"My understanding is ICMP is not a subset of IP or anything with IP
protocol.
ICMP and IP both work at the network layer and are separate protocols."
Bzzt.  You are the weakest link.  Goodbye ;-)

ICMP is IP protocol 1 (TCP is 6, UDP is 17).  ICMP stands for Internet
Control Message Protocol, which is a bit of a hint that it might be related
to IP (although hardly strong evidence).  According to TCP/IP Illustrated
(Stevens): "ICMP is often considered part of the IP layer", so you're
correct there, but "ICMP messages are transmitted within IP datagrams", so
your "permit ip any any" will permit ICMP.
And anyway, I use "permit ip any any" to define interesting traffic on some
dialup links, and I can bring up the links with a well-directed ping.  So I
know IP includes ICMP ;-)

JMcL
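An added example, not part of the thread: a toy evaluator for the Cisco-style extended ACL lines quoted below (it is a hypothetical simplification, not Cisco's matching logic). It treats ICMP as IP protocol 1, so an ICMP packet that matches no ICMP-specific entry falls through to "permit ip any any", and anything unmatched hits the implicit deny. Sample lists are constructed, with the thread's x.x.54.0/x.x.55.0 replaced by a made-up 10.0.54.0/23; the wildcard handling assumes contiguous masks.

```python
import ipaddress

PROTO = {"ip": None, "icmp": 1, "tcp": 6, "udp": 17}   # "ip" matches every IP protocol, ICMP included
ICMP_TYPES = {"echo": 8, "echo-reply": 0, "packet-too-big": 3}

def _addr(tokens):
    """Consume 'any' | 'host A' | 'A WILDCARD'; return (network, remaining tokens)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    wildcard = int(ipaddress.ip_address(tokens[1]))   # Cisco wildcard: 1 bits are "don't care"
    prefix = 32 - wildcard.bit_length()               # assumes a contiguous wildcard mask
    return ipaddress.ip_network((tokens[0], prefix), strict=False), tokens[2:]

def parse_acl(text):
    """Parse 'access-list N permit|deny PROTO SRC DST [icmp-type]' lines; drops '(comments)'."""
    entries = []
    for line in text.splitlines():
        t = line.split("(")[0].split()
        if len(t) < 6 or t[0] != "access-list":
            continue
        src, rest = _addr(t[4:])
        dst, rest = _addr(rest)
        itype = ICMP_TYPES[rest[0]] if rest else None
        entries.append((t[2], PROTO[t[3]], src, dst, itype))
    return entries

def evaluate(entries, src, dst, proto, icmp_type=None):
    """Return 'permit' or 'deny' for one packet: first match wins, then the implicit deny."""
    for action, p, snet, dnet, itype in entries:
        if p is not None and p != proto:
            continue                       # protocol-specific entry, different protocol
        if itype is not None and (proto != 1 or icmp_type != itype):
            continue                       # entry names an ICMP type this packet is not
        if ipaddress.ip_address(src) in snet and ipaddress.ip_address(dst) in dnet:
            return action
    return "deny"                          # implicit deny at the end of every Cisco ACL

# Constructed sample lists (thread's x.x.54.0/x.x.55.0 replaced by a made-up 10.0.54.0/23).
JEFF_101 = """\
access-list 101 permit icmp 10.0.54.0 0.0.0.255 any echo
access-list 101 permit icmp 10.0.55.0 0.0.0.255 any echo
access-list 101 permit ip any any
"""
GAZ_101 = """\
access-list 101 permit icmp 10.0.54.0 0.0.1.255 any echo (equivalent to your two lines)
access-list 101 deny icmp any any (denies all other icmp)
access-list 101 permit ip any any
"""
```

Running `evaluate(parse_acl(JEFF_101), "10.0.54.5", "198.51.100.1", 1, 13)` returns "permit" (an ICMP timestamp request slips through "permit ip any any"), while the same packet against GAZ_101 returns "deny".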
----- Forwarded by Jenny Mcleod/NSO/CSDA on 27/11/2001 02:09 pm -----

From: "Scott Nawalaniec"
Sent by: nobody@groupstudy.com
To: [EMAIL PROTECTED]
Subject: RE: ACL Gurus [7:27361]
Date: 27/11/2001 11:29 am
Please respond to: "Scott Nawalaniec"

Hello,

Good call on the "access-list 101 permit icmp x.x.54.0 0.0.1.255 any echo
(equivalent to your
two lines)"

My understanding is ICMP is not a subset of IP or anything with IP
protocol.
ICMP and IP both work at the network layer and are separate protocols. So
you would not need the "access-list 102 deny icmp any any  (may as well
block all other icmp)" or "access-list 102 deny icmp any any  (may as well
block all other icmp)" because the implicit deny at the end should take
care
of dropping the unwanted protocols. Please correct me if I am wrong.

What about udp and tcp protocols? The implicit deny would drop all
protocols
at the end.

Scott

-----Original Message-----
From: Gaz [mailto:[EMAIL PROTECTED]]
Sent: Monday, November 26, 2001 3:56 PM
To: [EMAIL PROTECTED]
Subject: Re: ACL Gurus [7:27361]


My view/guestimation only here, so anyone is welcome to pick holes in it:

I would apply 101 (the outgoing access list to the ethernet port). May as
well drop the rubbish before the router processes it.
I would also make it:

access-list 101 permit icmp x.x.54.0 0.0.1.255 any echo  (equivalent to
your
two lines)
access-list 101 deny icmp any any (denies all other icmp, otherwise your
next line allowed everything including icmp)
access-list 101 permit ip any any

I would apply 102 as you have on the serial interface, with slight change.

access-list 102 permit icmp any any echo-reply  (presumably as you allowed
echo outgoing, you want the replies)
access-list 102 deny icmp any any  (may as well block all other icmp)
access-list 102 permit ip any any

Of course this is just fictional to control icmp only.
I've changed it about 4 times, so I've no doubt it could take some more
changes.

Regards,

Gaz


"Matthew Tayler" [EMAIL PROTECTED] wrote in message
news:[EMAIL PROTECTED]...
> Ok I am a little confused here, but
>
> 1. What does access-list 101 actually deny ?
> 2. If you permit all ip are you not also allowing all tcp & udp ?
>
> Matt T
> Jeff wrote:
> >
> > Looking to block icmp-echo on my external router... just want
> > to double-check
> > that I'm putting these on the right interfaces. Please,
> > suggestions welcome!
> >
> > Cheers,
> > Jeff
> > access-list 101 permit icmp x.x.54.0 0.0.0.255 any echo
> >
> > access-list 101 permit icmp x.x.55.0 0.0.0.255 any echo
> >
> > *Permits internal network to ping any host
> >
> > access-list 101 permit ip any any
> >
> > *Permits any other traffic to and from the network. Need for
> > the explicit
> > deny
> >
> >
> >
> > access-list 102 permit icmp host x.x.x.x any echo-reply
> >
> > *Permits a ping reply from ISP servers for monitoring
> >
> > access-list 102 permit icmp any any packet-too-big
> >
> > *Permits Fragmentation Required ICMP packets (Used for MTU-PD)
> >
> > access-list 102 deny   icmp any any echo-reply
> >
> > deny any echo reply from any other sources
> >
> >
> >
> > access-list 102 deny   icmp any x.x.54.0 0.0.0.255 echo
> >
> > access-list 102 deny   icmp any x.x.55.0 0.0.0.255 echo
> >
> > deny any echo from any other sources
> >
> > access-list 102 permit ip any any
> >
> > *Permits any other traffic to and from the network. Needed due
> > to the
> > explicit deny rule.
> >
> >
> >
> > Both Access-list are applied to the Serial Interfaces of the
> > Edge router.
> > Access list 102 is assigned to inbound traffic and Access list
> > 101 is
> > assigned to outbound traffic. See below..
> >
> >
> >
> > Internet (same ISP, different BGP peers)
> >
> >
> >
> > S0/0               S0/1
> >
> >    \                      /
> >
> >     \                    /
> >
> >      \                  /
> >
> >       Edge Router
> >
> >               |
> >
> >            E0/0
> >
> >               |
> >
> >            FW
> >
> >               |
> >
> >            LAN
> >
> > x.x.54.0 and x.x.55.0 networks




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=27416&t=27361
--------------------------------------------------
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]