Re: icmp filtering

From: ccie2be (ccie2be@nyc.rr.com)
Date: Tue Jun 08 2004 - 20:20:32 GMT-3


Richard,

I've got to agree with your sentiment there. Those 2 Brians are amazing.

----- Original Message -----
From: "Richard Dumoulin" <richard.dumoulin@vanco.es>
To: "Brian McGahan" <bmcgahan@internetworkexpert.com>; "ccie2be"
<ccie2be@nyc.rr.com>; "Group Study" <ccielab@groupstudy.com>
Sent: Tuesday, June 08, 2004 6:25 PM
Subject: RE: icmp filtering

> Your posts are simply great. I am going to make a book with all your posts
> ;)
>
> --Richard
>
> -----Original Message-----
> From: Brian McGahan [mailto:bmcgahan@internetworkexpert.com]
> Sent: Wednesday, 09 June 2004 0:17
> To: Richard Dumoulin; ccie2be; Group Study
> Subject: RE: icmp filtering
>
>
> inside network - R5 - outside network
> behind R5 - R5 - in front of R5
>
>
> It says behind because it's not asking for locally generated. Since
> an outbound access-list does not match locally generated traffic, it
> cannot be evaluated without additional configuration, such as local
> policy routing.
>
> See this thread for more info:
>
> http://www.groupstudy.com/archives/ccielab/200311/msg01170.html
>
>
> HTH,
>
> Brian McGahan, CCIE #8593
> bmcgahan@internetworkexpert.com
>
> Internetwork Expert, Inc.
> http://www.InternetworkExpert.com
> Toll Free: 877-224-8987 x 705
> Outside US: 775-826-4344 x 705
>
> ________________________________________
> From: Richard Dumoulin [mailto:richard.dumoulin@vanco.es]
> Sent: Tuesday, June 08, 2004 5:10 PM
> To: Brian McGahan; ccie2be; Group Study
> Subject: RE: icmp filtering
>
> Something I usually find confusing is "behind R5". How do you know what is
> behind and not?
> Normally by using common sense I deduce that ICMP initiated from the
> inside should be allowed to return from the outside but the word "behind"
> confuses me, --Richard
> -----Original Message-----
> From: Brian McGahan [mailto:bmcgahan@internetworkexpert.com]
> Sent: Wednesday, 09 June 2004 0:02
> To: ccie2be; Group Study
> Subject: RE: icmp filtering
>
> Tim,
> What about the question and solution implies this? The question
> says:
> "Configure your network so that ICMP traffic is only allowed into your
> network if the traffic was initiated from behind R5. For diagnostic and
> troubleshooting purposes, ensure that users throughout your network are
> still able to traceroute from behind R5."
> The solution is:
> R5:
> interface Ethernet0/1
>  ip access-group DENY_SNMP in
>  ip access-group EVALUATE_ICMP out
> !
> ip access-list extended DENY_SNMP
>  deny udp any any eq snmp
>  permit icmp any any time-exceeded
>  permit icmp any any unreachable
>  evaluate ICMP
>  deny icmp any any
>  permit ip any any
> !
> ip access-list extended EVALUATE_ICMP
>  permit icmp any any reflect ICMP
>  permit ip any any
> Essentially you are watching ICMP traffic that is exiting:
> permit icmp any any reflect ICMP
> and you are allowing it back in only if was initiated from the
> inside:
> evaluate ICMP
> deny icmp any any
> but you are allowing trace replies back:
> permit icmp any any time-exceeded
> permit icmp any any unreachable
> How does this relate to echo or echo-reply?
> HTH,
> Brian McGahan, CCIE #8593
> bmcgahan@internetworkexpert.com
> Internetwork Expert, Inc.
> http://www.InternetworkExpert.com
> Toll Free: 877-224-8987 x 705
> Outside US: 775-826-4344 x 705
>
> > -----Original Message-----
> > From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
> > ccie2be
> > Sent: Tuesday, June 08, 2004 4:40 PM
> > To: Group Study
> > Subject: icmp filtering
> >
> > Hi guys,
> >
> > I hope this isn't too dumb a question, but...
> >
> > Can someone confirm what this acl entry does?
> >
> > ip access-list ext ping
> > permit (or deny) icmp any any <-----
> >
> > In particular, does this allow all icmp message types or just
> > echo-request and echo-reply?
> >
> > I've searched the Doc CD and the whole of cisco.com but couldn't find
> > anything definitive.
> >
> > I would think it would allow (or deny) all icmp message types but, I'm
> > doing practice IE lab 2, task 10.8 - 10.10 and the solution seems to
> > indicate that it only permits message types echo-request and echo-reply.
> >
> > Any feedback would be appreciated. Also, if someone knows of any links
> > which discuss this in detail, please let me know.
> >
> > TIA, Tim
> >
> >
> > _______________________________________________________________________
> > Please help support GroupStudy by purchasing your study materials from:
> > http://shop.groupstudy.com
> >
> > Subscription information may be found at:
> > http://www.groupstudy.com/list/CCIELab.html
>
>
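A constructed model of the reflexive-ACL logic Brian walks through (DENY_SNMP inbound, EVALUATE_ICMP outbound on R5's Ethernet0/1), added here as an example and not code from the thread or from Cisco IOS. The router and host addresses are invented, IOS's idle timeout on reflexive entries is left out, and, as Brian notes, traffic R5 generates itself is modelled as bypassing the outbound ACL so no reflexive entry is created for it.

```python
ROUTER = "10.5.5.5"      # R5's own interface address (assumed, constructed)
SNMP_PORT = 161
TIME_EXCEEDED, UNREACHABLE, ECHO, ECHO_REPLY = 11, 3, 8, 0

class R5:
    def __init__(self):
        # Entries created by 'permit icmp any any reflect ICMP'. IOS keys
        # ICMP reflexive entries on the address pair, not the ICMP type.
        self.reflected = set()

    def outbound(self, pkt):
        """EVALUATE_ICMP applied 'out'. Locally generated traffic (src == R5)
        never hits an outbound ACL, so no reflexive entry is created for it."""
        if pkt["src"] == ROUTER:
            return "permit"          # bypasses the ACL entirely
        if pkt["proto"] == "icmp":
            self.reflected.add(("icmp", pkt["dst"], pkt["src"]))  # reversed
        return "permit"              # permit ip any any

    def inbound(self, pkt):
        """DENY_SNMP applied 'in', entries evaluated top to bottom."""
        if pkt["proto"] == "udp" and pkt.get("dport") == SNMP_PORT:
            return "deny"            # deny udp any any eq snmp
        if pkt["proto"] == "icmp":
            if pkt["type"] in (TIME_EXCEEDED, UNREACHABLE):
                return "permit"      # traceroute replies always allowed
            if ("icmp", pkt["src"], pkt["dst"]) in self.reflected:
                return "permit"      # evaluate ICMP: session opened from inside
            return "deny"            # deny icmp any any
        return "permit"              # permit ip any any

def demo():
    r5 = R5()
    inside, outside = "10.1.1.10", "192.0.2.7"   # constructed hosts
    # 1. Unsolicited echo from outside: no reflexive entry yet -> denied
    unsolicited = r5.inbound({"proto": "icmp", "src": outside, "dst": inside, "type": ECHO})
    # 2. Host behind R5 pings out; the echo-reply is let back in
    r5.outbound({"proto": "icmp", "src": inside, "dst": outside, "type": ECHO})
    reply = r5.inbound({"proto": "icmp", "src": outside, "dst": inside, "type": ECHO_REPLY})
    # 3. R5 pings: locally generated, no entry, so its reply is dropped
    r5.outbound({"proto": "icmp", "src": ROUTER, "dst": outside, "type": ECHO})
    own_reply = r5.inbound({"proto": "icmp", "src": outside, "dst": ROUTER, "type": ECHO_REPLY})
    # 4. Traceroute replies always pass; SNMP from outside never does
    ttl = r5.inbound({"proto": "icmp", "src": outside, "dst": inside, "type": TIME_EXCEEDED})
    snmp = r5.inbound({"proto": "udp", "src": outside, "dst": inside, "dport": SNMP_PORT})
    return unsolicited, reply, own_reply, ttl, snmp
```

Case 3 is the "behind R5" point: a ping sourced from R5 itself gets no reflexive entry, so its reply is caught by `deny icmp any any`.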



This archive was generated by hypermail 2.1.4 : Sat Jul 03 2004 - 19:40:36 GMT-3