STOP THE PINGS! Help with IOS Access-List please.

Discussion in 'Cisco' started by Eric, Oct 23, 2003.

  1. Eric

    I have a 2610 between the Internet (via T1) and our Pix firewall.
    Currently its access list is wide open, allowing the firewall to do
    all the dirty work. Since September we've been getting a lot of pings
    which get denied at the Pix. This is all fine and dandy except our
    Pix Syslog has grown huge and unwieldy with all the Error messages
    from the denied ICMP packets.

    So, a simple solution, I think, would be to change the access-list on
    the 2610 to deny the ICMP packets there so that they never hit the
    firewall. However, I still want to be able to ping outbound from
    within the network, through the pix (works already) and through the
    gateway router (the 2610).

    Access-lists have me confused.

    So far, I think this is what I need to do:

    access-list 101 deny icmp any any
    access-list 101 permit tcp any any
    access-list 101 permit udp any any
    access-list 101 permit gre any any
    access-list 101 permit esp any any
    ((the last 4 lines are existing, although I'm not certain why they
    have to be there))
    ....

    interface serial0/0
    ip access-group 101 in
    ....etc...

    BUT - I'm worried that will stop all returning ICMP traffic such as
    echoes from when I ping a host on the Internet. Will someone please
    confirm if I am correct?

    Your considerate and insightful replies are sincerely appreciated!

    -Eric Brander
     
    Eric, Oct 23, 2003
    #1

  2. On 23 Oct 2003 11:48:56 -0700, Eric wrote:
    > I have a 2610 between the Internet (via T1) and our Pix firewall.
    > Currently its access list is wide open, allowing the firewall to do
    > all the dirty work. Since September we've been getting a lot of pings
    > which get denied at the Pix. This is all fine and dandy except our
    > Pix Syslog has grown huge and unwieldy with all the Error messages
    > from the denied ICMP packets.
    >
    > So, a simple solution, I think, would be to change the access-list on
    > the 2610 to deny the ICMP packets there so that they never hit the
    > firewall. However, I still want to be able to ping outbound from
    > within the network, through the pix (works already) and through the
    > gateway router (the 2610).
    >
    > Access-lists have me confused.
    >
    > So far, I think this is what I need to do:
    >
    > access-list 101 deny icmp any any


    NO - don't ever deny all ICMP, it breaks path MTU discovery.

    > access-list 101 permit tcp any any
    > access-list 101 permit udp any any
    > access-list 101 permit gre any any
    > access-list 101 permit esp any any
    > ((the last 4 lines are existing, although I'm not certain why they
    > have to be there))
    > ...
    >
    > interface serial0/0
    > ip access-group 101 in
    > ...etc...
    >
    > BUT - I'm worried that will stop all returning ICMP traffic such as
    > echoes from when I ping a host on the Internet. Will someone please
    > confirm if I am correct?


    Correct, but much more seriously see above.

    > Your considerate and insightful replies are sincerely appreciated!


    Just use

    access-list 101 deny icmp any any echo
    access-list 101 permit ip any any

    --
    Jesper Skriver, CCIE #5456, FreeBSD committer
     
    Jesper Skriver, Oct 23, 2003
    #2

  3. hktco

    The following config code will allow your returning icmp traffic back
    to your network so that you can ping and traceroute from the internal
    network.

    hktco.

    ===========

    access-list 101 permit icmp any any echo-reply
    access-list 101 permit icmp any any source-quench
    access-list 101 permit icmp any any unreachable
    access-list 101 permit icmp any any time-exceeded
    access-list 101 deny icmp any any
    access-list 101 permit tcp any any
    access-list 101 permit udp any any
    access-list 101 permit gre any any
    access-list 101 permit esp any any


    (Eric) wrote in message news:<>...
    > I have a 2610 between the Internet (via T1) and our Pix firewall.
    > Currently its access list is wide open, allowing the firewall to do
    > all the dirty work. Since September we've been getting a lot of pings
    > which get denied at the Pix. This is all fine and dandy except our
    > Pix Syslog has grown huge and unwieldy with all the Error messages
    > from the denied ICMP packets.
    >
    > So, a simple solution, I think, would be to change the access-list on
    > the 2610 to deny the ICMP packets there so that they never hit the
    > firewall. However, I still want to be able to ping outbound from
    > within the network, through the pix (works already) and through the
    > gateway router (the 2610).
    >
    > Access-lists have me confused.
    >
    > So far, I think this is what I need to do:
    >
    > access-list 101 deny icmp any any
    > access-list 101 permit tcp any any
    > access-list 101 permit udp any any
    > access-list 101 permit gre any any
    > access-list 101 permit esp any any
    > ((the last 4 lines are existing, although I'm not certain why they
    > have to be there))
    > ...
    >
    > interface serial0/0
    > ip access-group 101 in
    > ...etc...
    >
    > BUT - I'm worried that will stop all returning ICMP traffic such as
    > echoes from when I ping a host on the Internet. Will someone please
    > confirm if I am correct?
    >
    > Your considerate and insightful replies are sincerely appreciated!
    >
    > -Eric Brander
     
    hktco, Oct 23, 2003
    #3
  4. In article <bn9je3$utl49$-berlin.de>,
    Steve Wolfe <> wrote:
    :> access-list 101 permit icmp any any echo-reply
    :> access-list 101 permit icmp any any source-quench
    :> access-list 101 permit icmp any any unreachable
    :> access-list 101 permit icmp any any time-exceeded
    :> access-list 101 deny icmp any any
    :> access-list 101 permit tcp any any
    :> access-list 101 permit udp any any
    :> access-list 101 permit gre any any
    :> access-list 101 permit esp any any

    : Couldn't that be shortened to:

    :access-list 101 permit icmp any any echo-reply
    :access-list 101 permit icmp any any source-quench
    :access-list 101 permit icmp any any unreachable
    :access-list 101 permit icmp any any time-exceeded
    :access-list 101 deny icmp any any
    :access-list 101 permit ip any any

    No, because there are other IP protocols that are not icmp, tcp, udp,
    gre, or esp. AH for example. The implicit deny at the end of the first
    version would deny AH but your proposed version would permit AH.


    : In the case of ICMP, the first matching access list will be either deny
    :or permit, and the processing will stop there, without reaching the
    :"permit ip any any", won't it?

    Correct.
    --
    The Knights Of The Lambda Calculus aren't dead --this is their normal form!
     
    Walter Roberson, Oct 23, 2003
    #4
  5. Steve Wolfe

    > access-list 101 permit icmp any any echo-reply
    > access-list 101 permit icmp any any source-quench
    > access-list 101 permit icmp any any unreachable
    > access-list 101 permit icmp any any time-exceeded
    > access-list 101 deny icmp any any
    > access-list 101 permit tcp any any
    > access-list 101 permit udp any any
    > access-list 101 permit gre any any
    > access-list 101 permit esp any any


    Couldn't that be shortened to:

    access-list 101 permit icmp any any echo-reply
    access-list 101 permit icmp any any source-quench
    access-list 101 permit icmp any any unreachable
    access-list 101 permit icmp any any time-exceeded
    access-list 101 deny icmp any any
    access-list 101 permit ip any any

    In the case of ICMP, the first matching access list will be either deny
    or permit, and the processing will stop there, without reaching the
    "permit ip any any", won't it?

    steve
     
    Steve Wolfe, Oct 23, 2003
    #5
  6. In article <bn9jkv$q3c$>,
    Walter Roberson <-cnrc.gc.ca> wrote:
    >In article <bn9je3$utl49$-berlin.de>,
    >Steve Wolfe <> wrote:
    >:> access-list 101 permit icmp any any echo-reply
    >:> access-list 101 permit icmp any any source-quench
    >:> access-list 101 permit icmp any any unreachable
    >:> access-list 101 permit icmp any any time-exceeded
    >:> access-list 101 deny icmp any any
    >:> access-list 101 permit tcp any any
    >:> access-list 101 permit udp any any
    >:> access-list 101 permit gre any any
    >:> access-list 101 permit esp any any
    >
    >: Couldn't that be shortened to:
    >
    >:access-list 101 permit icmp any any echo-reply
    >:access-list 101 permit icmp any any source-quench
    >:access-list 101 permit icmp any any unreachable
    >:access-list 101 permit icmp any any time-exceeded
    >:access-list 101 deny icmp any any
    >:access-list 101 permit ip any any
    >
    >No, because there are other IP protocols that are not icmp, tcp, udp,
    >gre, or esp. AH for example. The implicit deny at the end of the first
    >version would deny AH but your proposed version would permit AH.


    The OP never said he wanted to block AH. He just wants to block incoming
    pings, and let the firewall deal with everything else.

    --
    Barry Margolin,
    Level(3), Woburn, MA
    *** DON'T SEND TECHNICAL QUESTIONS DIRECTLY TO ME, post them to newsgroups.
    Please DON'T copy followups to me -- I'll assume it wasn't posted to the group.
     
    Barry Margolin, Oct 23, 2003
    #6
  7. Program ended abnormally on 23/10/2003 14:48, Due to a catastrophic Eric
    error:
    > I have a 2610 between the Internet (via T1) and our Pix firewall.
    > Currently its access list is wide open, allowing the firewall to do
    > all the dirty work. Since September we've been getting a lot of pings
    > which get denied at the Pix. This is all fine and dandy except our
    > Pix Syslog has grown huge and unwieldy with all the Error messages
    > from the denied ICMP packets.
    >
    > So, a simple solution, I think, would be to change the access-list on
    > the 2610 to deny the ICMP packets there so that they never hit the
    > firewall. However, I still want to be able to ping outbound from
    > within the network, through the pix (works already) and through the
    > gateway router (the 2610).
    >
    > Access-lists have me confused.
    >
    > So far, I think this is what I need to do:
    >
    > access-list 101 deny icmp any any
    > access-list 101 permit tcp any any
    > access-list 101 permit udp any any
    > access-list 101 permit gre any any
    > access-list 101 permit esp any any
    > ((the last 4 lines are existing, although I'm not certain why they
    > have to be there))
    > ...
    >
    > interface serial0/0
    > ip access-group 101 in
    > ...etc...
    >
    > BUT - I'm worried that will stop all returning ICMP traffic such as
    > echoes from when I ping a host on the Internet. Will someone please
    > confirm if I am correct?


    Yep. Your access-list as it stands will block echo-replies coming back to your
    network as well.

    Change the first line to:

    access-list 101 deny icmp any any echo

    and keep the rest of the list as is.

    --
    Francois Labreque | The surest sign of the existence of extra-
    flabreque | terrestrial intelligence is that they never
    @ | bothered to come down here and visit us!
    videotron.ca | - Calvin
     
    Francois Labreque, Oct 23, 2003
    #7
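    The replies above (Jesper's two-line list in #2, hktco's list in #3, Walter's point about the implicit deny in #4 and the one-line change in #7) all turn on the same IOS rule: entries are checked in order, the first match decides, and anything matching nothing is dropped. The following Python simulator is an added example, not code from the thread; it handles only the `any any` entry forms quoted here, takes the lists exactly as posted (Eric's elided "...." entries are unknown and assumed absent), and the `ah` packet label is the simulator's own name for the AH protocol Walter mentions.

    ```python
    # Added example, not from the thread: a first-match simulator for the numbered
    # IOS extended ACL lines quoted above, limited to the forms used here ("any any"
    # endpoints, optional ICMP type keyword). Packets are constructed inline.
    ICMP_TYPES = {"echo": 8, "echo-reply": 0, "unreachable": 3,
                  "source-quench": 4, "time-exceeded": 11}

    def parse_acl(text):
        """'access-list N action proto any any [icmp-type]' -> ordered rule tuples."""
        rules = []
        for line in text.strip().splitlines():
            p = line.split()
            if len(p) < 6 or p[0] != "access-list" or p[4:6] != ["any", "any"]:
                raise ValueError(f"unsupported entry: {line!r}")
            rules.append((p[2], p[3], ICMP_TYPES[p[6]] if len(p) > 6 else None))
        return rules

    def evaluate(rules, proto, icmp_type=None):
        """First matching entry decides; IOS ends every ACL with an implicit deny."""
        for action, rproto, rtype in rules:
            if rproto in ("ip", proto) and (rtype is None or rtype == icmp_type):
                return action
        return "deny"  # implicit 'deny ip any any': unlisted protocols such as AH

    COMMON_TAIL = """access-list 101 permit tcp any any
    access-list 101 permit udp any any
    access-list 101 permit gre any any
    access-list 101 permit esp any any"""
    ORIGINAL = "access-list 101 deny icmp any any\n" + COMMON_TAIL        # Eric's draft (#1)
    ECHO_ONLY = "access-list 101 deny icmp any any echo\n" + COMMON_TAIL  # first line changed (#7)
    JESPER = "access-list 101 deny icmp any any echo\naccess-list 101 permit ip any any"
    HKTCO = """access-list 101 permit icmp any any echo-reply
    access-list 101 permit icmp any any source-quench
    access-list 101 permit icmp any any unreachable
    access-list 101 permit icmp any any time-exceeded
    access-list 101 deny icmp any any
    """ + COMMON_TAIL

    def verdicts(acl_text):
        """Verdicts for the packets the thread argues about: an inbound ping, the
        reply to an outbound ping, an ICMP unreachable (type 3 carries the
        'fragmentation needed' message path MTU discovery relies on) and AH."""
        rules = parse_acl(acl_text)
        return {"inbound echo": evaluate(rules, "icmp", 8),
                "echo-reply": evaluate(rules, "icmp", 0),
                "unreachable": evaluate(rules, "icmp", 3),
                "ah": evaluate(rules, "ah")}
    ```

    Running `verdicts()` over the four lists shows which ICMP replies and which unlisted protocols each one lets through, so the trade-off Walter and Barry discuss can be checked before the list is applied with `ip access-group 101 in`.
    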
  8. Eric

    (hktco) wrote in message news:<>...
    > The following config code will allow your returning icmp traffic back
    > to your network so that you can ping and traceroute from the internal
    > network.
    >
    > hktco.
    >
    > ===========
    >
    > access-list 101 permit icmp any any echo-reply
    > access-list 101 permit icmp any any source-quench
    > access-list 101 permit icmp any any unreachable
    > access-list 101 permit icmp any any time-exceeded
    > access-list 101 deny icmp any any
    > access-list 101 permit tcp any any
    > access-list 101 permit udp any any
    > access-list 101 permit gre any any
    > access-list 101 permit esp any any
    >



    My thanks to all!

    Eric Brander
     
    Eric, Oct 29, 2003
    #8
