Cisco ACL query

I'm sure this is something very basic, but it has me a bit stumped
This is the config on my SGE2010 switch in Layer 3 mode :-
 
interface port-channel 1
description "VLAN1"
exit
vlan database
vlan 2
exit
interface range ethernet 1/g(13-18,37-42)
switchport access vlan 2
exit
interface vlan 2
name "VLAN"
exit
interface range ethernet 1/g(1,25)
channel-group 1 mode on
exit
interface vlan 1
ip address 192.168.0.26 255.255.255.0
exit
interface vlan 2
ip address 192.168.20.26 255.255.255.0
exit
ip access-list "Test 4"
permit-icmp any any echo-reply any
permit-tcp 192.168.20.50 0.0.0.0 443 192.168.0.6 0.0.0.0 443
exit
interface ethernet 1/g41
service-acl input "Test 4"
exit

The first rule in ACL 'Test 4' was "permit-icmp any any echo-reply any". Once this was bound to port 41, 192.168.0.6 and 192.168.20.50 could ping each other. Then I added the "permit-tcp 192.168.20.50 0.0.0.0 443 192.168.0.6 0.0.0.0 443" rule. After that rule was added, 192.168.0.6 can ping 192.168.20.50, but not the other way around. Can someone explain to me why that is, and what I need to change so that I can still ping in both directions?

Just in case it's relevant, I got the 'show running' above from the switch, but the rules were added using the switch's 'Security Suite' in the web console.
Michael986 asked:
greg ward (Systems Engineer) commented:
As far as I can see it should only allow ping one way.
The second rule is for tcp 443 and should not allow icmp.
You could add at the end
deny icmp any any log and see if it catches anything

Greg
greg ward (Systems Engineer) commented:
ip access-list "Test 4"
permit-icmp any any echo-reply any
permit-icmp any any echo

Greg
Marius Gunnerud (Senior Systems Engineer) commented:
The echo-reply only allows ICMP packets that are returning from a ping generated on the router/switch. Any ICMP packet originating from another device headed for the router/switch will be dropped. The way around this is as deepdraw has mentioned by adding the echo statement.
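As an added illustration (not code from this thread), here is a small first-match ACL evaluator that ends in the implicit deny, run against both ping directions for "Test 4" as posted and again with the extra echo rule. It assumes 192.168.20.50 is the host connected behind 1/g41 (so only its packets hit the inbound ACL) and simplifies the tcp rule to its destination port.

```python
from dataclasses import dataclass
from typing import List, Optional

@dataclass(frozen=True)
class Packet:
    proto: str                        # "icmp" or "tcp"
    src: str
    dst: str
    icmp_type: Optional[str] = None   # "echo" or "echo-reply"
    dport: Optional[int] = None
@dataclass(frozen=True)
class Rule:
    action: str                       # "permit" or "deny"
    proto: str                        # "icmp", "tcp" or "any"
    src: str = "any"
    dst: str = "any"
    icmp_type: str = "any"
    dport: Optional[int] = None
    def matches(self, p: Packet) -> bool:
        if self.proto not in ("any", p.proto):
            return False
        if self.src not in ("any", p.src) or self.dst not in ("any", p.dst):
            return False
        if p.proto == "icmp" and self.icmp_type not in ("any", p.icmp_type):
            return False
        if p.proto == "tcp" and self.dport not in (None, p.dport):
            return False
        return True

def evaluate(acl: List[Rule], p: Packet) -> str:
    """First matching rule wins; no match falls through to the implicit deny."""
    for r in acl:
        if r.matches(p):
            return r.action
    return "deny"
# "Test 4" as posted in the thread, then with greg ward's extra echo rule.
TEST4 = [
    Rule("permit", "icmp", icmp_type="echo-reply"),
    Rule("permit", "tcp", src="192.168.20.50", dst="192.168.0.6", dport=443),
]
TEST4_FIXED = TEST4 + [Rule("permit", "icmp", icmp_type="echo")]

def ping_results(acl: List[Rule]):
    """(.0.6 -> .20.50 ping works?, .20.50 -> .0.6 ping works?). The ACL is inbound
    on 1/g41, so only packets sent by 192.168.20.50 (assumed on that port) are checked."""
    reply_in = Packet("icmp", "192.168.20.50", "192.168.0.6", icmp_type="echo-reply")
    request_in = Packet("icmp", "192.168.20.50", "192.168.0.6", icmp_type="echo")
    return evaluate(acl, reply_in) == "permit", evaluate(acl, request_in) == "permit"
```

With the implicit deny in play, the echo-reply rule covers only the reply half of a ping started from 192.168.0.6, which is why the request half of a ping started from 192.168.20.50 needs its own echo (echo-request) permit.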
Michael986 (author) commented:
Thanks - I have added an 'Echo-request - Permit' rule (as it has to be done through the security suite, and 'echo' is not an option) - now works OK.

However, I still don't understand the original issue :-
If I have just the one rule - ie permit-icmp any any echo-reply any - then pings work both ways. It's only when adding another, seemingly unrelated, rule that the pings stop in one direction. Why would the second rule cause the difference in behaviour?
Michael986 (author) commented:
It seems that this device uses a 'lite' version of IOS, so I might just have to accept that there are a few anomalies like this.