Reflexive Access-list Issue



trueccnp
12-19-2009, 12:58 PM
Dear Friends,

I have two routers, R1 and R2, which are directly connected to each other. On both sides the fa1/1 interface is used for this connectivity.
So I configured R1 as the white-listed network and R2 as the black-listed network: I don't want R2 to be able to send ICMP traffic towards R1, but R1 can send ICMP packets towards R2. They are also BGP peers.

so on R1:
ip access-list extended outbound
 permit tcp any any eq bgp
 permit tcp any eq bgp any
 remark ICMP leaving fa1/1 creates a temporary mirrored entry in REFLECT
 permit icmp any any reflect REFLECT

ip access-list extended inbound
 permit tcp any any eq bgp
 permit tcp any eq bgp any
 remark only ICMP matching a REFLECT entry is admitted; everything else hits the implicit deny
 evaluate REFLECT

int fa 1/1
 ip access-group inbound in
 ip access-group outbound out

So with this configuration my BGP session is working fine, but R1 cannot ping R2.
So is there any problem with my configuration, or why is my configuration not working???

joeb
12-19-2009, 12:59 PM
Hi,

R2 should send the ICMP reply message back to R1. Only then will the ping succeed. But it seems you have blocked the ICMP from R2.

If you have R2's config, that would be great for troubleshooting. This is to my knowledge.

joeb
12-19-2009, 01:00 PM
Hmmm, pretty sure packets generated by the router do NOT look at any access-lists, therefore you never get the 'reflected' ACE (access-list entry). To prove this you can do one of two things:

1. Attach a device to a separate interface on R1 and ping R2 (the traffic will reference the access-list because it was not generated by the router itself).
2. Kinda fancy, but implement policy routing on R1 and source the pings to R2 from a loopback interface. Believe it or not, the router will then reference the ACL because it 'came' from a separate interface and is processed as if it came from another interface.

Have a try with either/both and let me know how you go on :-)
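A small model of the behaviour described in this thread, added here as an illustration and not code from the original posts or from IOS: it simulates R1's fa1/1 'outbound' (reflect) and 'inbound' (evaluate) ACL pair, treats router-originated packets as skipping the outbound ACL so that no REFLECT entry is created, and shows a ping from a host behind R1 creating the entry that lets R2's reply back in. The addresses are constructed for the example.

```python
from dataclasses import dataclass

BGP = 179  # 'eq bgp' in the thread's ACLs

@dataclass(frozen=True)
class Pkt:
    proto: str       # "tcp" or "icmp"
    src: str
    dst: str
    sport: int = 0   # 0 for icmp (no ports)
    dport: int = 0

class R1Fa11:
    """R1's fa1/1 with the thread's 'outbound' (reflect) and 'inbound' (evaluate) ACLs."""
    def __init__(self, own_ip):
        self.own_ip = own_ip
        self.reflect = set()  # temporary REFLECT entries, stored as mirrored 5-tuples

    def outbound(self, pkt):
        # IOS does not run locally generated packets through an outbound ACL, so a ping
        # sourced by R1 itself never creates a REFLECT entry (the point made in the thread).
        if pkt.src == self.own_ip:
            return True
        if pkt.proto == "tcp" and BGP in (pkt.sport, pkt.dport):
            return True  # permit tcp any any eq bgp / permit tcp any eq bgp any
        if pkt.proto == "icmp":
            # permit icmp any any reflect REFLECT: mirror src/dst so the reply matches
            self.reflect.add(("icmp", pkt.dst, pkt.src, pkt.dport, pkt.sport))
            return True
        return False  # implicit deny

    def inbound(self, pkt):
        if pkt.proto == "tcp" and BGP in (pkt.sport, pkt.dport):
            return True
        return (pkt.proto, pkt.src, pkt.dst, pkt.sport, pkt.dport) in self.reflect  # evaluate REFLECT, else implicit deny

def ping(r1, src, dst):
    """Echo request leaves via fa1/1; returns whether R2's echo reply is admitted inbound."""
    if not r1.outbound(Pkt("icmp", src, dst)):
        return False
    return r1.inbound(Pkt("icmp", dst, src))

def run_scenarios():
    """Constructed addresses: R1 10.0.0.1, R2 10.0.0.2, a host behind R1 192.168.1.10."""
    r1 = R1Fa11("10.0.0.1")
    return {
        "r1_pings_r2": ping(r1, "10.0.0.1", "10.0.0.2"),                   # reply dropped
        "host_behind_r1_pings_r2": ping(r1, "192.168.1.10", "10.0.0.2"),   # reply admitted
        "r2_pings_r1": r1.inbound(Pkt("icmp", "10.0.0.2", "10.0.0.1")),    # blocked, as intended
        "bgp_from_r2": r1.inbound(Pkt("tcp", "10.0.0.2", "10.0.0.1", 40000, BGP)),  # permitted
    }
```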