Re: REFLEXIVE access-list QUESTION

From: Jongsoo kim (bstrt2002@gmail.com)
Date: Mon Apr 04 2005 - 03:35:20 GMT-3


Mani

My gut feeling says you don't need "permit icmp any any".
I believe your reflexive ACL can track traceroute initiated from 133.13.0.0.
Don't quote me on it 100%.

Jongsoo

On Apr 4, 2005 1:38 AM, mani poopal <mani_ccie@yahoo.com> wrote:
> Hi Group,
>
> Can we make ICMP traffic be reflected (I think you cannot reflect traceroute initiated from inside)? If a question asks to allow only traffic originated from your network 133.13.0.0 for TCP, UDP and ICMP traffic to come back, what is the correct statement?
> =================================
> Extended IP access list INBOUND
> permit udp any any eq rip
> permit tcp any any eq bgp
> permit tcp any eq bgp any
> permit icmp any any   <--------- DO WE NEED THIS, OR STATEMENT 3 BELOW?
> evaluate MYREF
> Extended IP access list OUTBOUND
> permit tcp 133.13.0.0 0.0.255.255 any reflect MYREF
> permit udp 133.13.0.0 0.0.255.255 any reflect MYREF
> permit icmp 133.13.0.0 0.0.255.255 any reflect MYREF
> interface FastEthernet0/0
> ip access-group INBOUND in
> ip access-group OUTBOUND out
> ========================================
> ASSUMPTION: running rip and ospf.
> 1. Do we have to reflect ICMP?
> 2. Do we have to just allow ICMP without reflection?
> 3. If we reflect ICMP, for inbound do we need "permit icmp any any" OR "permit icmp any any time-exceeded" & "permit icmp any any port-unreachable" (needed for traceroute)?
>
> Any suggestions are appreciated.
>
> thanks
>
> Mani
>
> B.ENG,A+,CCNA,CCNP,CCNP-VOICE, CSS1,CNA,MCSE
> (416)431 9929
> MANI_CCIE@YAHOO.COM
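The point under discussion (whether "reflect" on the OUTBOUND list lets the replies to an inside-initiated traceroute back in, or whether explicit time-exceeded / port-unreachable permits are needed) can be checked with a small model of how a reflexive entry is built and matched. This is an added example, not code from the thread or from Cisco; the addresses (an inside host in 133.13.0.0, a target and an intermediate hop from RFC 5737 documentation ranges) and the simplification that an ICMP reflexive entry mirrors addresses only are assumptions of the model.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed addresses: inside host from the thread's 133.13.0.0 network,
# assumed traceroute/ping target and an assumed intermediate router.
INSIDE = "133.13.1.1"
TARGET = "198.51.100.9"
HOP = "203.0.113.1"

@dataclass(frozen=True)
class Pkt:
    proto: str                        # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0                    # ports are 0 for icmp
    dport: int = 0
    icmp_type: Optional[str] = None   # "echo", "time-exceeded", "port-unreachable", ...

def reflect(out: Pkt) -> Pkt:
    """Temporary entry created by 'reflect MYREF': same protocol, source and
    destination swapped, ports swapped. ICMP entries mirror addresses only here."""
    return Pkt(out.proto, out.dst, out.src, out.dport, out.sport)

def matches_entry(pkt: Pkt, entry: Pkt) -> bool:
    if (pkt.proto, pkt.src, pkt.dst) != (entry.proto, entry.src, entry.dst):
        return False
    return pkt.proto == "icmp" or (pkt.sport, pkt.dport) == (entry.sport, entry.dport)

def inbound_permitted(pkt: Pkt, entries, static_icmp_types=()) -> bool:
    """INBOUND list: static 'permit icmp any any <type>' lines, then 'evaluate MYREF'."""
    if pkt.proto == "icmp" and pkt.icmp_type in static_icmp_types:
        return True
    return any(matches_entry(pkt, e) for e in entries)

def simulate(outbound: Pkt, replies, static_icmp_types=()):
    """Send one outbound packet, then test which replies the INBOUND list admits."""
    entries = [reflect(outbound)]
    return {r.icmp_type: inbound_permitted(r, entries, static_icmp_types) for r in replies}

PING = Pkt("icmp", INSIDE, TARGET, icmp_type="echo")
ECHO_REPLY = [Pkt("icmp", TARGET, INSIDE, icmp_type="echo-reply")]
PROBE = Pkt("udp", INSIDE, TARGET, 40000, 33434)          # classic UDP traceroute probe
TRACEROUTE_REPLIES = [Pkt("icmp", HOP, INSIDE, icmp_type="time-exceeded"),
                      Pkt("icmp", TARGET, INSIDE, icmp_type="port-unreachable")]

if __name__ == "__main__":
    print("ping:", simulate(PING, ECHO_REPLY))
    print("traceroute, reflect only:", simulate(PROBE, TRACEROUTE_REPLIES))
    print("traceroute, with static permits:",
          simulate(PROBE, TRACEROUTE_REPLIES, ("time-exceeded", "port-unreachable")))
```

The model shows why the echo reply to a reflected ping gets in while the traceroute replies do not: the UDP probe creates a UDP entry, and the ICMP time-exceeded (from a different source, the hop) and port-unreachable messages match neither its protocol nor, for the hop, its address, so they rely on the static ICMP permits from statement 3.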



This archive was generated by hypermail 2.1.4 : Tue May 03 2005 - 07:54:52 GMT-3