Re: icmp filtering

From: ccie2be (ccie2be@nyc.rr.com)
Date: Tue Jun 08 2004 - 19:36:54 GMT-3


Thanks Richard, that's what I thought, but....

Unfortunately, your answer leads to another question.

Here's the scenario:

I want to allow pings and traceroutes to come back into my network but only
if they originated from within my network. Allow other traffic.

Here's what I thought the answer should be:

int s0
ip access-group PINGS-IN in
ip access-group PINGS-OUT out

ip access-list ext PINGS-IN
evaluate PINGS
permit ip any any

ip access-list ext PINGS-OUT
permit icmp any any reflect PINGS

I figured this should work since "permit icmp any any" allows all icmp
message types. And, since traceroute uses ping, there shouldn't be a
problem. But, the solution was very different.

Solution:

int s0
ip access-group PINGS-IN in
ip access-group PINGS-OUT out

ip access-list ext PINGS-IN
permit icmp any any ttl-exceeded
permit icmp any any unreachable
evaluate ICMP
deny icmp any any
permit ip any any

ip access-list ext PINGS-OUT
permit icmp any any reflect ICMP <-- Does this statement care what the
message type is?
permit ip any any

*******************************

So, Richard, based on what you said in your earlier post, I would think that
any type of return icmp would be permitted because
permit icmp any any reflect ICMP would create a permit entry for any type of
return icmp traffic regardless of type. But, this solution implies something
way different.

Any thoughts?

Thanks, Tim

----- Original Message -----
From: "Richard Dumoulin" <richard.dumoulin@vanco.es>
To: "ccie2be" <ccie2be@nyc.rr.com>; "Group Study" <ccielab@groupstudy.com>
Sent: Tuesday, June 08, 2004 5:46 PM
Subject: RE: icmp filtering

> It allows all icmp including ping's !!
>
> Do "permit icmp any any ?" and you'll see the options,
>
> --Richard
>
> -----Original Message-----
> From: ccie2be [mailto:ccie2be@nyc.rr.com]
> Sent: martes, 08 de junio de 2004 23:40
> To: Group Study
> Subject: icmp filtering
>
>
> Hi guys,
>
> I hope this isn't too dumb a question, but...
>
> Can someone confirm what this acl entry does?
>
> ip access-list ext ping
> permit (or deny) icmp any any <-----
>
> In particular, does this allow all icmp message types or just echo-request
> and echo-reply?
>
> I've searched the Doc CD and the whole of cisco.com but couldn't find
> anything definitive.
>
> I would think it would allow ( or deny) all icmp message types but, I'm
> doing practice IE lab 2, task 10.8 - 10.10 and the solution seems to
> indicate that it only permits message types echo-request and echo-reply.
>
> Any feedback would be appreciated. Also, if someone knows of any links
> which discuss this in detail, please let me know.
>
> TIA, Tim
>
> _______________________________________________________________________
> Please help support GroupStudy by purchasing your study materials from:
> http://shop.groupstudy.com
>
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html
>



This archive was generated by hypermail 2.1.4 : Sat Jul 03 2004 - 19:40:35 GMT-3