Looking to block icmp-echo on my external router... just want to double-check
that I'm putting these on the right interfaces. Please, suggestions welcome!

Cheers,
Jeff
access-list 101 permit icmp x.x.54.0 0.0.0.255 any echo

access-list 101 permit icmp x.x.55.0 0.0.0.255 any echo

*Permits internal network to ping any host

access-list 101 permit ip any any

*Permits any other traffic to and from the network. Needed for the explicit
deny



access-list 102 permit icmp host x.x.x.x any echo-reply

*Permits a ping reply from ISP servers for monitoring

access-list 102 permit icmp any any packet-too-big

*Permits Fragmentation Required ICMP packets (Used for MTU-PD)

access-list 102 deny   icmp any any echo-reply

*Denies any echo reply from any other sources



access-list 102 deny   icmp any x.x.54.0 0.0.0.255 echo

access-list 102 deny   icmp any x.x.55.0 0.0.0.255 echo

*Denies any echo from any other sources

access-list 102 permit ip any any

*Permits any other traffic to and from the network. Needed due to the
explicit deny rule.



Both access lists are applied to the Serial Interfaces of the Edge router.
Access list 102 is assigned to inbound traffic and Access list 101 is
assigned to outbound traffic. See below.



Internet (same ISP, different BGP peers)

    S0/0          S0/1
       \          /
        \        /
         \      /
        Edge Router
             |
           E0/0
             |
            FW
             |
            LAN

x.x.54.0 and x.x.55.0 networks




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=27361&t=27361
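
Added example (not part of the original post): a first-match evaluator in Python for access list 102 as posted, run over constructed inbound packets to show which entry decides each one. The 192.0.2.0/24, 198.51.100.0/24 and 203.0.113.x values are stand-ins for the redacted addresses, and the function names are hypothetical.

```python
import ipaddress

# Constructed stand-ins (RFC 5737 ranges) for the addresses redacted in the post.
LAN_A, LAN_B, ISP_MON = "192.0.2.0", "198.51.100.0", "203.0.113.10"

# ACL 102 as posted: (action, protocol, src, src_wildcard, dst, dst_wildcard, icmp_type)
ACL_102 = [
    ("permit", "icmp", ISP_MON, "0.0.0.0", "any", None, "echo-reply"),
    ("permit", "icmp", "any", None, "any", None, "packet-too-big"),
    ("deny", "icmp", "any", None, "any", None, "echo-reply"),
    ("deny", "icmp", "any", None, LAN_A, "0.0.0.255", "echo"),
    ("deny", "icmp", "any", None, LAN_B, "0.0.0.255", "echo"),
    ("permit", "ip", "any", None, "any", None, None),
]

def addr_match(addr, base, wildcard):
    """Cisco wildcard match: bits set in the wildcard are ignored."""
    if base == "any":
        return True
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(addr)) & care) == (int(ipaddress.IPv4Address(base)) & care)

def evaluate(acl, proto, src, dst, icmp_type=None):
    """Return (action, entry_number) for the first entry that matches the packet."""
    for number, (action, p, s, sw, d, dw, t) in enumerate(acl, 1):
        if p not in ("ip", proto):
            continue  # an "ip" entry matches every protocol
        if t is not None and t != icmp_type:
            continue
        if addr_match(src, s, sw) and addr_match(dst, d, dw):
            return action, number
    return "deny", None  # implicit deny that ends every IOS access list

# Constructed inbound packets: (protocol, source, destination, ICMP type)
SAMPLES = [
    ("icmp", ISP_MON, "192.0.2.25", "echo-reply"),
    ("icmp", "203.0.113.99", "192.0.2.25", "echo-reply"),
    ("icmp", "203.0.113.99", "198.51.100.7", "echo"),
    ("icmp", "203.0.113.99", "198.51.100.7", "packet-too-big"),
    ("icmp", "203.0.113.99", "203.0.113.1", "echo"),  # destination outside both LAN /24s
    ("tcp", "203.0.113.99", "192.0.2.25", None),
]

if __name__ == "__main__":
    for pkt in SAMPLES:
        print(pkt, "->", evaluate(ACL_102, *pkt))
```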