I knew that didn't sound right after I read it. Thank you for correcting me.
I checked it out by using a sniffer and the ICMP packet is encapsulated with
IP.

Thank you.

Scott

-----Original Message-----
From: Kent Hundley [mailto:[EMAIL PROTECTED]]
Sent: Monday, November 26, 2001 8:28 PM
To: [EMAIL PROTECTED]
Subject: RE: ACL Gurus [7:27361]


TCP, UDP, ICMP and any other IP protocols all require IP to perform layer 3
related functions.  In fact, any application, session, transport or other
layer software that is part of the TCP/IP suite uses IP for its layer 3
functions.  They are all "subsets" of an IP packet since they are layered on
top of IP in the protocol stack.  All TCP, UDP and ICMP packets are also IP
packets, just like all telnet packets are also TCP packets.

When you say "permit IP any any" that includes all TCP, UDP and ICMP
packets.  If you want to permit/deny TCP, UDP or ICMP packets individually,
you must do so explicitly and separately as the poster did in their original
acl since "permit IP" means "permit TCP, UDP, ICMP and any other upper layer
protocols that use IP like EIGRP, OSPF, etc. etc.".  Bottom line, the "deny
icmp any any" is needed because otherwise all ICMP packets would be
permitted by the next acl entry "permit ip any any".

-Kent

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
Scott Nawalaniec
Sent: Monday, November 26, 2001 4:30 PM
To: [EMAIL PROTECTED]
Subject: RE: ACL Gurus [7:27361]


Hello,

Good call on the "access-list 101 permit icmp x.x.54.0 0.0.1.255 any echo
(equivalent to your two lines)"

My understanding is ICMP is not a subset of IP or anything with IP protocol.
ICMP and IP both work at the network layer and are separate protocols. So
you would not need the "access-list 102 deny icmp any any  (may as well
block all other icmp)" or "access-list 102 deny icmp any any  (may as well
block all other icmp)" because the implicit deny at the end should take care
of dropping the unwanted protocols. Please correct me if I am wrong.

What about udp and tcp protocols? The implicit deny would drop all protocols
at the end.

Scott

-----Original Message-----
From: Gaz [mailto:[EMAIL PROTECTED]]
Sent: Monday, November 26, 2001 3:56 PM
To: [EMAIL PROTECTED]
Subject: Re: ACL Gurus [7:27361]


My view/guestimation only here, so anyone is welcome to pick holes in it:

I would apply 101 (the outgoing access list to the ethernet port). May as
well drop the rubbish before the router processes it.
I would also make it:

access-list 101 permit icmp x.x.54.0 0.0.1.255 any echo  (equivalent to your
two lines)
access-list 101 deny icmp any any (denies all other icmp, otherwise your
next line allowed everything including icmp)
access-list 101 permit ip any any

I would apply 102 as you have on the serial interface, with slight change.

access-list 102 permit icmp any any echo-reply  (presumably as you allowed
echo outgoing, you want the replies)
access-list 102 deny icmp any any  (may as well block all other icmp)
access-list 102 permit ip any any

Of course this is just fictional to control icmp only.
I've changed it about 4 times, so I've no doubt it could take some more
changes.

Regards,

Gaz


""Matthew Tayler""  wrote in message
[EMAIL PROTECTED]">news:[EMAIL PROTECTED]...
> Ok I am a little confused here, but
>
> 1. What does access-list 101 actually deny ?
> 2. If you permit all ip are you not also allowing all tcp & udp ?
>
> Matt T
> Jeff wrote:
> >
> > Looking to block icmp-echo on my external router... just want
> > to doublecheck
> > that I'm putting these on the right interfaces. Please,
> > suggestions welcome!
> >
> > Cheers,
> > Jeff
> > access-list 101 permit icmp x.x.54.0 0.0.0.255 any echo
> >
> > access-list 101 permit icmp x.x.55.0 0.0.0.255 any echo
> >
> > *Permits internal network to ping any host
> >
> > access-list 101 permit ip any any
> >
> > *Permits any other traffic to and from the network. Need for
> > the explicit
> > deny
> >
> >
> >
> > access-list 102 permit icmp host x.x.x.x any echo-reply
> >
> > *Permits a ping reply from ISP servers for monitoring
> >
> > access-list 102 permit icmp any any packet-too-big
> >
> > *Permits Fragmentation Required ICMP packets (Used for MTU-PD)
> >
> > access-list 102 deny   icmp any any echo-reply
> >
> > deny any echo reply from any other sources
> >
> >
> >
> > access-list 102 deny   icmp any x.x.54.0 0.0.0.255 echo
> >
> > access-list 102 deny   icmp any x.x.55.0 0.0.0.255 echo
> >
> > deny any echo from any other sources
> >
> > access-list 102 permit ip any any
> >
> > *Permits any other traffic to and from the network. Needed due
> > to the
> > explicit deny rule.
> >
> >
> >
> > Both Access-list are applied to the Serial Interfaces of the
> > Edge router.
> > Access list 102 is assigned to inbound traffic and Access list
> > 101 is
> > assigned to outbound traffic. See below..
> >
> >
> >
> > Internet (same ISP, different BGP peers)
> >
> >
> >
> > S0/0               S0/1
> >
> >    \                      /
> >
> >     \                    /
> >
> >      \                  /
> >
> >       Edge Router
> >
> >               |
> >
> >            E0/0
> >
> >               |
> >
> >            FW
> >
> >               |
> >
> >            LAN
> >
> > x.x.54.0 and x.x.55.0 networks




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=27434&t=27361
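The whole thread turns on two facts about IOS extended ACLs: entries are checked top-down and the first match wins, and "permit ip" matches every IP protocol, ICMP included, so a trailing "permit ip any any" (Jeff's original list) lets through any ICMP the earlier lines did not catch, while Gaz's version with "deny icmp any any" placed before it does not. The small evaluator below is an added example written for this page, not code from any poster or from IOS; it models first-match ACL evaluation with the implicit deny at the end, and runs Jeff's original outbound list next to Gaz's rewritten one over a few constructed packets. The x.x.54.0/x.x.55.0 networks from the thread are replaced by the constructed 10.0.54.0/23, and 198.51.100.1 is a constructed external host.

```python
"""Cisco-style extended ACL evaluator (added example, not the thread's own code).

Models: top-down evaluation, first match wins, implicit deny at the end,
"ip" matching every IP protocol, and optional ICMP type matching.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass
class Packet:
    proto: str                       # "tcp", "udp", "icmp", "ospf", ...
    src: str
    dst: str
    icmp_type: Optional[str] = None  # "echo", "echo-reply", "packet-too-big", ...


@dataclass
class Ace:
    action: str                      # "permit" or "deny"
    proto: str                       # "ip" matches every IP protocol
    src: Tuple[int, int]             # (network, wildcard) as 32-bit ints
    dst: Tuple[int, int]
    icmp_type: Optional[str]
    text: str                        # the original line, for reporting


def _addr(s: str) -> int:
    return int(ipaddress.IPv4Address(s))


def _parse_spec(tokens, i):
    """Parse one address spec: 'any' | 'host A' | 'A W' (wildcard mask)."""
    if tokens[i] == "any":
        return (0, 0xFFFFFFFF), i + 1
    if tokens[i] == "host":
        return (_addr(tokens[i + 1]), 0), i + 2
    return (_addr(tokens[i]), _addr(tokens[i + 1])), i + 2


def parse_acl(text: str):
    """Parse 'access-list N permit|deny PROTO SRC DST [ICMP-TYPE]' lines."""
    aces = []
    for line in text.strip().splitlines():
        line = line.split("!")[0].strip()   # drop IOS-style comments
        if not line:
            continue
        t = line.split()
        if t[0] != "access-list":
            raise ValueError("unsupported line: " + line)
        action, proto = t[2].lower(), t[3].lower()
        src, i = _parse_spec(t, 4)
        dst, i = _parse_spec(t, i)
        icmp_type = t[i].lower() if i < len(t) else None
        aces.append(Ace(action, proto, src, dst, icmp_type, line))
    return aces


def _match_addr(addr: str, spec: Tuple[int, int]) -> bool:
    # Bits set in the wildcard are "don't care".
    net, wild = spec
    return (_addr(addr) | wild) == (net | wild)


def evaluate(aces, pkt: Packet):
    """Return (action, matching line). Falls through to the implicit deny."""
    for ace in aces:
        if ace.proto != "ip" and ace.proto != pkt.proto:
            continue                      # "ip" covers tcp, udp, icmp, ospf, ...
        if not (_match_addr(pkt.src, ace.src) and _match_addr(pkt.dst, ace.dst)):
            continue
        if ace.proto == "icmp" and ace.icmp_type and ace.icmp_type != pkt.icmp_type:
            continue                      # a typed icmp entry matches only that type
        return ace.action, ace.text
    return "deny", "implicit deny"


# Constructed stand-ins for the thread's lists (x.x.54.0/55.0 -> 10.0.54.0/23).
ACL_ORIGINAL = """
access-list 101 permit icmp 10.0.54.0 0.0.0.255 any echo
access-list 101 permit icmp 10.0.55.0 0.0.0.255 any echo
access-list 101 permit ip any any
"""

ACL_GAZ = """
access-list 101 permit icmp 10.0.54.0 0.0.1.255 any echo
access-list 101 deny icmp any any
access-list 101 permit ip any any
"""


def demo():
    """Run both lists over constructed outbound packets; returns {name: action}."""
    orig, gaz = parse_acl(ACL_ORIGINAL), parse_acl(ACL_GAZ)
    pkts = {
        "echo from inside":       Packet("icmp", "10.0.55.20", "198.51.100.1", "echo"),
        "echo-reply from inside": Packet("icmp", "10.0.55.20", "198.51.100.1", "echo-reply"),
        "tcp from inside":        Packet("tcp", "10.0.54.10", "198.51.100.1"),
    }
    results = {}
    for name, p in pkts.items():
        results["original/" + name] = evaluate(orig, p)[0]
        results["gaz/" + name] = evaluate(gaz, p)[0]
    return results


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k:35s} {v}")
```

The echo-reply case is the one Kent describes: under the original list it falls through the two echo entries and is permitted by "permit ip any any", while Gaz's "deny icmp any any" catches it first. The implicit deny only helps once nothing above it matches, which is exactly what a trailing "permit ip any any" prevents.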
--------------------------------------------------
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
