ok. For instance, to allow ping outbound, we would have one outbound ACL with:

access-list 101 permit icmp any any echo

and another inbound with:

access-list 102 permit icmp any any echo-reply

This would allow the responses to our outbound pings but stop anyone from the outside from initiating a ping to a device behind ACL 102. Does that sound correct?

Anthony Pace

"Gaz" wrote in message news:[EMAIL PROTECTED]...
> I don't think you will see the source as echo reply. By that, I mean that
> the echo reply will only be evident in the destination. The source could be
> any port.
> Remember ICMP is the odd protocol, which has to be allowed both ways through
> a firewall, because the reply is a totally separate session.
>
> If you telnet from A to B. The destination port is 23. In the reply from B
> to A 'source' port is 23.
> If you use ping though for example, from A to B. The destination will be
> echo. In the reply from B to A, the source will not be 'echo' it could be
> anything. The important part will be the destination port which is
> 'echo-reply'.
>
>
> Hope I haven't confused. Hope even more that I haven't errored.
>
>
> Gaz
>
>
> "Anthony Pace" wrote in message
> news:[EMAIL PROTECTED]...
> > for instance :
> >
> > access-list 101 permit icmp any host 207.122.1.5 echo
> > access-list 101 permit icmp host 207.122.2.3 any echo-reply
> >
> > but not
> >
> > access-list 101 permit icmp any echo-reply any
> >
> > Anthony Pace

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=42606&t=42606
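Added example, not part of the original thread: a small Python model of how the two lists in the post match ICMP by message type (echo is type 8, echo-reply is type 0), using first-match evaluation and the implicit deny. The parser covers only the `any` and `host` address forms that appear in the thread, and the inside and outside addresses are constructed sample values.

```python
from typing import NamedTuple, Optional

ICMP_TYPE = {"echo": 8, "echo-reply": 0}  # RFC 792 message type numbers

class Rule(NamedTuple):
    action: str
    src: Optional[str]        # None stands for "any"
    dst: Optional[str]
    icmp_type: Optional[int]  # None matches every ICMP type

def parse_entry(line: str) -> Rule:
    """Parse 'access-list N permit|deny icmp SRC DST [icmp-type]' (any / host A.B.C.D only)."""
    tok = line.split()
    if len(tok) < 6 or tok[0] != "access-list" or tok[3] != "icmp":
        raise ValueError(f"unsupported entry: {line}")
    rest, addrs = tok[4:], []
    for _ in range(2):  # source first, then destination
        if rest[:1] == ["any"]:
            addrs.append(None)
            rest = rest[1:]
        elif rest[:1] == ["host"] and len(rest) >= 2:
            addrs.append(rest[1])
            rest = rest[2:]
        else:
            raise ValueError(f"expected an address in: {line}")
    # Whatever is left must be a single ICMP type keyword, after the destination.
    if len(rest) > 1 or (rest and rest[0] not in ICMP_TYPE):
        raise ValueError(f"bad ICMP type in: {line}")
    return Rule(tok[2], addrs[0], addrs[1], ICMP_TYPE[rest[0]] if rest else None)

def check(acl, src: str, dst: str, icmp_type: int) -> str:
    """First matching entry wins; no match falls through to the implicit deny."""
    for r in acl:
        if r.src in (None, src) and r.dst in (None, dst) and r.icmp_type in (None, icmp_type):
            return r.action
    return "deny"

# The two lists from the post; the addresses below are constructed sample values.
ACL_101_OUT = [parse_entry("access-list 101 permit icmp any any echo")]
ACL_102_IN = [parse_entry("access-list 102 permit icmp any any echo-reply")]
INSIDE, OUTSIDE = "10.0.0.5", "192.0.2.9"

if __name__ == "__main__":
    print("ping leaving:       ", check(ACL_101_OUT, INSIDE, OUTSIDE, 8))
    print("its reply returning:", check(ACL_102_IN, OUTSIDE, INSIDE, 0))
    print("ping from outside:  ", check(ACL_102_IN, OUTSIDE, INSIDE, 8))
```

The match is stateless, so list 102 admits any echo-reply whether or not an echo went out first.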

