http://www.dslreports.com/forum/r20759000 en Wed, 11 Nov 2009 09:31:26 EDT Wed, 11 Nov 2009 09:31:26 EDT http://www.dslreports.com/forum/remark,20761574 aryoba : I too have the same problem reviewing ACL; especially a complex one with various applications. Sometime it takes me days to review them properly to ensure I don't miss anything :D

Anyway it is good to hear that the problem was fixed :)]]> http://www.dslreports.com/forum/remark,20761574 Tue, 08 Jul 2008 22:10:36 EDT http://www.dslreports.com/forum/remark,20760496 anon : No problems. Sometimes it just needs another pair of eyes to spot the silly mistake. Especially if you've staring at a config for a while and can't see the forest for the trees.]]> http://www.dslreports.com/forum/remark,20760496 Tue, 08 Jul 2008 18:28:05 EDT http://www.dslreports.com/forum/remark,20760424 Sailing_Nut : That fixed it.

Amazing how a little change like deny to permit can change things!

Serves me right for using SDM and not looking a the default for the action.]]> http://www.dslreports.com/forum/remark,20760424 Tue, 08 Jul 2008 18:15:22 EDT http://www.dslreports.com/forum/remark,20760413 Sailing_Nut : Oops!

Told you al I couldn't read!

Thanks for catching my stupid mistake.]]> http://www.dslreports.com/forum/remark,20760413 Tue, 08 Jul 2008 18:11:55 EDT http://www.dslreports.com/forum/remark,20760387 anon : Check line 11 of the acl 107.

Aryoba's has permit icmp any any echo.

You have deny icmp any any echo.

Enter the command "sh ip access-lists 107" and you'll see hits against each line in the acl. As the acl is now with the deny icmp statement you should see hits when you try to ping the router from the Internet and don't get a reply.

After changing the deny to permit you shoudl get a reply and see hits against line 11 in the acl]]> http://www.dslreports.com/forum/remark,20760387 Tue, 08 Jul 2008 18:06:40 EDT http://www.dslreports.com/forum/remark,20760060 Sailing_Nut : Here is the new ACL. As far as I can tell it's exactly as you had it, but I may not be able to read! ;-)

access-list 107 remark auto generated by SDM firewall configurationaccess-list 107 remark SDM_ACL Category=1access-list 107 deny ip 10.0.0.0 0.255.255.255 anyaccess-list 107 deny ip 172.16.0.0 0.15.255.255 anyaccess-list 107 deny ip 192.168.0.0 0.0.0.255 anyaccess-list 107 deny ip 127.0.0.0 0.255.255.255 anyaccess-list 107 deny ip host 255.255.255.255 anyaccess-list 107 permit tcp any any eq 27000access-list 107 permit tcp any any range ftp-data ftpaccess-list 107 permit udp any eq bootps any eq bootpcaccess-list 107 deny icmp any any echoaccess-list 107 permit icmp any any echo-replyaccess-list 107 permit icmp any any time-exceededaccess-list 107 permit icmp any any unreachableaccess-list 107 deny ip any any log
I verified that the router is not ping-able using the line quality test from this site.

The router isn't down because I'm using it to access the Internet to write this reply.
]]> http://www.dslreports.com/forum/remark,20760060 Tue, 08 Jul 2008 17:03:22 EDT http://www.dslreports.com/forum/remark,20759969 aryoba : How does the ACL look like now? Does it look exactly the same as I suggested line by line? :)

Another possibility is that you are either pinging the wrong IP address, the router has different IP address now, or the router is down :D]]> http://www.dslreports.com/forum/remark,20759969 Tue, 08 Jul 2008 16:48:56 EDT http://www.dslreports.com/forum/remark,20759917 Sailing_Nut : I re-did my ACL as you suggested, but I'm still not answering ping requests. :-(

Any more thoughts?]]> http://www.dslreports.com/forum/remark,20759917 Tue, 08 Jul 2008 16:39:02 EDT http://www.dslreports.com/forum/remark,20759575 aryoba : Try to implement the following ACL 107 instead ... :)

access-list 107 remark auto generated by SDM firewall configuration
access-list 107 remark SDM_ACL Category=1
access-list 107 deny ip 10.0.0.0 0.255.255.255 any
access-list 107 deny ip 172.16.0.0 0.15.255.255 any
access-list 107 deny ip 192.168.0.0 0.0.255.255 any
access-list 107 deny ip 127.0.0.0 0.255.255.255 any
access-list 107 deny ip host 255.255.255.255 any
access-list 107 permit tcp any any eq 27000
access-list 107 permit tcp any any range ftp-data ftp
access-list 107 permit udp any eq bootps any eq bootpc
access-list 107 permit icmp any any echo
access-list 107 permit icmp any any echo-reply
access-list 107 permit icmp any any time-exceeded
access-list 107 permit icmp any any unreachable
access-list 107 deny ip any any log]]> http://www.dslreports.com/forum/remark,20759575 Tue, 08 Jul 2008 15:42:54 EDT http://www.dslreports.com/forum/remark,20759000 Sailing_Nut : I'm unable to ping my router fm the Internet, but I thought I had the icmp echo-reply enabled in myACL for FA4 (my WAN port)

Here is my FA4 config

interface FastEthernet4 description Outside WAN$FW_OUTSIDE$ mac-address 0018.012f.0a95 ip ddns update hostname borland.no-ip.info ip ddns update myupdate ip address dhcp client-id FastEthernet4 ip access-group 107 in no ip redirects no ip unreachables no ip proxy-arp ip inspect SDM_LOW out ip nat outside ip virtual-reassembly ip route-cache flow duplex auto speed auto no cdp enable
and here is mt ACL 107 that is applied to FA4

access-list 107 remark auto generated by SDM firewall configurationaccess-list 107 remark SDM_ACL Category=1access-list 107 permit tcp any any eq 27000access-list 107 permit tcp any any eq ftpaccess-list 107 permit tcp any any eq ftp-dataaccess-list 107 deny ip 192.168.0.0 0.0.0.255 anyaccess-list 107 permit udp any eq bootps any eq bootpcaccess-list 107 permit icmp any any echo-replyaccess-list 107 permit icmp any any time-exceededaccess-list 107 permit icmp any any unreachableaccess-list 107 deny ip 10.0.0.0 0.255.255.255 anyaccess-list 107 deny ip 172.16.0.0 0.15.255.255 anyaccess-list 107 deny ip 192.168.0.0 0.0.255.255 anyaccess-list 107 deny ip 127.0.0.0 0.255.255.255 anyaccess-list 107 deny ip host 255.255.255.255 anyaccess-list 107 deny ip any any log
What am I missing? (Keep in mind that a good portion of the ACL is a mystery to me)
]]> http://www.dslreports.com/forum/remark,20759000 Tue, 08 Jul 2008 14:02:11 EDT