Hey Jeff,

In access-list 102 I think you will have to allow echo reply from any network going to x.x.54.0 and x.x.55.0, or you will not be able to ping any host on the Internet. I see that you have echo reply from "access-list 102 permit icmp host x.x.x.x any echo-reply"; if this is the only machine you want an echo reply from, then disregard the previous statement.

On access-list 101, you are not allowing tcp or udp going outbound? What will do your transport-layer stuff?

Don't know if this helps.... Might even confuse you more......

Scott

-----Original Message-----
From: Jeff [mailto:[EMAIL PROTECTED]]
Sent: Monday, November 26, 2001 11:34 AM
To: [EMAIL PROTECTED]
Subject: ACL Gurus [7:27361]

Looking to block icmp-echo on my external router... just want to double-check that I'm putting these on the right interfaces. Please, suggestions welcome!

Cheers,
Jeff

access-list 101 permit icmp x.x.54.0 0.0.0.255 any echo
access-list 101 permit icmp x.x.55.0 0.0.0.255 any echo
*Permits internal network to ping any host
access-list 101 permit ip any any
*Permits any other traffic to and from the network. Needed for the explicit deny.

access-list 102 permit icmp host x.x.x.x any echo-reply
*Permits a ping reply from ISP servers for monitoring
access-list 102 permit icmp any any packet-too-big
*Permits Fragmentation Required ICMP packets (used for MTU-PD)
access-list 102 deny icmp any any echo-reply
*Deny any echo reply from any other sources
access-list 102 deny icmp any x.x.54.0 0.0.0.255 echo
access-list 102 deny icmp any x.x.55.0 0.0.0.255 echo
*Deny any echo from any other sources
access-list 102 permit ip any any
*Permits any other traffic to and from the network. Needed due to the explicit deny rule.

Both access lists are applied to the Serial interfaces of the edge router. Access list 102 is assigned to inbound traffic and access list 101 is assigned to outbound traffic. See below..

        Internet (same ISP, different BGP peers)
              S0/0       S0/1
                 \       /
                  \     /
                   \   /
                Edge Router
                     |
                   E0/0
                     |
                    FW
                     |
        LAN x.x.54.0 and x.x.55.0 networks

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=27375&t=27361
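To trace which line of the two lists a given packet hits (and to see the echo-reply drop Scott describes), here is a small first-match evaluator for Cisco-style numbered extended ACLs. It is an added example, not from the thread or any Cisco tool; 10.1.54.0/55.0 and 192.0.2.1 are constructed stand-ins for Jeff's x.x.54.0/55.0 networks and the ISP monitoring host.

```python
import ipaddress

def _parse_addr(tokens, i):
    """Return (base, wildcard, next_index) for 'any', 'host A' or 'A WILDCARD'."""
    if tokens[i] == "any":
        return 0, 0xFFFFFFFF, i + 1
    if tokens[i] == "host":
        return int(ipaddress.IPv4Address(tokens[i + 1])), 0, i + 2
    base = int(ipaddress.IPv4Address(tokens[i]))
    wildcard = int(ipaddress.IPv4Address(tokens[i + 1]))
    return base, wildcard, i + 2

def parse_acl(text):
    """Parse 'access-list N permit|deny PROTO SRC DST [ICMP-TYPE]' lines, in order."""
    aces = []
    for line in text.strip().splitlines():
        t = line.split()
        action, proto = t[2], t[3]
        src, swc, i = _parse_addr(t, 4)
        dst, dwc, i = _parse_addr(t, i)
        icmp_type = t[i] if i < len(t) else None
        aces.append((line.strip(), action, proto, src, swc, dst, dwc, icmp_type))
    return aces

def _match(addr, base, wildcard):
    # Cisco wildcard: a 1 bit means "don't care", so only the 0 bits are compared.
    return (int(ipaddress.IPv4Address(addr)) | wildcard) == (base | wildcard)

def evaluate(aces, src, dst, proto, icmp_type=None):
    """Return (action, ace_text) for the first matching entry, else the implicit deny."""
    for line, action, aproto, s, swc, d, dwc, atype in aces:
        if aproto not in ("ip", proto):
            continue
        if not (_match(src, s, swc) and _match(dst, d, dwc)):
            continue
        if atype is not None and atype != icmp_type:
            continue
        return action, line
    return "deny", "implicit deny"

# Constructed addresses: 10.1.54.0/55.0 stand in for x.x.54.0/55.0, 192.0.2.1 for the ISP host.
ACL_101_OUT = parse_acl("""
access-list 101 permit icmp 10.1.54.0 0.0.0.255 any echo
access-list 101 permit icmp 10.1.55.0 0.0.0.255 any echo
access-list 101 permit ip any any
""")
ACL_102_IN = parse_acl("""
access-list 102 permit icmp host 192.0.2.1 any echo-reply
access-list 102 permit icmp any any packet-too-big
access-list 102 deny icmp any any echo-reply
access-list 102 deny icmp any 10.1.54.0 0.0.0.255 echo
access-list 102 deny icmp any 10.1.55.0 0.0.0.255 echo
access-list 102 permit ip any any
""")
```

Running `evaluate(ACL_101_OUT, "10.1.54.10", "198.51.100.7", "icmp", "echo")` permits the outbound echo, while `evaluate(ACL_102_IN, "198.51.100.7", "10.1.54.10", "icmp", "echo-reply")` lands on the `deny icmp any any echo-reply` line, so the reply never reaches the LAN.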