I have a question about Cisco ACLs.
If a router has an ACL which denies pings and replies, which stops any devices on the LAN from pinging the internet, but the router can still ping the internet, why is this the case?
Is this because the router isn't affected by ACLs, whereas the PCs are?
Thanks
Best Answer
I don't mean for this to be considered an answer, I just wanted to show the output of testing @OzNetNerd's answer.
I configured three routers:
Gave them each an IP and a Loopback interface. Configured an ACL to block ICMP traffic:
And applied it direction OUT on the interface facing R3:
I then ran three tests, pinging 3.3.3.3 from R2 natively, then sourced from interface L0, then sourced from interface fa0/0. All three were successful:
All the while the ACL hit count stayed at 0 (even the permit):
And all the while R1 was unable to ping R3:
R1's attempt did increase the ACL hit count:
(although why it did so by 15 when only 5 attempts were sent is curious, anyone have any ideas?)
I did the same test sourcing the ping from the IP 2.2.2.2 and 10.1.2.2 (the addresses on R2's L0 interface and the interface facing R1), and the results were the same. All this was on GNS3 running 12.4:
My testing confirms @OzNetNerd is correct: ACLs do not apply to traffic sourced from the router itself.
I did test applying an inbound ACL on R2's f0/1 (interface facing R3), and that did successfully block the return ICMP responses from R3. But the initial ICMP Echoes did indeed make it out to R3 (as expected). I confirmed this with debugs on R3.
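As an added illustration (not the configuration or output from the answer above), here is the ACL and placement the test describes, in Cisco IOS syntax; the addresses on the R2-R3 link, the interface descriptions and the ACL number are assumed:

```cisco
! Added example, not the answer's own captured config: an ACL that denies
! both ICMP echo and echo-reply, as in the question, applied on R2.
! 2.2.2.2 (R2 Lo0), 10.1.2.2 (R2 fa0/0 toward R1) and 3.3.3.3 (R3 Lo0)
! come from the answer; 10.2.3.0/24 between R2 and R3 is assumed.
!
! --- R2 ---
access-list 101 deny   icmp any any echo
access-list 101 deny   icmp any any echo-reply
access-list 101 permit ip any any
!
interface Loopback0
 ip address 2.2.2.2 255.255.255.255
!
interface FastEthernet0/0
 description toward R1
 ip address 10.1.2.2 255.255.255.0
!
interface FastEthernet0/1
 description toward R3
 ip address 10.2.3.2 255.255.255.0
 ! Outbound ACL: evaluated for transit traffic (R1 -> R3) only. Pings that
 ! R2 itself originates are never checked here, so all three succeed and
 ! the counters in "show ip access-lists 101" stay at 0:
 !   ping 3.3.3.3
 !   ping 3.3.3.3 source Loopback0
 !   ping 3.3.3.3 source FastEthernet0/0
 ip access-group 101 out
!
! To make R2's own pings fail, filter the replies on the way back in.
! The echo still leaves R2 (visible with "debug ip icmp" on R3), but the
! echo-reply is dropped by R2's inbound ACL, so the ping times out:
!   interface FastEthernet0/1
!    no ip access-group 101 out
!    ip access-group 101 in
!
! Verify which direction the ACL is applied in and what it is matching:
!   show ip interface FastEthernet0/1 | include access list
!   show ip access-lists 101
```

Note that the inbound variant also drops echo-replies destined for R1, so it is a broader filter than the outbound one, not a drop-in replacement.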