Sounds like a good approach. I tried to find a paper at Cisco's site that has recommendations with regard to security, ICMP, and access lists, and couldn't find one. I hate being thwarted like this! ;-) Anyone have a URL?
Thanks,
Priscilla

Brian wrote:
>
> There are a ton of ICMP message types; the block is likely preventing you
> from getting some errors. A former coworker had a good idea that went like
> this, in this order.
>
> Permit all icmp from trusted monitoring hosts
> deny icmp echo/echo-request from all
> permit icmp from all
>
> It's a middle-of-the-road approach, and some folks will tell you it's too
> open. But, I happen to believe that receiving and processing ICMP errors is
> better than putting them in the bit bucket.
>
> Brian
>
> ----- Original Message -----
> From: "ramesh c"
> To:
> Sent: Wednesday, January 08, 2003 5:32 AM
> Subject: icmp messages [7:60602]
>
> > I got an access list as follows on my router
> >
> > access-list 100 permit icmp host any host xyz ttl-exceed
> > access-list 100 deny icmp any any
> >
> > When I do a traceroute from host xyz, I get a reply only from some hosts.
> > The hit counts on "deny icmp" increase. The access-group is applied "in".
> >
> > Am I missing any other ICMP messages? Is there a way to allow all ICMP
> > messages for the host?
> >
> > Cheers

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=60624&t=60602
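To make the ordering argument in the thread concrete, here is an added example (not code from any poster on the list) that simulates first-match ACL evaluation against the ICMP messages a traceroute from host xyz actually depends on: TTL-exceeded from each intermediate hop (type 11), port-unreachable from the destination of a UDP traceroute (type 3, code 3), and echo-reply from the destination of an ICMP-echo traceroute (type 0). It compares the two-line list from the original question with Brian's layered ordering. The rule format (a single host or "any", no wildcard masks) and all addresses are simplifications constructed for the illustration, not Cisco syntax.

```python
"""Simulate Cisco-style first-match ICMP access lists against the replies
a traceroute needs. Added example; rule format and addresses are constructed."""

from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

IcmpMsg = Tuple[int, int]  # (type, code) as defined in RFC 792

# ICMP messages involved in a traceroute (real type/code values)
TTL_EXCEEDED: IcmpMsg = (11, 0)     # sent by every intermediate hop
PORT_UNREACHABLE: IcmpMsg = (3, 3)  # sent by the destination of a UDP traceroute
ECHO_REPLY: IcmpMsg = (0, 0)        # sent by the destination of an ICMP-echo traceroute
ECHO_REQUEST: IcmpMsg = (8, 0)      # the probe an ICMP-echo traceroute or ping sweep sends


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    icmp: IcmpMsg


@dataclass(frozen=True)
class Rule:
    action: str                       # "permit" or "deny"
    src: str                          # "any" or one host address (simplified, hypothetical form)
    dst: str
    icmp: Optional[IcmpMsg] = None    # None matches every ICMP type/code


def _addr_matches(pattern: str, addr: str) -> bool:
    return pattern == "any" or pattern == addr


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    return (_addr_matches(rule.src, pkt.src)
            and _addr_matches(rule.dst, pkt.dst)
            and (rule.icmp is None or rule.icmp == pkt.icmp))


def evaluate(acl: List[Rule], pkt: Packet) -> str:
    """First matching entry wins; every access list ends in an implicit deny."""
    for rule in acl:
        if rule_matches(rule, pkt):
            return rule.action
    return "deny"


def original_acl(xyz: str) -> List[Rule]:
    """The list from the original question: only TTL-exceeded toward xyz gets through."""
    return [
        Rule("permit", "any", xyz, TTL_EXCEEDED),
        Rule("deny", "any", "any"),
    ]


def layered_acl(trusted_monitors: List[str]) -> List[Rule]:
    """Brian's ordering: trusted monitors first, then drop echo-request from
    everyone else, then permit the remaining ICMP (errors included)."""
    acl = [Rule("permit", host, "any") for host in trusted_monitors]
    acl.append(Rule("deny", "any", "any", ECHO_REQUEST))
    acl.append(Rule("permit", "any", "any"))
    return acl


def traceroute_verdicts(acl: List[Rule], xyz: str, hop: str, dest: str) -> Dict[str, str]:
    """Verdict for each reply a traceroute run from xyz needs to receive."""
    replies = {
        "ttl-exceeded from hop": Packet(hop, xyz, TTL_EXCEEDED),
        "port-unreachable from destination": Packet(dest, xyz, PORT_UNREACHABLE),
        "echo-reply from destination": Packet(dest, xyz, ECHO_REPLY),
    }
    return {name: evaluate(acl, pkt) for name, pkt in replies.items()}


if __name__ == "__main__":
    # Constructed documentation addresses (RFC 5737 ranges), not real hosts
    XYZ, HOP, DEST, MONITOR = "192.0.2.10", "198.51.100.1", "203.0.113.5", "192.0.2.20"
    for label, acl in (("original", original_acl(XYZ)), ("layered", layered_acl([MONITOR]))):
        print(label, traceroute_verdicts(acl, XYZ, HOP, DEST))
```

Running it shows why the original list answers only some hops: the intermediate hops' TTL-exceeded messages are permitted, but the destination's final reply (port-unreachable or echo-reply, depending on the traceroute flavour) hits the deny line, which is exactly the counter ramesh saw incrementing. The layered list permits those error messages while still dropping inbound echo-request from anyone who is not a trusted monitor.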

