RE: Reflexive ACL question IE Solutions Guide

From: Mike Haddad (mike.haddad@hotmail.com)
Date: Thu Mar 27 2008 - 11:57:43 ART


Hello Guys,

  I did lab it, and without the echo-reply the routers behind this router were
responding to ICMP echoes from BB1. To my knowledge:

If my router wants to ping or reply to ping requests from my router, I need to
allow ICMP echo in and out.
In order for my router to receive the echo-replies, I have to allow echo-reply
incoming.
Now, when routers behind my router want to reply to an echo from BB1, they were not
matching the echo-reply; however, they were matching the echo.

   Therefore, echo-reply is for the router issuing the echo to receive the
reply back. The destination router will always echo. I know there is some
contradiction here, because when the destination router replies back the ICMP
will be of type 0.

Waiting for your feedback,

Regards,
> From: smorris@ipexpert.com
> To: steveaggie@gmail.com; mike.haddad@hotmail.com; ccielab@groupstudy.com
> Subject: RE: Reflexive ACL question IE Solutions Guide
> Date: Thu, 27 Mar 2008 10:04:17 -0400
>
> Reflexive ACLs are designed to be aware of the echo/echo-reply pairing.
>
> "If the original triggering packet is a protocol other than TCP or UDP, port
> numbers do not apply, and other criteria are specified. For example, for
> ICMP, type numbers are used: the temporary entry specifies the same type
> number as the original packet (with only one exception: if the original ICMP
> packet is type 8, the returning ICMP packet must be type 0 to be matched)."
>
> So unless you are limiting what outbound stuff you wanted to happen.
>
> HTH,
>
> Scott Morris, CCIE4 (R&S/ISP-Dial/Security/Service Provider) #4713,
> JNCIE-M #153, JNCIS-ER, CISSP, et al.
> CCSI/JNCI-M/JNCI-ER
> VP - Technical Training - IPexpert, Inc.
> IPexpert Sr. Technical Instructor
>
> smorris@ipexpert.com
>
> Telephone: +1.810.326.1444
> Fax: +1.810.454.0130
> http://www.ipexpert.com
>
> -----Original Message-----
> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
> steveaggie@gmail.com
> Sent: Thursday, March 27, 2008 9:04 AM
> To: 'Mike Haddad'; ccielab@groupstudy.com
> Subject: RE: Reflexive ACL question IE Solutions Guide
>
> If ICMP needs to transit the router and BB1 pings a router on the other side
> of R5, how will the echo-reply get back out? It needs to be permitted
> outbound, which would be covered by the line you question.
>
> -----Original Message-----
> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of Mike
> Haddad
> Sent: Thursday, March 27, 2008 1:20 AM
> To: ccielab@groupstudy.com
> Subject: Reflexive ACL question IE Solutions Guide
>
> Hello,
>
> The question says allow ICMP to transit your router. The ACL represented
> in the IE Solutions guide is as follows:
>
> ip access-list extended INBOUND
> permit icmp any any echo
> permit icmp any any echo-reply
> permit ospf any any
> evaluate REFLEXIVE
>
> ip access-list extended OUTBOUND
> permit icmp any any echo
> permit icmp any any echo-reply -> I think this is irrelevant since we will
> never match an ICMP echo-reply on outbound traffic. Even if the ICMP came
> from BB1 for example, the routers behind this router will echo back
> permit tcp any any reflect REFLEXIVE
> permit udp any any reflect REFLEXIVE
>
> Please see my note above.
> Am I correct?
> Regards,
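The two cases argued in this thread can be walked through with a small model of the IOS reflexive-ACL behaviour Scott quotes, applied to the IE INBOUND/OUTBOUND pair. This is an added illustration, not router output or code from the thread or the IE guide; the packets, the inside router name R4 and the helper names are constructed.

```python
ECHO, ECHO_REPLY = 8, 0  # ICMP type numbers used in the rule Scott quotes

def pkt(src, dst, proto, icmp_type=None):
    # Constructed packet tuple; icmp_type is None for tcp/udp/ospf.
    return (src, dst, proto, icmp_type)

class ReflexiveACL:
    def __init__(self, out_static, in_static, reflect):
        self.out_static = set(out_static)  # static permits on OUTBOUND: (proto, icmp_type)
        self.in_static = set(in_static)    # static permits on INBOUND ahead of 'evaluate'
        self.reflect = set(reflect)        # protocols carrying 'reflect REFLEXIVE'
        self.temp = set()                  # temporary entries: (src, dst, proto, icmp_type)

    def outbound(self, p):
        src, dst, proto, t = p
        if (proto, t) in self.out_static:
            return True
        if proto in self.reflect:
            # IOS rule from the quoted text: the temporary entry expects the same
            # ICMP type as the trigger, except that a type 8 trigger expects type 0.
            expect = ECHO_REPLY if t == ECHO else t
            self.temp.add((dst, src, proto, expect))
            return True
        return False

    def inbound(self, p):
        src, dst, proto, t = p
        return (proto, t) in self.in_static or (src, dst, proto, t) in self.temp

def ie_config(outbound_echo_reply=True):
    """The IE INBOUND/OUTBOUND pair, optionally without the OUTBOUND echo-reply line."""
    out_static = {("icmp", ECHO)}
    if outbound_echo_reply:
        out_static.add(("icmp", ECHO_REPLY))
    in_static = {("icmp", ECHO), ("icmp", ECHO_REPLY), ("ospf", None)}
    return ReflexiveACL(out_static, in_static, reflect={"tcp", "udp"})

def bb1_pings_inside_router(fw):
    """BB1 (outside) pings R4 (behind R5): echo comes in, echo-reply must go out."""
    return fw.inbound(pkt("BB1", "R4", "icmp", ECHO)), fw.outbound(pkt("R4", "BB1", "icmp", ECHO_REPLY))

def inside_router_pings_bb1(fw):
    """R4 (inside) pings BB1: echo goes out, echo-reply must come back in."""
    return fw.outbound(pkt("R4", "BB1", "icmp", ECHO)), fw.inbound(pkt("BB1", "R4", "icmp", ECHO_REPLY))

def icmp_reflected_variant():
    """Reflect ICMP instead of permitting it statically: the type 8 trigger creates a
    type 0 entry, so the reply gets in, while an unsolicited echo from BB1 does not."""
    fw = ReflexiveACL(set(), {("ospf", None)}, reflect={"tcp", "udp", "icmp"})
    return inside_router_pings_bb1(fw) + (fw.inbound(pkt("BB1", "R4", "icmp", ECHO)),)
```

With the OUTBOUND echo-reply line removed, `bb1_pings_inside_router` lets the echo in but drops the reply on the way out, because ICMP is not among the reflected protocols in this configuration.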



This archive was generated by hypermail 2.1.4 : Tue Apr 01 2008 - 07:53:54 ART