filtering icmp by code on access-lists

Discussion in 'Cisco' started by fradeljuka, Dec 15, 2004.

  1. fradeljuka

    fradeljuka Guest

    hello group,

    i have the assignment to filter icmp traffic from outside (company's
    wan) to inside (company's lan) on every cisco wan router in my company's
    locations.
    ping and traceroute MUST still work.

    because of this i will enhance the existing outgoing access-lists on
    the lan interface with the following commands. i've tried this locally
    with a 3550 switch and two notebooks but it doesn't work exactly how it
    should in my opinion...

    access-list 100 permit tcp any any established
    access-list 100 permit udp any any gt 1024
    ....
    ! hosts and networks which must be reachable from outside
    ....
    ! this is how i want to filter icmp
    access-list 100 permit icmp any any echo
    access-list 100 permit icmp any any echo-reply
    !
    access-list 100 deny ip any any log

    [OUTSIDE] notebook <--> cisco 3550 <-[ACL]> notebook b [INSIDE]

    ping and traceroute work fine but i still receive "network
    unreachable" and "time exceeded" messages as a result of a ping in
    both directions.

    shouldn't this be blocked by the acl because it's icmp unreachable /
    time-exceeded?
    fradeljuka, Dec 15, 2004
    #1

  2. In article <>,
    fradeljuka <> wrote:
    :i have the assignment to filter icmp traffic from outside (company's
    :wan) to inside (company's lan) on every cisco wan router in my company's
    :locations.
    :ping and traceroute MUST still work.

    :because of this i will enhance the existing outgoing access-lists on
    :the lan interface with the following commands.

    outgoing access-lists do not affect any packet generated by
    the router itself, unless you take special steps to ensure that it
    does (which might not be available on all devices.)


    :# this is how i want to filter icmp
    :ip access-list 100 permit icmp any any echo
    :ip access-list 100 permit icmp any any echo-reply

    and you later indicate not wanting to receive icmp unreachable
    messages. If that is your assignment, then you should object to
    it, as it is bad networking practice! You are breaking
    Path MTU Discovery (PMTUD) if you do not allow through
    icmp unreachable fragmentation-needed.

    NB: on many cisco devices, to get rid of icmp unreachable
    messages, you would configure no icmp unreachables at the
    interface level.
    --
    Entropy is the logarithm of probability -- Boltzmann
    Walter Roberson, Dec 15, 2004
    #2
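The following is an added configuration example for the situation discussed in this thread; it is not from either poster and is not a tested configuration from their network. It assumes ACL number 100 and the "outbound on the LAN interface" placement from the original question, and uses made-up interface names (FastEthernet0/0 for the WAN side, FastEthernet0/1 for the LAN side). The ICMP keywords (echo, echo-reply, time-exceeded, port-unreachable, packet-too-big) are standard IOS extended-ACL type names, and "no ip unreachables" is the IOS interface command for the behaviour the reply describes.

```cisco
! ---------------------------------------------------------------
! Outbound ACL on the LAN interface: what may reach the inside
! from the outside. Two points from the thread are reflected here:
!  (1) the router's OWN ICMP messages (unreachable, time-exceeded)
!      are not subject to this outbound ACL, so a deny line cannot
!      stop them; use "no ip unreachables" for that.
!  (2) if you drop all unreachables you break PMTUD and traceroute.
! ---------------------------------------------------------------
access-list 100 remark -- return traffic for sessions started from the inside --
access-list 100 permit tcp any any established
access-list 100 permit udp any any gt 1024
!
access-list 100 remark -- ICMP needed for ping (echo / echo-reply) --
access-list 100 permit icmp any any echo
access-list 100 permit icmp any any echo-reply
!
access-list 100 remark -- ICMP needed for traceroute from the inside --
access-list 100 remark    (UDP or ICMP probes get these answers from outside hops)
access-list 100 permit icmp any any time-exceeded
access-list 100 permit icmp any any port-unreachable
!
access-list 100 remark -- ICMP type 3 code 4: keeps Path MTU Discovery working --
access-list 100 permit icmp any any packet-too-big
!
access-list 100 remark -- everything else ICMP is dropped AND logged, so that
access-list 100 remark    "show access-lists 100" / the log show what was filtered
access-list 100 deny   icmp any any log
access-list 100 deny   ip   any any log
!
interface FastEthernet0/1
 description LAN side (hypothetical interface name)
 ip access-group 100 out
!
interface FastEthernet0/0
 description WAN side (hypothetical interface name)
 ! Stops the router itself from generating ICMP unreachables for
 ! packets that arrive here; an ACL cannot do this for router-sourced
 ! traffic. Check the result with "show ip interface FastEthernet0/0".
 no ip unreachables
!
! Verification: "show access-lists 100" shows per-line match counters,
! so a ping/traceroute test from an inside host should increment the
! echo-reply / time-exceeded / port-unreachable lines, not the deny lines.
```

Two design notes. The explicit "deny icmp any any log" line before the final deny is there for visibility: once the filter is in place, the counters and log entries tell you which ICMP types real traffic still needs, instead of finding out through broken applications. Whether "no ip unreachables" is honoured on the ingress interface, and whether it is available at all, varies by platform and IOS version (the reply above makes the same caveat), so confirm it on the actual WAN router rather than on a lab 3550.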