Hi Hans,

The echo reply is the answer packet to the echo request. So with the part
of configuration that you gave, the echo request goes 'out' of interface
e0. There is no outgoing access-list set, so the echo request will reach
its destination. The echo reply comes from 171.21.50.2 and goes back to
171.21.10.2. Although an incoming access list is set on e0, the packet
does not match line 2 of your access list because the source of the
echo reply is 171.21.50.2.

hth

Reinhold

On Sun, 13 May 2001, Hans Stout wrote:

> Hello colleagues,
> 
> I am trying to block all IP traffic from host A to host B except for ICMP 
> echo replies. This is the access list I have configured:
> 
> access-list 100 permit icmp host 171.21.10.2 host 171.21.50.2 echo log
> access-list 100 permit icmp host 171.21.10.2 host 171.21.50.2 echo-reply log
> access-list 100 deny ip host 171.21.10.2 host 171.21.50.2
> 
> I then apply this access list as inbound to Ethernet0:
> 
> Ethernet0
> ip address 171.21.50.1
> ip access-group 100 in
> 
> However, when I try to ping 171.21.50.2 from 171.21.10.2, I get no reply,
> and the access list logs matches under the deny entry. I wonder if I am
> missing something or might have the syntax wrong. Do you have any ideas?
> Thanks in advance for your help.
> 
> Regards,
> 
> Hans
> FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
> Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=4361&t=4321
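
The reply's walk-through as an added example (not part of the original thread, and not IOS code): a minimal first-match evaluator in Python for access-list 100 as posted, run against the echo request and the echo reply. The tuple layouts and function names are constructed for illustration, and it assumes no other ACL sits on the path, since only Ethernet0's configuration is shown.

```python
from collections import namedtuple

# Hypothetical, simplified view of a packet and of one extended ACL entry.
Packet = namedtuple("Packet", "proto src dst icmp_type")
Entry = namedtuple("Entry", "action proto src dst icmp_type")

# access-list 100 as posted in the thread (all entries are host-to-host).
ACL_100 = [
    Entry("permit", "icmp", "171.21.10.2", "171.21.50.2", "echo"),
    Entry("permit", "icmp", "171.21.10.2", "171.21.50.2", "echo-reply"),
    Entry("deny",   "ip",   "171.21.10.2", "171.21.50.2", None),
]

def entry_matches(entry, pkt):
    """True when protocol, source, destination and ICMP type all match."""
    if entry.proto != "ip" and entry.proto != pkt.proto:
        return False  # "ip" matches any IP protocol
    if entry.src != pkt.src or entry.dst != pkt.dst:
        return False
    return entry.icmp_type is None or entry.icmp_type == pkt.icmp_type

def evaluate(acl, pkt):
    """First matching entry wins; line None means the implicit deny."""
    for number, entry in enumerate(acl, start=1):
        if entry_matches(entry, pkt):
            return entry.action, number
    return "deny", None  # every ACL ends with an implicit deny

def forward(pkt, in_acl=None, out_acl=None):
    """Check the ingress interface's inbound ACL, then the egress outbound ACL."""
    for acl in (in_acl, out_acl):
        if acl is not None:
            action, line = evaluate(acl, pkt)
            if action == "deny":
                return "dropped", line
    return "forwarded", None

# Constructed packets for the ping described in the thread.
REQUEST = Packet("icmp", "171.21.10.2", "171.21.50.2", "echo")
REPLY = Packet("icmp", "171.21.50.2", "171.21.10.2", "echo-reply")

def ping_trace():
    """Request leaves via Ethernet0 (no outbound ACL); reply enters Ethernet0 (ACL 100 in)."""
    return [forward(REQUEST, out_acl=None), forward(REPLY, in_acl=ACL_100)]

if __name__ == "__main__":
    print(ping_trace())
```

The reply is dropped with line `None`: its source is 171.21.50.2, so none of the three entries match and the implicit deny applies.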