RE: icmp filtering

From: Brian McGahan (bmcgahan@internetworkexpert.com)
Date: Tue Jun 08 2004 - 19:16:51 GMT-3


inside network - R5 - outside network
     behind R5 - R5 - in front of R5

        It says behind because it's not asking for locally generated. Since an outbound access-list does not match locally generated traffic, it cannot be evaluated without additional configuration, such as local policy routing.

See this thread for more info:

http://www.groupstudy.com/archives/ccielab/200311/msg01170.html

HTH,

Brian McGahan, CCIE #8593
bmcgahan@internetworkexpert.com

Internetwork Expert, Inc.
http://www.InternetworkExpert.com
Toll Free: 877-224-8987 x 705
Outside US: 775-826-4344 x 705

________________________________________
From: Richard Dumoulin [mailto:richard.dumoulin@vanco.es]
Sent: Tuesday, June 08, 2004 5:10 PM
To: Brian McGahan; ccie2be; Group Study
Subject: RE: icmp filtering

Something I usually find confusing is "behind R5". How do you know what is behind and what is not?
Normally by using common sense I deduce that ICMP initiated from the inside should be allowed to return from the outside, but the word "behind" confuses me.
--Richard
-----Original Message-----
From: Brian McGahan [mailto:bmcgahan@internetworkexpert.com]
Sent: Wednesday, 09 June 2004 0:02
To: ccie2be; Group Study
Subject: RE: icmp filtering

Tim,
        What about the question and solution implies this? The question says:
"Configure your network so that ICMP traffic is only allowed into your network if the traffic was initiated from behind R5. For diagnostic and troubleshooting purposes, ensure that users throughout your network are still able to traceroute from behind R5."
        The solution is:
R5:
interface Ethernet0/1
 ip access-group DENY_SNMP in
 ip access-group EVALUATE_ICMP out
!
ip access-list extended DENY_SNMP
 deny udp any any eq snmp
 permit icmp any any time-exceeded
 permit icmp any any unreachable
 evaluate ICMP
 deny icmp any any
 permit ip any any
!
ip access-list extended EVALUATE_ICMP
 permit icmp any any reflect ICMP
 permit ip any any
        Essentially you are watching ICMP traffic that is exiting:
permit icmp any any reflect ICMP
        and you are allowing it back in only if it was initiated from the inside:
evaluate ICMP
deny icmp any any
        but you are allowing trace replies back:
permit icmp any any time-exceeded
permit icmp any any unreachable
        How does this relate to echo or echo-reply?
HTH,
Brian McGahan, CCIE #8593
bmcgahan@internetworkexpert.com
Internetwork Expert, Inc.
http://www.InternetworkExpert.com
Toll Free: 877-224-8987 x 705
Outside US: 775-826-4344 x 705

> -----Original Message-----
> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of ccie2be
> Sent: Tuesday, June 08, 2004 4:40 PM
> To: Group Study
> Subject: icmp filtering
>
> Hi guys,
>
> I hope this isn't too dumb a question, but...
>
> Can someone confirm what this acl entry does?
>
> ip access-list ext ping
> permit (or deny) icmp any any <-----
>
> In particular, does this allow all icmp message types or just echo-request and echo-reply?
>
> I've searched the Doc CD and the whole of cisco.com but couldn't find anything definitive.
>
> I would think it would allow (or deny) all icmp message types but, I'm doing practice IE lab 2, task 10.8 - 10.10 and the solution seems to indicate that it only permits message types echo-request and echo-reply.
>
> Any feedback would be appreciated. Also, if someone knows of any links which discuss this in detail, please let me know.
>
> TIA, Tim
>
>

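The ACL logic the thread argues about, as an added example that is not part of the original posts and is not IOS: a small Python model of how the two access-lists in Brian's solution evaluate packets. It assumes the IOS semantics as the thread describes them (a permit or deny with no type keyword matches every ICMP message type; `reflect` mirrors a permitted outbound packet with the addresses swapped; `evaluate` consults those mirror entries; an outbound ACL is not applied to locally generated traffic) and models the traceroute probe as a UDP datagram whose time-exceeded reply comes from an intermediate hop. The class and function names, addresses and port numbers are constructed for the example, and reflexive-entry timeouts are not modelled.

```python
# Added example (not from the thread, not IOS): a toy model of the reflexive
# ACL logic in Brian's solution. Names and addresses are constructed.
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    proto: str                        # "icmp", "udp" or "tcp"
    src: str
    dst: str
    icmp_type: Optional[str] = None   # e.g. "echo", "echo-reply", "time-exceeded"
    sport: Optional[int] = None
    dport: Optional[int] = None
    local: bool = False               # True if the router itself generated it


@dataclass(frozen=True)
class Entry:
    action: str                       # "permit" or "deny"
    proto: str                        # "ip", "icmp", "udp" or "tcp"
    src: str = "any"
    dst: str = "any"
    icmp_type: Optional[str] = None   # None = every ICMP message type (Tim's question)
    dport: Optional[int] = None       # None = any port, otherwise "eq <port>"
    reflect: Optional[str] = None     # reflexive list that gets a mirror entry
    evaluate: Optional[str] = None    # reflexive list to consult

    def matches(self, p: Packet) -> bool:
        return ((self.proto == "ip" or self.proto == p.proto)
                and self.src in ("any", p.src) and self.dst in ("any", p.dst)
                and self.icmp_type in (None, p.icmp_type)
                and self.dport in (None, p.dport))


class Router:
    def __init__(self, inbound, outbound):
        self.inbound, self.outbound = inbound, outbound
        self.reflexive = {}           # list name -> mirror entries (no timeouts modelled)

    def _run(self, acl, p):
        for e in acl:
            if e.evaluate is not None:    # "evaluate NAME": consult the mirror entries
                if any(m.matches(p) for m in self.reflexive.get(e.evaluate, [])):
                    return "permit"
                continue
            if e.matches(p):
                if e.action == "permit" and e.reflect is not None:
                    # "reflect NAME": mirror the packet with addresses swapped; for
                    # UDP/TCP the outbound source port becomes the return dest port
                    mirror = Entry("permit", p.proto, src=p.dst, dst=p.src,
                                   dport=p.sport if p.proto != "icmp" else None)
                    self.reflexive.setdefault(e.reflect, []).append(mirror)
                return e.action
        return "deny"                 # implicit deny at the end of every IOS ACL

    def send_out(self, p):
        # Locally generated traffic bypasses the outbound ACL, so it never creates
        # a reflexive entry: only traffic from *behind* R5 is tracked.
        return "permit" if p.local else self._run(self.outbound, p)

    def receive(self, p):
        return self._run(self.inbound, p)


DENY_SNMP = [                                           # inbound on Ethernet0/1
    Entry("deny", "udp", dport=161),                    # deny udp any any eq snmp
    Entry("permit", "icmp", icmp_type="time-exceeded"),
    Entry("permit", "icmp", icmp_type="unreachable"),
    Entry("permit", "ip", evaluate="ICMP"),             # evaluate ICMP
    Entry("deny", "icmp"),                              # deny icmp any any
    Entry("permit", "ip"),                              # permit ip any any
]
EVALUATE_ICMP = [                                       # outbound on Ethernet0/1
    Entry("permit", "icmp", reflect="ICMP"),            # permit icmp any any reflect ICMP
    Entry("permit", "ip"),
]


def types_matched_by_permit_icmp_any_any():
    # "permit icmp any any" carries no type keyword, so every type matches.
    e = Entry("permit", "icmp")
    return [t for t in ("echo", "echo-reply", "time-exceeded", "unreachable", "redirect")
            if e.matches(Packet("icmp", "a", "b", t))]


def run_scenarios():
    r5 = Router(inbound=DENY_SNMP, outbound=EVALUATE_ICMP)
    inside, outside, hop = "10.0.0.1", "192.0.2.9", "203.0.113.1"   # constructed
    res = {}
    # ping from behind R5: echo leaves, mirror entry lets the echo-reply back
    r5.send_out(Packet("icmp", inside, outside, "echo"))
    res["reply_to_inside_ping"] = r5.receive(Packet("icmp", outside, inside, "echo-reply"))
    # unsolicited echo from outside: no mirror entry, hits "deny icmp any any"
    res["unsolicited_echo"] = r5.receive(Packet("icmp", "198.51.100.7", inside, "echo"))
    # traceroute from behind R5: UDP probe is not reflected and the time-exceeded
    # comes from an intermediate hop, so only the explicit permit lets it in
    r5.send_out(Packet("udp", inside, outside, sport=40000, dport=33434))
    res["trace_time_exceeded"] = r5.receive(Packet("icmp", hop, inside, "time-exceeded"))
    strict = Router([e for e in DENY_SNMP if e.icmp_type is None], EVALUATE_ICMP)
    strict.send_out(Packet("udp", inside, outside, sport=40000, dport=33434))
    res["trace_without_permits"] = strict.receive(Packet("icmp", hop, inside, "time-exceeded"))
    # ping sourced by R5 itself: outbound ACL skipped, so no mirror entry exists
    r5.send_out(Packet("icmp", "192.0.2.1", outside, "echo", local=True))
    res["reply_to_router_ping"] = r5.receive(Packet("icmp", outside, "192.0.2.1", "echo-reply"))
    res["snmp_in"] = r5.receive(Packet("udp", outside, inside, sport=1024, dport=161))
    return res
```

Running `run_scenarios()` shows the three behaviours the thread describes in one place: a ping from behind R5 gets its reply back through the mirrored entry, the same ping sourced by R5 itself does not, and a traceroute's time-exceeded replies only get in because of the two explicit permits, since they arrive from a hop address that no mirror entry names.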


This archive was generated by hypermail 2.1.4 : Sat Jul 03 2004 - 19:40:35 GMT-3