From: simon hart (simon.hart@btinternet.com)
Date: Tue Apr 05 2005 - 09:33:20 GMT-3
Hi Mani,
Looks like my last email was incorrect in relation to Traceroute. Refer to
Brian's.
However, I think the point on locally generated ICMP traffic holds for stuff
such as Ping.
Apologies
Simon
-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of mani poopal
Sent: 05 April 2005 12:38
To: Brian McGahan; Jim; Jongsoo kim
Cc: ccielab@groupstudy.com
Subject: RE: REFLXIVE access-list QUESTION
Brian,
I thought icmp traffic cannot be reflected, e.g. traceroute from inside (which
uses udp as source and icmp as reply). So, assuming we are reflecting icmp,
and unless asked in the question, do we need permit icmp any any port
unreachable and permit icmp any any time exceeded?
P.S: I am going through your workbook again. Good concepts, and I might
ask lots of doubts.
thanks
Mani
Brian McGahan <bmcgahan@internetworkexpert.com> wrote:
Mani,
If you are going to "permit icmp any any" inbound what's the
point of reflecting it outbound?
Brian McGahan, CCIE #8593
bmcgahan@internetworkexpert.com
Internetwork Expert, Inc.
http://www.InternetworkExpert.com
Toll Free: 877-224-8987 x 705
Outside US: 775-826-4344 x 705
24/7 Support: http://forum.internetworkexpert.com
Live Chat: http://www.internetworkexpert.com/chat/
> -----Original Message-----
> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
> mani poopal
> Sent: Monday, April 04, 2005 1:14 PM
> To: Jim; Jongsoo kim
> Cc: ccielab@groupstudy.com
> Subject: Re: REFLXIVE access-list QUESTION
>
> Hi Group,
>
> So what is the correct configuration, are we going to reflect icmp and
> allow icmp port unreachable & time exceeded explicitly inbound or allow
> icmp any any explicitly inbound. In the IEWB labs they permit
> unreachables/time exceeded. Any comments from Brian, Scott, Bob, Bruse,
> Tim and others are welcome
>
> thanks
>
> Mani
>
> Jim wrote:
> anyway, you need to permit time-exceeded & port-unreachable to let
> traceroute work properly.
>
> ----- Original Message -----
> From: "Jongsoo kim"
> To: "mani poopal"
> Cc:
> Sent: Monday, April 04, 2005 1:35 PM
> Subject: Re: REFLXIVE access-list QUESTION
>
>
> > Mani
> >
> > My gut feeling says you don't need "permit icmp any any".
> > I believe your reflexive ACL can track traceroute initiated from
> > 133.13.0.0.
> > Don't quote me on it 100%.
> >
> >
> > Jongsoo
> >
> >
> > On Apr 4, 2005 1:38 AM, mani poopal wrote:
> >> Hi Group,
> >>
> >> Can we make icmp traffic be reflected (I think you cannot reflect
> >> traceroute initiated from inside)? If a question asks to allow only
> >> traffic originated from your network 133.13.0.0 for tcp, udp and icmp
> >> traffic to come back, what is the correct statement?
> >> =================================
> >> Extended IP access list INBOUND
> >> permit udp any any eq rip
> >> permit tcp any any eq bgp
> >> permit tcp any eq bgp any
> >> permit icmp any any <--------- DO WE NEED THIS OR BELOW STATEMENT 3.
> >> evaluate MYREF
> >> Extended IP access list OUTBOUND
> >> permit tcp 133.13.0.0 0.0.255.255 any reflect MYREF
> >> permit udp 133.13.0.0 0.0.255.255 any reflect MYREF
> >> permit icmp 133.13.0.0 0.0.255.255 any reflect MYREF
> >> interface FastEthernet0/0
> >> ip access-group INBOUND in
> >> ip access-group OUTBOUND out
> >> ========================================
> >> ASSUMPTION: running rip and ospf.
> >> 1. Do we have to reflect icmp?
> >> 2. Do we have to just allow icmp without reflection?
> >> 3. If we reflect icmp, for inbound do we need permit icmp any any OR
> >> permit icmp any any time-exceeded & permit icmp any any
> >> port-unreachable (needed for traceroute)?
> >>
> >> Any suggestions are appreciated.
> >>
> >> thanks
> >>
> >> Mani
> >>
> >> B.ENG,A+,CCNA,CCNP,CCNP-VOICE, CSS1,CNA,MCSE
> >> (416)431 9929
> >> MANI_CCIE@YAHOO.COM
> >>
> >>
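One way to write the INBOUND/OUTBOUND pair Mani asks about, as an added example that is not from any poster in this thread: the interface, network, BGP lines and MYREF name come from the thread; the reflexive timeout value and the permit for ospf (the thread only says OSPF is running) are assumptions.

```cisco
! Added example, not from the thread. Reflexive entries in MYREF expire after
! this many idle seconds (value assumed).
ip reflexive-list timeout 120
!
ip access-list extended OUTBOUND
 ! Each session 133.13.0.0/16 initiates creates a temporary mirrored entry
 ! in MYREF: same protocol, source/destination swapped.
 permit tcp 133.13.0.0 0.0.255.255 any reflect MYREF
 permit udp 133.13.0.0 0.0.255.255 any reflect MYREF
 permit icmp 133.13.0.0 0.0.255.255 any reflect MYREF
 ! Caveat from the thread: packets the router itself originates (a ping run
 ! on this router) are not checked by an outbound ACL and create no entry.
!
ip access-list extended INBOUND
 ! Routing protocols on this link (thread assumption: RIP and OSPF).
 permit udp any any eq rip
 permit ospf any any
 ! BGP peering on this interface, as in the thread.
 permit tcp any any eq bgp
 permit tcp any eq bgp any
 ! Traceroute from inside sends UDP probes; the replies are ICMP
 ! time-exceeded from each hop and port-unreachable from the destination.
 ! ICMP is a different protocol from UDP, so the MYREF entry created by the
 ! probe never matches the reply. Permit only those two types: a blanket
 ! "permit icmp any any" would make reflecting icmp outbound pointless.
 permit icmp any 133.13.0.0 0.0.255.255 time-exceeded
 permit icmp any 133.13.0.0 0.0.255.255 port-unreachable
 ! Return traffic for sessions the inside network started, including the
 ! echo-reply to an inside-originated ping.
 evaluate MYREF
!
interface FastEthernet0/0
 ip access-group INBOUND in
 ip access-group OUTBOUND out
```

Anything not matched by the explicit lines or a live MYREF entry falls through to the implicit deny, so `show access-list MYREF` during a session is the quickest check that the reflexive entries are actually being created.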
This archive was generated by hypermail 2.1.4 : Tue May 03 2005 - 07:54:52 GMT-3