Re: icmp filtering

From: ccie2be (ccie2be@nyc.rr.com)
Date: Tue Jun 08 2004 - 20:06:54 GMT-3


Thanks for getting back to me.

See comments in-line.
----- Original Message -----
From: "Brian McGahan" <bmcgahan@internetworkexpert.com>
To: "ccie2be" <ccie2be@nyc.rr.com>; "Group Study" <ccielab@groupstudy.com>
Sent: Tuesday, June 08, 2004 6:02 PM
Subject: RE: icmp filtering

Tim,

What about the question and solution implies this? The question
says:

"Configure your network so that ICMP traffic is only allowed into your
network if the traffic was initiated from behind R5. For diagnostic and
troubleshooting purposes, ensure that users throughout your network are
still able to traceroute from behind R5."

The solution is:

R5:
interface Ethernet0/1
 ip access-group DENY_SNMP in
 ip access-group EVALUATE_ICMP out
!
ip access-list extended DENY_SNMP
 deny udp any any eq snmp
 permit icmp any any time-exceeded
 permit icmp any any unreachable
 evaluate ICMP
 deny icmp any any
 permit ip any any
!
ip access-list extended EVALUATE_ICMP
 permit icmp any any reflect ICMP
 permit ip any any

Essentially you are watching ICMP traffic that is exiting:

permit icmp any any reflect ICMP

and you are allowing it back in only if it was initiated from the
inside:

evaluate ICMP
deny icmp any any

***************
Since a traceroute uses ping, and the icmp message type isn't considered
since all message types are allowed, wouldn't any icmp message type
be allowed back in by virtue of the "permit icmp any any reflect ICMP" and
therefore negate the need for explicitly allowing
the icmp time-exceeded and unreachable message types?

**********************

but you are allowing trace replies back:

permit icmp any any time-exceeded
permit icmp any any unreachable

How does this relate to echo or echo-reply?

HTH,

Brian McGahan, CCIE #8593
bmcgahan@internetworkexpert.com

Internetwork Expert, Inc.
http://www.InternetworkExpert.com
Toll Free: 877-224-8987 x 705
Outside US: 775-826-4344 x 705

> -----Original Message-----
> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
> ccie2be
> Sent: Tuesday, June 08, 2004 4:40 PM
> To: Group Study
> Subject: icmp filtering
>
> Hi guys,
>
> I hope this isn't too dumb a question, but...
>
> Can someone confirm what this acl entry does?
>
> ip access-list ext ping
> permit (or deny) icmp any any <-----
>
> In particular, does this allow all icmp message types or just echo-request
> and echo-reply?
>
> I've searched the Doc CD and the whole of cisco.com but couldn't find
> anything definitive.
>
> I would think it would allow (or deny) all icmp message types but I'm
> doing practice IE lab 2, task 10.8 - 10.10 and the solution seems to
> indicate that it only permits message types echo-request and echo-reply.
>
> Any feedback would be appreciated. Also, if someone knows of any links
> which discuss this in detail, please let me know.
>
> TIA, Tim
>
>
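Added example (not from the thread, and not Internetwork Expert's code): a small Python model of R5's two access lists that shows why the two explicit permits are needed. It assumes the reflexive entry created by "reflect ICMP" matches only on swapped source/destination addresses, and that traceroute probes (UDP, as IOS sends them) draw time-exceeded from intermediate hops and port-unreachable from the target; the addresses are constructed.

```python
from dataclasses import dataclass
@dataclass(frozen=True)
class Pkt:
    src: str
    dst: str
    proto: str           # "icmp" or "udp"
    icmp_type: str = ""  # echo, echo-reply, time-exceeded, unreachable
    dport: int = 0       # UDP destination port (snmp = 161)

class R5Filter:
    def __init__(self, trace_replies_allowed=True):
        self.trace_replies_allowed = trace_replies_allowed  # the two explicit permits
        self.reflected = set()  # temporary entries created by 'reflect ICMP'

    def outbound(self, p):
        # permit icmp any any reflect ICMP: the temporary entry is the mirror
        # image of the outbound packet (source and destination swapped).
        if p.proto == "icmp":
            self.reflected.add((p.dst, p.src))
        return "permit"  # permit ip any any; UDP probes are NOT reflected

    def inbound(self, p):
        # DENY_SNMP, top-down, first match wins
        if p.proto == "udp" and p.dport == 161:
            return "deny snmp"
        if p.proto == "icmp":
            if self.trace_replies_allowed and p.icmp_type in ("time-exceeded", "unreachable"):
                return "permit explicit"
            if (p.src, p.dst) in self.reflected:
                return "permit evaluate"
            return "deny icmp"
        return "permit ip"

# constructed addresses: inside host, trace target, an intermediate hop
INSIDE, TARGET, HOP = "10.5.5.10", "192.0.2.50", "198.51.100.1"

def ping_verdict(f):
    f.outbound(Pkt(INSIDE, TARGET, "icmp", "echo"))
    return f.inbound(Pkt(TARGET, INSIDE, "icmp", "echo-reply"))

def traceroute_verdicts(f):
    # IOS traceroute sends UDP probes; each hop answers time-exceeded and the
    # target answers port-unreachable, neither sourced by a reflected address.
    f.outbound(Pkt(INSIDE, TARGET, "udp", dport=33434))
    return (f.inbound(Pkt(HOP, INSIDE, "icmp", "time-exceeded")),
            f.inbound(Pkt(TARGET, INSIDE, "icmp", "unreachable")))

def unsolicited_verdict(f):
    return f.inbound(Pkt(TARGET, INSIDE, "icmp", "echo"))
```

Run with trace_replies_allowed=False to see the traceroute replies fall through to "deny icmp": the echo-reply rides the reflected entry, but hop-sourced ICMP never matches it.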



This archive was generated by hypermail 2.1.4 : Sat Jul 03 2004 - 19:40:36 GMT-3