My view/guestimation only here, so anyone is welcome to pick holes in it:

I would apply 101 (the outgoing access list to the ethernet port). May as well drop the rubbish before the router processes it. I would also make it:

access-list 101 permit icmp x.x.54.0 0.0.1.255 any echo
(equivalent to your two lines)
access-list 101 deny icmp any any
(denies all other icmp, otherwise your next line allowed everything including icmp)
access-list 101 permit ip any any

I would apply 102 as you have on the serial interface, with a slight change.

access-list 102 permit icmp any any echo-reply
(presumably as you allowed echo outgoing, you want the replies)
access-list 102 deny icmp any any
(may as well block all other icmp)
access-list 102 permit ip any any

Of course this is just fictional to control icmp only. I've changed it about 4 times, so I've no doubt it could take some more changes.

Regards,
Gaz

"Matthew Tayler" wrote in message news:[EMAIL PROTECTED]...
> Ok I am a little confused here, but
>
> 1. What does access-list 101 actually deny?
> 2. If you permit all ip are you not also allowing all tcp & udp?
>
> Matt T
>
> Jeff wrote:
> >
> > Looking to block icmp-echo on my external router... just want to double-check
> > that I'm putting these on the right interfaces. Please, suggestions welcome!
> >
> > Cheers,
> > Jeff
> >
> > access-list 101 permit icmp x.x.54.0 0.0.0.255 any echo
> > access-list 101 permit icmp x.x.55.0 0.0.0.255 any echo
> > *Permits internal network to ping any host
> > access-list 101 permit ip any any
> > *Permits any other traffic to and from the network. Needed for the explicit deny.
> >
> > access-list 102 permit icmp host x.x.x.x any echo-reply
> > *Permits a ping reply from ISP servers for monitoring
> > access-list 102 permit icmp any any packet-too-big
> > *Permits Fragmentation Required ICMP packets (used for MTU-PD)
> > access-list 102 deny icmp any any echo-reply
> > *Denies any echo reply from any other sources
> >
> > access-list 102 deny icmp any x.x.54.0 0.0.0.255 echo
> > access-list 102 deny icmp any x.x.55.0 0.0.0.255 echo
> > *Denies any echo from any other sources
> > access-list 102 permit ip any any
> > *Permits any other traffic to and from the network. Needed due to the explicit deny rule.
> >
> > Both access lists are applied to the serial interfaces of the edge router.
> > Access list 102 is assigned to inbound traffic and access list 101 is
> > assigned to outbound traffic. See below..
> >
> > Internet (same ISP, different BGP peers)
> >
> >     S0/0     S0/1
> >        \     /
> >         \   /
> >          \ /
> >       Edge Router
> >            |
> >          E0/0
> >            |
> >           FW
> >            |
> >          LAN
> >   x.x.54.0 and x.x.55.0 networks

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=27396&t=27361
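An added example, not part of any post in this thread: a small Python model of how an IOS numbered extended ACL is evaluated (top-down, first match wins, implicit deny at the end, wildcard-mask bits meaning "don't care"), run over Jeff's original 101, Gaz's rewritten 101 and Gaz's 102. The thread's x.x.54.0/x.x.55.0 prefixes are replaced by the constructed documentation addresses 192.0.2.0/24 and 192.0.3.0/24 (an adjacent pair, so 0.0.1.255 covers both, just as it does for 54/55), and 198.51.100.1 and 203.0.113.5 are constructed outside hosts. Only the ICMP type keywords that appear in the thread are modelled; the parser and the packet/entry types are assumptions of this example, not an IOS API. It shows concretely what Matt asked: the original 101 never reaches a deny, and "permit ip any any" matches tcp and udp as well as icmp.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str                      # "icmp", "tcp" or "udp"
    src: str
    dst: str
    icmp_type: Optional[str] = None  # "echo", "echo-reply", "packet-too-big", ...


@dataclass(frozen=True)
class Entry:
    action: str                      # "permit" or "deny"
    proto: str                       # "ip" matches every protocol
    src_net: int
    src_wild: int
    dst_net: int
    dst_wild: int
    icmp_type: Optional[str]         # None = any ICMP type


def _to_int(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))


def _parse_addr(tok: List[str], i: int) -> Tuple[int, int, int]:
    """Consume one address spec: 'any', 'host A', or 'A WILDCARD'."""
    if tok[i] == "any":
        return 0, 0xFFFFFFFF, i + 1
    if tok[i] == "host":
        return _to_int(tok[i + 1]), 0, i + 2
    return _to_int(tok[i]), _to_int(tok[i + 1]), i + 2


def parse_acl(text: str) -> List[Entry]:
    """Parse 'access-list N permit|deny PROTO SRC DST [icmp-type]' lines (assumed subset)."""
    entries = []
    for line in text.strip().splitlines():
        tok = line.split()
        if not tok or tok[0] != "access-list":
            continue
        action, proto = tok[2], tok[3]
        src_net, src_wild, i = _parse_addr(tok, 4)
        dst_net, dst_wild, i = _parse_addr(tok, i)
        icmp_type = tok[i] if i < len(tok) else None
        entries.append(Entry(action, proto, src_net, src_wild, dst_net, dst_wild, icmp_type))
    return entries


def _addr_match(addr: int, net: int, wild: int) -> bool:
    # Cisco wildcard: a 1 bit means "don't care", so compare only the 0 bits.
    care = ~wild & 0xFFFFFFFF
    return (addr & care) == (net & care)


def evaluate(acl: List[Entry], pkt: Packet) -> Tuple[str, Optional[int]]:
    """Return (action, 1-based line that matched); None line = implicit deny at end."""
    for n, e in enumerate(acl, 1):
        if e.proto != "ip" and e.proto != pkt.proto:
            continue
        if not _addr_match(_to_int(pkt.src), e.src_net, e.src_wild):
            continue
        if not _addr_match(_to_int(pkt.dst), e.dst_net, e.dst_wild):
            continue
        if e.icmp_type is not None and e.icmp_type != pkt.icmp_type:
            continue
        return e.action, n
    return "deny", None


# Jeff's original outbound list, with constructed prefixes in place of x.x.54.0 / x.x.55.0.
JEFF_101 = parse_acl("""
access-list 101 permit icmp 192.0.2.0 0.0.0.255 any echo
access-list 101 permit icmp 192.0.3.0 0.0.0.255 any echo
access-list 101 permit ip any any
""")

# Gaz's rewrite: one /23 wildcard line, then an explicit deny for all other ICMP.
GAZ_101 = parse_acl("""
access-list 101 permit icmp 192.0.2.0 0.0.1.255 any echo
access-list 101 deny icmp any any
access-list 101 permit ip any any
""")

GAZ_102 = parse_acl("""
access-list 102 permit icmp any any echo-reply
access-list 102 deny icmp any any
access-list 102 permit ip any any
""")


if __name__ == "__main__":
    reply_out = Packet("icmp", "192.0.2.10", "198.51.100.1", "echo-reply")
    print("Jeff 101, outbound echo-reply:", evaluate(JEFF_101, reply_out))   # permitted by line 3
    print("Gaz  101, outbound echo-reply:", evaluate(GAZ_101, reply_out))    # denied by line 2
    print("Gaz  101, outbound tcp:", evaluate(GAZ_101, Packet("tcp", "192.0.2.10", "198.51.100.1")))
```

Reading the two results side by side answers the thread: with Jeff's 101 every packet that is not an inside-sourced echo falls through to "permit ip any any", so the list denies nothing at all; Gaz's version denies every other ICMP type before that line, while tcp and udp still pass. The implicit deny only ever fires when the final "permit ip any any" is absent.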

