Re: DNS vs. ICMP

From: John Hooper (homith@homith.com)
Date: Wed Oct 01 2003 - 07:53:01 GMT-3

• Next message: Mac: "Re: OSPF Authentication"
• Previous message: Cocimano, Francesco: "RE: DNS vs. ICMP"
• Maybe in reply to: emad: "DNS vs. ICMP"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

This wouldn't have anything to do with MTU path discovery would it for the
dialup users ?

Would adding the following work ?

Access-list 120 permit icmp any any 3 4 ! packet-too-big

Access-list 120 deny icmp any any echo
Access-list 120 deny icmp any any echo-reply
Access-list 120 permit ip any any

Interface Ethernet e0/0
Ip access-group 120 in
Ip access-group 120 out

Just a thought

John

----- Original Message -----
From: "emad" <emad@zakq8.com>
To: "'Snow, Tim'" <timothy.snow@eds.com>
Cc: <ccielab@groupstudy.com>
Sent: Wednesday, October 01, 2003 8:23 PM
Subject: RE: DNS vs. ICMP

> Snow,
> I already changed the number of access-list many times and the actual
> access-list was 130 and I tried also 140 because I contacted Cisco
> without any news
>
> -----Original Message-----
> From: Snow, Tim [mailto:timothy.snow@eds.com]
> Sent: Wednesday, October 01, 2003 11:52 AM
> To: 'emad'
> Cc: 'ccielab@groupstudy.com'
> Subject: RE: DNS vs. ICMP
>
> Out of curiosity, could you try and create another ACL (say 121 for
> example) that exactly mirrors ACL 120 and apply in inbound and keep ACL
> 120
> outbound?
>
> Tim
> #12042
>
> -----Original Message-----
> From: emad [mailto:emad@zakq8.com]
> Sent: Wednesday, October 01, 2003 4:22 AM
> To: ccielab@groupstudy.com
> Subject: DNS vs. ICMP
>
>
> Folks,
> I have access server (3640) with NM-8AM configured for dialup , I tried
> to
> put access-list to block the ICMP echo and echo-reply on the ingress and
> egress of its Ethernet interface. When I put the access-list as
> following:
>
> Access-list 120 deny icmp any any echo
> Access-list 120 deny icmp any any echo-reply
> Access-list 120 permit ip any any
>
> Interface Ethernet e0/0
> Ip access-group 120 in
> Ip access-group 120 out
>
>
> I found that the dialup users lost the browsing and DNS is not working
> but
> when I removed the access-list from the input and keep it only on the
> output
> , everything went good and browsing back again!!! Do u know any relation
> between DNS and ICMP!?
>
> Regards
>
> ***Get your CCIE and a FREE vacation: Shop.GroupStudy.com***
> _______________________________________________________________________
> Please help support GroupStudy by purchasing your study materials from:
> shop.groupstudy.com
>
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html
>
> ***Get your CCIE and a FREE vacation: Shop.GroupStudy.com***
> _______________________________________________________________________
> Please help support GroupStudy by purchasing your study materials from:
> shop.groupstudy.com
>
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html

***Get your CCIE and a FREE vacation: Shop.GroupStudy.com***

• Next message: Mac: "Re: OSPF Authentication"
• Previous message: Cocimano, Francesco: "RE: DNS vs. ICMP"
• Maybe in reply to: emad: "DNS vs. ICMP"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

This archive was generated by hypermail 2.1.4 : Mon Nov 24 2003 - 07:52:54 GMT-3