Ok I am a little confused here, but

1. What does access-list 101 actually deny?
2. If you permit all ip are you not also allowing all tcp & udp?

Matt T
Jeff wrote:
> 
> Looking to block icmp-echo on my external router... just want to
> double-check that I'm putting these on the right interfaces. Please,
> suggestions welcome!
> 
> Cheers,
> Jeff
> access-list 101 permit icmp x.x.54.0 0.0.0.255 any echo
> 
> access-list 101 permit icmp x.x.55.0 0.0.0.255 any echo
> 
> *Permits internal network to ping any host
> 
> access-list 101 permit ip any any
> 
> *Permits any other traffic to and from the network. Need for the
> explicit deny
> 
> 
> 
> access-list 102 permit icmp host x.x.x.x any echo-reply
> 
> *Permits a ping reply from ISP servers for monitoring
> 
> access-list 102 permit icmp any any packet-too-big
> 
> *Permits Fragmentation Required ICMP packets (Used for MTU-PD)
> 
> access-list 102 deny   icmp any any echo-reply
> 
> deny any echo reply from any other sources
> 
> 
> 
> access-list 102 deny   icmp any x.x.54.0 0.0.0.255 echo
> 
> access-list 102 deny   icmp any x.x.55.0 0.0.0.255 echo
> 
> deny any echo from any other sources
> 
> access-list 102 permit ip any any
> 
> *Permits any other traffic to and from the network. Needed due to the
> explicit deny rule.
> 
> 
> 
> Both access lists are applied to the Serial Interfaces of the Edge
> router. Access list 102 is assigned to inbound traffic and Access list
> 101 is assigned to outbound traffic. See below.
> 
> 
> 
> Internet (same ISP, different BGP peers)
>
>   S0/0          S0/1
>      \          /
>       \        /
>        \      /
>      Edge Router
>           |
>          E0/0
>           |
>           FW
>           |
>          LAN
>
> x.x.54.0 and x.x.55.0 networks
> 
> 
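
The first-match evaluation behind both questions above, as an added example that is not part of the original posts: a small Python evaluator that walks the two quoted access lists top down and reports which entry decides a packet. The addresses 10.0.54.0/24, 10.0.55.0/24 and 192.0.2.10 are constructed stand-ins for the masked x.x.54.0, x.x.55.0 and x.x.x.x values, the sample packets are constructed, and `evaluate` and `reachable_denies` are hypothetical helper names.

```python
import ipaddress

ANY = ipaddress.ip_network("0.0.0.0/0")
NET54 = ipaddress.ip_network("10.0.54.0/24")  # constructed stand-in for x.x.54.0 0.0.0.255
NET55 = ipaddress.ip_network("10.0.55.0/24")  # constructed stand-in for x.x.55.0 0.0.0.255
ISP = ipaddress.ip_network("192.0.2.10/32")   # constructed stand-in for "host x.x.x.x"

# Entry layout: (action, protocol, source, destination, icmp_type or None for any)
ACL_101 = [
    ("permit", "icmp", NET54, ANY, "echo"),
    ("permit", "icmp", NET55, ANY, "echo"),
    ("permit", "ip", ANY, ANY, None),
]
ACL_102 = [
    ("permit", "icmp", ISP, ANY, "echo-reply"),
    ("permit", "icmp", ANY, ANY, "packet-too-big"),
    ("deny", "icmp", ANY, ANY, "echo-reply"),
    ("deny", "icmp", ANY, NET54, "echo"),
    ("deny", "icmp", ANY, NET55, "echo"),
    ("permit", "ip", ANY, ANY, None),
]

def evaluate(acl, proto, src, dst, icmp_type=None):
    """Return (action, entry_number) for the first matching entry, top down.
    entry_number is None when only the implicit deny at the end applies."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for number, (action, a_proto, a_src, a_dst, a_type) in enumerate(acl, 1):
        if a_proto != "ip" and a_proto != proto:  # "ip" matches every IP protocol
            continue
        if src not in a_src or dst not in a_dst:
            continue
        if a_type is not None and a_type != icmp_type:
            continue
        return action, number
    return "deny", None

def reachable_denies(acl, samples):
    """Entry numbers of explicit deny lines that the sample packets actually hit."""
    hits = {evaluate(acl, *pkt) for pkt in samples}
    return sorted(n for action, n in hits if action == "deny" and n is not None)

# Constructed sample packets: (protocol, source, destination, icmp_type)
SAMPLES = [
    ("icmp", "10.0.54.7", "203.0.113.5", "echo"),
    ("icmp", "203.0.113.5", "10.0.54.7", "echo"),
    ("icmp", "203.0.113.5", "10.0.54.7", "echo-reply"),
    ("icmp", "192.0.2.10", "10.0.55.9", "echo-reply"),
    ("tcp", "203.0.113.5", "10.0.54.7", None),
]
```

Calling `reachable_denies(ACL_101, SAMPLES)` and `reachable_denies(ACL_102, SAMPLES)` shows which explicit deny entries each list reaches for the same packets.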




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=27392&t=27361