From: Brian McGahan (bmcgahan@internetworkexpert.com)
Date: Mon Apr 04 2005 - 23:35:25 GMT-3
Mani,
If you are going to "permit icmp any any" inbound what's the
point of reflecting it outbound?
Brian McGahan, CCIE #8593
bmcgahan@internetworkexpert.com
Internetwork Expert, Inc.
http://www.InternetworkExpert.com
Toll Free: 877-224-8987 x 705
Outside US: 775-826-4344 x 705
24/7 Support: http://forum.internetworkexpert.com
Live Chat: http://www.internetworkexpert.com/chat/
> -----Original Message-----
> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of mani poopal
> Sent: Monday, April 04, 2005 1:14 PM
> To: Jim; Jongsoo kim
> Cc: ccielab@groupstudy.com
> Subject: Re: REFLEXIVE access-list QUESTION
>
> Hi Group,
>
> So what is the correct configuration: are we going to reflect icmp and
> allow icmp port unreachable & time exceeded explicitly inbound, or allow
> icmp any any explicitly inbound? In the IEWB labs they permit
> unreachables/time exceeded. Any comments from Brian, Scott, Bob, Bruce,
> Tim and others are welcome.
>
> thanks
>
> Mani
>
> Jim <quangnn@hptvietnam.com.vn> wrote:
> anyway, you need to permit time-exceeded & port-unreachable to let
> traceroute work properly.
>
> ----- Original Message -----
> From: "Jongsoo kim"
> To: "mani poopal"
> Cc:
> Sent: Monday, April 04, 2005 1:35 PM
> Subject: Re: REFLEXIVE access-list QUESTION
>
>
> > Mani
> >
> > My gut feeling says you don't need "permit icmp any any".
> > I believe your reflexive ACL can track traceroute initiated from
> > 133.13.0.0.
> > Don't quote me on it 100%.
> >
> >
> > Jongsoo
> >
> >
> > On Apr 4, 2005 1:38 AM, mani poopal wrote:
> >> Hi Group,
> >>
> >> Can icmp traffic be reflected (I think you cannot reflect
> >> traceroute initiated from inside)? If a question asks to allow only
> >> traffic originated from your network 133.13.0.0 for tcp, udp and icmp
> >> traffic to come back, what is the correct statement?
> >> =================================
> >> Extended IP access list INBOUND
> >> permit udp any any eq rip
> >> permit tcp any any eq bgp
> >> permit tcp any eq bgp any
> >> permit icmp any any <--------- DO WE NEED THIS OR BELOW STATEMENT 3?
> >> evaluate MYREF
> >> Extended IP access list OUTBOUND
> >> permit tcp 133.13.0.0 0.0.255.255 any reflect MYREF
> >> permit udp 133.13.0.0 0.0.255.255 any reflect MYREF
> >> permit icmp 133.13.0.0 0.0.255.255 any reflect MYREF
> >> interface FastEthernet0/0
> >> ip access-group INBOUND in
> >> ip access-group OUTBOUND out
> >> ========================================
> >> ASSUMPTION: running rip and ospf.
> >> 1. Do we have to reflect icmp?
> >> 2. Do we just allow icmp without reflection?
> >> 3. If we reflect icmp, for inbound do we need permit icmp any any OR
> >> permit icmp any any time-exceeded & permit icmp any any
> >> port-unreachable (needed for traceroute)?
> >>
> >> Any suggestions are appreciated.
> >>
> >> thanks
> >>
> >> Mani
> >>
> >> B.ENG,A+,CCNA,CCNP,CCNP-VOICE, CSS1,CNA,MCSE
> >> (416)431 9929
> >> MANI_CCIE@YAHOO.COM
> >>
> >>
> >>
> >>
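The config Mani posted and Jim's remark about time-exceeded and port-unreachable, as an added illustration that is not part of the thread: a small Python model of how a reflexive ACL mirrors an outbound packet into a temporary inbound entry, showing why a ping reply matches the reflected entry but traceroute's ICMP errors do not. The 133.13.0.0/16 address is from the thread; the target and hop addresses are constructed documentation addresses, and the model simplifies IOS by mirroring only addresses and ports (ICMP type and code are not recorded in the temporary entry).

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Pkt:
    proto: str           # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0       # 0 for icmp
    dport: int = 0
    icmp_type: int = -1  # only meaningful for icmp

class ReflexiveACL:
    """Toy model of 'permit ... reflect MYREF' outbound and 'evaluate MYREF' inbound."""
    def __init__(self):
        self.reflected = set()  # temporary inbound entries created by reflect

    def outbound(self, p):
        # reflect: create an inbound entry with addresses and ports mirrored.
        # Simplification (assumption): ICMP type is not part of the entry.
        self.reflected.add((p.proto, p.dst, p.src, p.dport, p.sport))

    def inbound(self, p, explicit_permits):
        # evaluate: temporary entries are consulted, then the explicit lines
        if (p.proto, p.src, p.dst, p.sport, p.dport) in self.reflected:
            return "reflected"
        if any(rule(p) for rule in explicit_permits):
            return "explicit"
        return "denied"

# Explicit inbound lines standing in for
#   permit icmp any any time-exceeded (type 11) / permit icmp any any port-unreachable (type 3)
TRACEROUTE_ERRORS = [lambda p: p.proto == "icmp" and p.icmp_type in (3, 11)]

def ping_and_traceroute(explicit_permits):
    """Send a ping and one UDP traceroute probe from 133.13.0.0/16 and report how each
    return packet is handled. Target and hop addresses are constructed for the example."""
    acl = ReflexiveACL()
    inside, ping_dst, tr_dst, hop = "133.13.1.1", "198.51.100.9", "198.51.100.20", "203.0.113.1"
    acl.outbound(Pkt("icmp", inside, ping_dst, icmp_type=8))             # echo request out
    acl.outbound(Pkt("udp", inside, tr_dst, sport=40000, dport=33434))    # traceroute probe out
    return {
        # echo reply comes from the pinged host itself, so the mirrored entry matches
        "echo-reply": acl.inbound(Pkt("icmp", ping_dst, inside, icmp_type=0), explicit_permits),
        # time-exceeded comes from an intermediate hop whose address was never mirrored
        "time-exceeded": acl.inbound(Pkt("icmp", hop, inside, icmp_type=11), explicit_permits),
        # port-unreachable comes from the target, but as icmp, not as the mirrored udp flow
        "port-unreachable": acl.inbound(Pkt("icmp", tr_dst, inside, icmp_type=3), explicit_permits),
    }
```

With no explicit lines the ping works but both traceroute errors are denied; adding the two explicit ICMP permits is what lets traceroute complete.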
This archive was generated by hypermail 2.1.4 : Tue May 03 2005 - 07:54:52 GMT-3