filtering icmp by code on access-lists

 
 
fradeljuka, 12-15-2004
hello group,

i have the assignment to filter icmp traffic from outside (company's
wan) to inside (company's lan) on every cisco wan router in my company's
locations.
ping and traceroute MUST work any longer.

because of this i will enhance the existing outgoing access-lists on
the lan interface with the following commands. i've tried this locally
with a 3550 switch and two notebooks but it doesn't work exactly how it
should in my opinion...

access-list 100 permit tcp any any established
access-list 100 permit udp any any gt 1024
....
! hosts and networks which must be reachable from outside
....
! this is how i want to filter icmp
access-list 100 permit icmp any any echo
access-list 100 permit icmp any any echo-reply
!
access-list 100 deny ip any any log

[OUTSIDE] notebook <--> cisco 3550 <-[ACL]> notebook b [INSIDE]

ping and traceroute work fine but i still receive "network
unreachable" and "time exceeded" messages as a result of a ping in
both directions.

shouldn't this be blocked by the acl because it's icmp unreachable /
time-exceeded?
 
Walter Roberson, 12-15-2004
In article <(E-Mail Removed) >,
fradeljuka <(E-Mail Removed)> wrote:
:i have the assignment to filter icmp traffic from outside (company's
:wan) to inside (company's lan) on every cisco wan router in my company's
:locations.
:ping and traceroute MUST work any longer.

:because of this i will enhance the existing outgoing access-lists on
:the lan interface with the following commands.

outgoing access-lists do not affect any packet generated by
the router itself, unless you take special steps to ensure that it
does (which might not be available on all devices.)


:# this is how i want to filter icmp
:ip access-list 100 permit icmp any any echo
:ip access-list 100 permit icmp any any echo-reply

and you later indicate not wanting to receive icmp unreachable
messages. If that is your assignment, then you should object to
it, as it is bad networking practice! You are breaking
Path MTU Discovery (PMTUD) if you do not allow through
icmp unreachable fragmentation-needed.

NB: on many cisco devices, to get rid of icmp unreachable
messages, you would configure no icmp unreachables at the
interface level.
--
Entropy is the logarithm of probability -- Boltzmann
 
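An added example, not code from the thread: a small Python model of how a Cisco extended ACL matches ICMP by type and code. It evaluates the ICMP lines of the poster's ACL next to a variant that also permits packet-too-big (type 3 code 4, needed for PMTUD) and time-exceeded (needed by traceroute), and models the point in the reply that an outbound ACL never sees packets the router itself originates. The keyword-to-type mapping is the standard IOS one; the sample ICMP headers are constructed.

```python
import struct

# IOS ICMP keywords -> (type, code); None = any code. Subset used in this thread.
ICMP_KEYWORDS = {
    "echo": (8, None),
    "echo-reply": (0, None),
    "packet-too-big": (3, 4),     # unreachable/fragmentation-needed, needed by PMTUD
    "time-exceeded": (11, None),  # what traceroute relies on
}

# The ICMP part of the ACL as posted in the thread, then a PMTUD-safe variant
THREAD_ACL = ["permit icmp any any echo", "permit icmp any any echo-reply",
              "deny ip any any log"]
PMTUD_SAFE_ACL = THREAD_ACL[:2] + ["permit icmp any any packet-too-big",
                                   "permit icmp any any time-exceeded"] + THREAD_ACL[2:]

def parse_icmp(message: bytes) -> tuple[int, int]:
    """Return (type, code) from the first two bytes of an ICMP message."""
    if len(message) < 4:
        raise ValueError("truncated ICMP header")
    return struct.unpack("!BB", message[:2])

def rule_matches(rule: str, icmp_type: int, icmp_code: int) -> bool:
    """Match one 'permit|deny <proto> any any [icmp-keyword] [log]' line."""
    parts = rule.split()
    if parts[1] == "ip":          # 'ip' covers every protocol, no ICMP qualifier
        return True
    if parts[1] != "icmp":
        return False
    if len(parts) < 5 or parts[4] == "log":   # no keyword: any ICMP type/code
        return True
    want_type, want_code = ICMP_KEYWORDS[parts[4]]
    return icmp_type == want_type and want_code in (None, icmp_code)

def acl_action(acl: list[str], message: bytes, router_generated: bool = False) -> str:
    """First-match evaluation of an outbound ACL with IOS's implicit deny.
    Packets the router originates bypass an outbound ACL (the reply's point)."""
    if router_generated:
        return "permit"
    icmp_type, icmp_code = parse_icmp(message)
    for rule in acl:
        if rule_matches(rule, icmp_type, icmp_code):
            return rule.split()[0]
    return "deny"

# Constructed sample headers: type, code, checksum placeholder, rest of header
ECHO_REQUEST = b"\x08\x00\x00\x00\x00\x01\x00\x01"
TIME_EXCEEDED = b"\x0b\x00\x00\x00\x00\x00\x00\x00"
FRAG_NEEDED = b"\x03\x04\x00\x00\x00\x00\x05\xdc"   # next-hop MTU 1500
HOST_UNREACH = b"\x03\x01\x00\x00\x00\x00\x00\x00"
```

Transit unreachable and time-exceeded messages are dropped by the posted ACL, while the same messages generated by the 3550 itself pass because an outbound ACL is never applied to them.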