filtering icmp by code on access-lists
fradeljuka
Guest
Posted: Wed Dec 15, 2004 7:03 pm    Post subject: filtering icmp by code on access-lists Reply with quote

hello group,

i have the assignment to filter icmp traffic from outside (company's
wan) to inside (company's lan) on every cisco wan router in my company's
locations.
ping and traceroute MUST still work.

because of this i will enhance the existing outgoing access-lists on
the lan interface with the following commands. i've tried this locally
with a 3550 switch and two notebooks but it doesn't work exactly how it
should in my opinion...

access-list 100 permit tcp any any established
access-list 100 permit udp any any gt 1024
....
! hosts and networks which must be reachable from outside
....
! this is how i want to filter icmp
access-list 100 permit icmp any any echo
access-list 100 permit icmp any any echo-reply
!
access-list 100 deny ip any any log

[OUTSIDE] notebook <--> cisco 3550 <-[ACL]> notebook b [INSIDE]

ping and traceroute work fine but i still receive "network
unreachable" and "time exceeded" messages as a result of a ping in
both directions.

shouldn't this be blocked by the acl because it's icmp unreachable /
time-exceeded?
Walter Roberson
Guest
Posted: Wed Dec 15, 2004 10:23 pm    Post subject: Re: filtering icmp by code on access-lists Reply with quote

In article <e4bd0b58.0412150603.302139b1@posting.google.com>,
fradeljuka <fradeljuka@yahoo.de> wrote:
:i have the assignment to filter icmp traffic from outside (company's
:wan) to inside (company's lan) on every cisco wan router in my company's
:locations.
:ping and traceroute MUST still work.

:because of this i will enhance the existing outgoing access-lists on
:the lan interface with the following commands.

outgoing access-lists do not affect any packet generated by
the router itself, unless you take special steps to ensure that it
does (which might not be available on all devices.)


:# this is how i want to filter icmp
:ip access-list 100 permit icmp any any echo
:ip access-list 100 permit icmp any any echo-reply

and you later indicate not wanting to receive icmp unreachable
messages. If that is your assignment, then you should object to
it, as it is bad networking practice! You are breaking
Path MTU Discovery (PMTUD) if you do not allow through
icmp unreachable fragmentation-needed.

NB: on many cisco devices, to get rid of icmp unreachable
messages, you would configure no icmp unreachables at the
interface level.
--
Entropy is the logarithm of probability -- Boltzmann
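The points raised in the thread gathered into one IOS fragment (an added example, not the poster's or the reply author's configuration; the ACL name WAN-TO-LAN and the interface Vlan10 are assumptions, the ICMP keywords are the standard IOS names for those message types):

```cisco
! Added example, not the poster's config: a named extended ACL applied
! OUTBOUND on the LAN interface, i.e. to packets flowing WAN -> LAN.
! ACL name and interface name are assumptions for illustration.
ip access-list extended WAN-TO-LAN
 remark return traffic for sessions the LAN opened
 permit tcp any any established
 permit udp any any gt 1024
 remark ping in both directions (echo = type 8, echo-reply = type 0)
 permit icmp any any echo
 permit icmp any any echo-reply
 remark keep Path MTU Discovery working: unreachable/fragmentation-needed (type 3 code 4)
 permit icmp any any packet-too-big
 remark traceroute from the LAN needs TTL-expired replies from upstream routers (type 11)
 permit icmp any any time-exceeded
 remark every other unreachable, and all other IP, is dropped and logged
 deny   ip any any log
!
interface Vlan10
 description company LAN
 ip access-group WAN-TO-LAN out
! ICMP generated by the switch/router itself is NOT evaluated by the
! outbound ACL above. If its unreachables are really unwanted, suppress
! them per interface. Note this also silences the box's own
! fragmentation-needed messages, so it works against PMTUD too.
 no ip unreachables
```

The poster's test topology has only the 3550 itself as a hop, which is why its locally generated time-exceeded and unreachable messages appeared despite the ACL; in production the time-exceeded entry is what lets traceroute replies from routers further out reach the LAN.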