66 any eq 135
120 permit tcp host 10.1.0.65 any eq 135
130 permit tcp host 10.1.0.156 any eq 135
140 permit tcp host 10.1.0.134 any eq 135
150 permit tcp 10.0.0.16 0.255.0.0 any eq 135
160 permit tcp host 10.1.0.120 any eq 135 (7552266 matches)
170 deny tcp any any eq 135 (162627 matches)
180 permit icmp host 10.1.0.3 any (254 matches)
190 permit icmp host 205.171.3.169 any
200 permit icmp host 65.119.164.133 any
210 permit icmp host 10.1.0.134 any
220 permit icmp host 10.253.0.126 any
230 permit icmp host 10.1.0.150 any (85323 matches)
240 permit icmp host 10.1.0.152 any (3182 matches)
250 permit icmp host 10.1.0.154 any (967 matches)
260 permit icmp host 10.1.0.66 any
270 permit icmp host 10.1.0.65 any (105588 matches)
280 permit icmp 10.0.0.16 0.255.0.0 any
290 permit icmp 10.0.0.17 0.255.0.0 any
300 permit icmp 10.0.0.18 0.255.0.0 any
310 permit icmp 10.0.0.19 0.255.0.0 any
320 permit icmp 10.0.0.20 0.255.0.0 any
330 permit ip any any (1781554574 matches)

Extended IP access list 104
10 permit udp any any eq 2344 (24996 matches)
20 permit udp any any eq 16962 (13845 matches)
30 permit udp any any eq 47808 (1 match)
40 deny udp any any eq 8998
50 deny udp any any eq tftp (2113318 matches)
60 permit tcp any host 10.1.0.150 eq 135 (1130452 matches)
70 permit tcp any host 10.1.0.152 eq 135 (480595 matches)
80 permit tcp any host 10.1.0.154 eq 135 (425573 matches)
90 permit tcp any host 10.253.0.126 eq 135
100 permit tcp any host 10.1.0.66 eq 135
110 permit tcp any host 10.1.0.65 eq 135 (4640 matches)
120 permit tcp any host 10.1.0.92 eq 135 (171369 matches)
130 permit tcp any host 10.1.0.156 eq 135
140 permit tcp any host 10.1.0.134 eq 135
150 permit tcp any 10.0.0.16 0.255.0.0 eq 135 (20777 matches)
160 permit tcp any host 10.1.0.120 eq 135
170 deny tcp any any eq 135 (7 matches)
180 permit icmp any host 10.1.0.134 (17 matches)
190 permit icmp any host 10.253.0.126
200 permit icmp any host 10.1.0.150 (86367 matches)
210 permit icmp any host 10.1.0.152 (3799 matches)
220 permit icmp any host 10.1.0.154 (1053 matches)
230 permit icmp any host 10.1.0.66
240 permit icmp any host 10.1.0.65 (105418 matches)
250 permit icmp any 10.0.0.16 0.255.0.0 (53005 matches)
260 permit icmp any 10.0.0.17 0.255.0.0
270 permit icmp any 10.0.0.18 0.255.0.0 (40210 matches)
280 permit icmp any 10.0.0.19 0.255.0.0
290 permit icmp any 10.0.0.20 0.255.0.0
300 permit icmp 0.0.0.0 255.255.255.252 0.0.0.2 255.255.255.252 echo (171 matches)
310 permit icmp 0.0.0.0 255.255.255.252 0.0.0.2 255.255.255.252 echo-reply (27608 matches)
320 permit icmp 0.0.0.0 255.255.255.252 0.0.0.2 255.255.255.252 time-exceeded
330 deny udp any any eq 995
340 deny udp any any eq 996
350 deny udp any any eq 997
360 deny udp any any eq 998
370 deny udp any any eq 999
380 permit ip any any (1442716570 matches)
 
Yes, after I posted my ACLs I did find that in my IOS 12.4(7c) "destination unreachable" was not an option. It seems that "unreachable" covers all unreachables, from what the "?" description provides.

Thanks for your help, I have my modified ACL in place and will test with my ISP some night soon.
 
I am a bit confused by what I am seeing as I now check the status of my new ACL entries (see below). Although I am getting hits on the 204.132.7.252 0.0.0.3 entry I made, I am confused by how the whole statement(s) read [different from what I actually entered]. Where did the 0.0.0.2 come from?

300 permit icmp 204.132.7.252 0.0.0.3 0.0.0.2 255.255.255.252 echo (90 matches)
310 permit icmp 204.132.7.252 0.0.0.3 0.0.0.2 255.255.255.252 echo-reply
320 permit icmp 204.132.7.252 0.0.0.3 0.0.0.2 255.255.255.252 unreachable

What I had entered was:

access-list 104 permit icmp 204.132.7.252 0.0.0.3 65.119.164.134 255.255.255.252 echo
access-list 104 permit icmp 204.132.7.252 0.0.0.3 65.119.164.134 255.255.255.252 echo-reply
access-list 104 permit icmp 204.132.7.252 0.0.0.3 65.119.164.134 255.255.255.252 unreachable
 
You are using subnet masks as opposed to wildcard masks:
Code:
access-list 104 permit icmp 204.132.7.252 0.0.0.3 65.119.164.134 255.255.255.252 echo
access-list 104 permit icmp 204.132.7.252 0.0.0.3 65.119.164.134 255.255.255.252 echo-reply
access-list 104 permit icmp 204.132.7.252 0.0.0.3 65.119.164.134 255.255.255.252 unreachable
should be
Code:
300 permit icmp 204.132.7.252 0.0.0.3 host 65.119.164.134 echo
310 permit icmp 204.132.7.252 0.0.0.3 host 65.119.164.134 echo-reply
320 permit icmp 204.132.7.252 0.0.0.3 host 65.119.164.134 unreachable
or it could also be written as:
Code:
300 permit icmp 204.132.7.252 0.0.0.3 65.119.164.134 0.0.0.0 echo
310 permit icmp 204.132.7.252 0.0.0.3 65.119.164.134 0.0.0.0 echo-reply
320 permit icmp 204.132.7.252 0.0.0.3 65.119.164.134 0.0.0.0 unreachable
but I believe in your config the above would show up as a host entry as opposed to including the 0.0.0.0 wildcard mask.

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)
 
Uncle---you mean instead of

access-list 104 permit icmp 204.132.7.252 0.0.0.3 65.119.164.134 255.255.255.252 echo

it should be

access-list 104 permit icmp 204.132.7.252 0.0.0.3 65.119.164.134 0.0.0.3 echo

and so on for the rest. They are 29-bit masks, not host masks...

Burt
 
.134 is a host address, .132 would be the network so actually as you have it the ACL would be:
Code:
access-list 104 permit icmp 204.132.7.252 0.0.0.3 65.119.164.132 0.0.0.3 echo

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)
 
and /30 not /29 :)

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)
 
s'ok big dog, you're still da man ;-)

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)
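The posts above turn on one piece of arithmetic: IOS treats the second address of an ACE as a wildcard mask (1 bits are "don't care"), not a subnet mask, and it clears every don't-care bit before storing the entry. The script below is an added example, not code from the thread, that reproduces that arithmetic in Python: it normalizes an entry the way `show access-list` displays it (which is where the `0.0.0.2` came from), tests whether a packet address matches an entry, derives the /30 network and wildcard from a host address, and renders the corrected lines in both the `host` form and the network form. It takes `204.132.7.252 0.0.0.3` from the original post and assumes, from the entries the poster typed, that `65.119.164.134` is the router's serial interface address.

```python
"""Cisco IOS wildcard-mask arithmetic, reproduced in Python (added example, not from the thread)."""
import ipaddress
from typing import List, Tuple

ALL_ONES = 0xFFFFFFFF

# From the original post: the ISP's /30 as written by the poster.
ISP_SIDE = ("204.132.7.252", "0.0.0.3")
# Assumption: the poster's serial-interface (WAN) address, taken from the entries they typed.
ROUTER_WAN = "65.119.164.134"


def _to_int(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))


def _to_str(value: int) -> str:
    return str(ipaddress.IPv4Address(value & ALL_ONES))


def subnet_to_wildcard(mask: str) -> str:
    """A wildcard mask is the bitwise inverse of a subnet mask: 255.255.255.252 (/30) -> 0.0.0.3."""
    return _to_str(_to_int(mask) ^ ALL_ONES)


def normalize(addr: str, wildcard: str) -> Tuple[str, str]:
    """What IOS stores for 'addr wildcard'. Every address bit under a 1 in the wildcard is a
    don't-care, so IOS clears it. With wildcard 255.255.255.252 only the low two bits of the
    last octet survive: .134 = 0b10000110 -> 0b10 = 2, hence 0.0.0.2 255.255.255.252."""
    a, w = _to_int(addr), _to_int(wildcard)
    return _to_str(a & ~w), wildcard


def acl_matches(addr: str, wildcard: str, packet_addr: str) -> bool:
    """An ACE matches when the packet agrees with the entry on every bit that is 0 in the wildcard."""
    a, w, p = _to_int(addr), _to_int(wildcard), _to_int(packet_addr)
    return (a & ~w) == (p & ~w)


def network_entry(addr: str, prefix_len: int) -> Tuple[str, str]:
    """Network address and wildcard covering the prefix 'addr' belongs to (65.119.164.134/30 -> .132 0.0.0.3)."""
    net = ipaddress.IPv4Network(f"{addr}/{prefix_len}", strict=False)
    return str(net.network_address), str(net.hostmask)


def render(seq: int, src: Tuple[str, str], dst: Tuple[str, str], icmp_type: str) -> str:
    """Format an ICMP ACE the way 'show access-list' does: 'host X' for wildcard 0.0.0.0,
    'any' for wildcard 255.255.255.255, otherwise the normalized 'address wildcard' pair."""
    def fmt(pair: Tuple[str, str]) -> str:
        a, w = normalize(*pair)
        if w == "0.0.0.0":
            return f"host {a}"
        if w == "255.255.255.255":
            return "any"
        return f"{a} {w}"
    return f"{seq} permit icmp {fmt(src)} {fmt(dst)} {icmp_type}"


def as_typed() -> List[str]:
    """The entries as the poster typed them (subnet mask where a wildcard belongs), as IOS shows them back."""
    return [render(300 + 10 * i, ISP_SIDE, (ROUTER_WAN, "255.255.255.252"), t)
            for i, t in enumerate(("echo", "echo-reply", "unreachable"))]


def corrected_acl() -> List[str]:
    """The same three entries with the mask fixed: host form, then the equivalent /30 network form."""
    host_form = [render(300 + 10 * i, ISP_SIDE, (ROUTER_WAN, "0.0.0.0"), t)
                 for i, t in enumerate(("echo", "echo-reply", "unreachable"))]
    net_form = render(300, ISP_SIDE, network_entry(ROUTER_WAN, 30), "echo")
    return host_form + [net_form]


if __name__ == "__main__":
    print("As typed, after IOS normalizes it:")
    for line in as_typed():
        print(" ", line)
    # The buggy entry matches any destination whose address ends in binary ...10, not just the router.
    print("buggy entry matches 10.1.0.2:", acl_matches("0.0.0.2", "255.255.255.252", "10.1.0.2"))
    print("Corrected:")
    for line in corrected_acl():
        print(" ", line)
```

Running it shows the typed entry coming back exactly as the `300 permit icmp 204.132.7.252 0.0.0.3 0.0.0.2 255.255.255.252 echo` line the poster saw, and that this entry permits ICMP from the ISP's /30 to any destination whose last two address bits are `10`, which is why the hit counter climbed even though the entry was wrong.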
 
Hi,

I was practicing the following configs on the lab below. However, I am not sure how the ip nat outside source static x.x.x.x x.x.x.x works. I know that the ip nat inside source list 20 pool NAT-Pool overload command is used to NAT the sources which matched against ACL 20.

ip nat inside source list 20 pool NAT-Pool overload
ip nat outside source static 10.122.134.150 10.144.215.120
ip nat outside source static 123.233.45.142 10.144.215.121
ip nat outside source static 123.233.46.143 10.144.215.122

Can someone please explain this?

Thank You
 
You should start a new thread

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)
 