RE: ACL Gurus [7:27361]
Hi Anil,

To the best of my knowledge and without looking it up at www.cisco.com, I think if you put log on the end of an access-list statement it will send the log to the syslog server. I don't know if that is true in all cases. I like to keep my routers streamlined, i.e. unnecessary services and buffers turned off =)

OUTPUT from show log:

Admin_3662#sh log
Syslog logging: enabled (0 messages dropped, 0 flushes, 0 overruns)
    Console logging: level debugging, 723 messages logged
    Monitor logging: level debugging, 0 messages logged
    Buffer logging: disabled
    Trap logging: level debugging, 727 message lines logged
        Logging to X.X.X.X, 727 message lines logged

HTH,
Scott

-Original Message-
From: anil [mailto:[EMAIL PROTECTED]]
Sent: Friday, December 07, 2001 12:58 PM
To: Scott Nawalaniec
Subject: RE: ACL Gurus [7:27361]

Scott,

If I add an access list with [log] at the end, can I expect to see the log by typing:

show log

At the moment I see nothing. I am trying to catch snmp traffic, using snmpwalk, port 161, 162. If I do debug snmp packets then I can see some logs.

Many thanks
-Anil

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Scott Nawalaniec
Sent: Tuesday, November 27, 2001 5:41 PM
To: [EMAIL PROTECTED]
Subject: RE: ACL Gurus [7:27361]

Thanx for the info and the verification.

Scott

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Monday, November 26, 2001 7:25 PM
To: [EMAIL PROTECTED]
Subject: RE: ACL Gurus [7:27361]

> My understanding is ICMP is not a subset of IP or anything with IP protocol. ICMP and IP both work at the network layer and are separate protocols.

Bzzt. You are the weakest link. Goodbye ;-)

ICMP is IP protocol 1 (TCP is 6, UDP is 17). ICMP stands for Internet Control Message Protocol, which is a bit of a hint that it might be related to IP (although hardly strong evidence).
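Editor's added example, not part of any message in this thread. Two things decide whether Anil sees anything: the log keyword makes the router emit %SEC-6-IPACCESSLOGP (tcp/udp, with ports) and %SEC-6-IPACCESSLOGDP (icmp, with type/code) syslog messages at severity 6 (informational), so a logging destination only receives them if its level is informational or debugging; and show logging only displays messages that were buffered, so with "Buffer logging: disabled" (as in Scott's output above) the messages go to the trap host only and the local command shows nothing but counters. The script below parses such messages from a syslog file and totals the SNMP (udp/161 and 162) hits. The sample lines are constructed in the shape of those IOS messages, and every address in them is an assumption.

```python
"""Editor's added example (not from the thread): parse the syslog messages IOS emits for
ACL entries that end in 'log' and total the SNMP hits. Sample lines are constructed in
the shape of %SEC-6-IPACCESSLOGP / %SEC-6-IPACCESSLOGDP messages; addresses are assumptions."""
import re
from collections import Counter

SAMPLE_LOG = """\
Dec  7 12:58:01: %SEC-6-IPACCESSLOGP: list 102 permitted udp 192.0.2.10(161) -> 10.0.54.7(1026), 1 packet
Dec  7 12:58:07: %SEC-6-IPACCESSLOGP: list 102 denied udp 203.0.113.5(1027) -> 10.0.54.20(161), 1 packet
Dec  7 12:58:09: %SEC-6-IPACCESSLOGDP: list 102 denied icmp 203.0.113.5 -> 10.0.54.20 (8/0), 1 packet
Dec  7 12:58:31: %SEC-6-IPACCESSLOGDP: list 102 permitted icmp 192.0.2.1 -> 10.0.54.7 (0/0), 1 packet
Dec  7 12:59:00: %SYS-5-CONFIG_I: Configured from console by vty0 (10.0.54.7)
Dec  7 13:03:07: %SEC-6-IPACCESSLOGP: list 102 denied udp 203.0.113.5(1027) -> 10.0.54.20(161), 9 packets
Dec  7 13:03:08: %SEC-6-IPACCESSLOGP: list 102 denied udp 203.0.113.5(1030) -> 10.0.54.20(162), 1 packet
"""

# tcp/udp lines carry (port) after each address; icmp lines carry (type/code) after the pair.
LINE_RE = re.compile(
    r"%SEC-6-IPACCESSLOG(?:P|DP): list (?P<acl>\S+) (?P<action>permitted|denied) (?P<proto>\w+) "
    r"(?P<src>[\d.]+)(?:\((?P<sport>\d+)\))? -> (?P<dst>[\d.]+)(?:\((?P<dport>\d+)\))?"
    r"(?: \((?P<itype>\d+)/(?P<icode>\d+)\))?, (?P<count>\d+) packets?"
)
SNMP_PORTS = (161, 162)

def parse_acl_log(text: str) -> list:
    """One dict per ACL log message; other syslog lines (like the CONFIG_I one) are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        r = m.groupdict()
        for k in ("sport", "dport", "itype", "icode", "count"):
            r[k] = int(r[k]) if r[k] is not None else None
        records.append(r)
    return records

def snmp_hits(records: list) -> Counter:
    """Packets per (action, src, dst) for UDP to or from the SNMP ports (snmpwalk replies come from 161)."""
    hits = Counter()
    for r in records:
        if r["proto"] == "udp" and (r["dport"] in SNMP_PORTS or r["sport"] in SNMP_PORTS):
            hits[(r["action"], r["src"], r["dst"])] += r["count"]
    return hits

def denied_by_source(records: list) -> Counter:
    """Total denied packets per source address across all protocols."""
    totals = Counter()
    for r in records:
        if r["action"] == "denied":
            totals[r["src"]] += r["count"]
    return totals

if __name__ == "__main__":
    recs = parse_acl_log(SAMPLE_LOG)
    for (action, src, dst), n in sorted(snmp_hits(recs).items()):
        print(f"{action:9} {src:>13} -> {dst:<12} {n} packet(s)")
    print("denied by source:", dict(denied_by_source(recs)))
```

The counts matter more than the number of lines: the router reports the first packet that matches a log entry immediately and then accumulates further matches into the packet count over 5-minute intervals by default (the "9 packets" line), so compare totals against what snmpwalk actually sent.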
Re: ACL Gurus [7:27361]
Try enabling the interface configuration command ip accounting access-violations. This will log source/destination pairs which fail the access-list on the interface.

Scott Nawalaniec wrote in message news:[EMAIL PROTECTED]...

Hi Anil,

To the best of my knowledge and without looking it up at www.cisco.com, I think if you put log on the end of an access-list statement it will send the log to the syslog server. I don't know if that is true in all cases. I like to keep my routers streamlined, i.e. unnecessary services and buffers turned off =)

OUTPUT from show log:

Admin_3662#sh log
Syslog logging: enabled (0 messages dropped, 0 flushes, 0 overruns)
    Console logging: level debugging, 723 messages logged
    Monitor logging: level debugging, 0 messages logged
    Buffer logging: disabled
    Trap logging: level debugging, 727 message lines logged
        Logging to X.X.X.X, 727 message lines logged

HTH,
Scott

-Original Message-
From: anil [mailto:[EMAIL PROTECTED]]
Sent: Friday, December 07, 2001 12:58 PM
To: Scott Nawalaniec
Subject: RE: ACL Gurus [7:27361]

Scott,

If I add an access list with [log] at the end, can I expect to see the log by typing:

show log

At the moment I see nothing. I am trying to catch snmp traffic, using snmpwalk, port 161, 162. If I do debug snmp packets then I can see some logs.

Many thanks
-Anil

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Scott Nawalaniec
Sent: Tuesday, November 27, 2001 5:41 PM
To: [EMAIL PROTECTED]
Subject: RE: ACL Gurus [7:27361]

Thanx for the info and the verification.

Scott

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Monday, November 26, 2001 7:25 PM
To: [EMAIL PROTECTED]
Subject: RE: ACL Gurus [7:27361]

> My understanding is ICMP is not a subset of IP or anything with IP protocol. ICMP and IP both work at the network layer and are separate protocols.

Bzzt. You are the weakest link. Goodbye ;-)

ICMP is IP protocol 1 (TCP is 6, UDP is 17).
RE: ACL Gurus [7:27361]
I knew that didn't sound right after I read it. Thank you for correcting me. I checked it out by using a sniffer and the ICMP packet is encapsulated with IP. Thank you.

Scott

-Original Message-
From: Kent Hundley [mailto:[EMAIL PROTECTED]]
Sent: Monday, November 26, 2001 8:28 PM
To: [EMAIL PROTECTED]
Subject: RE: ACL Gurus [7:27361]

TCP, UDP, ICMP and any other IP protocols all require IP to perform layer 3 related functions. In fact, any application, session, transport or other layer software that is part of the TCP/IP suite uses IP for its layer 3 functions. They are all subsets of an IP packet since they are layered on top of IP in the protocol stack. All TCP, UDP and ICMP packets are also IP packets, just like all telnet packets are also TCP packets.

When you say permit IP any any that includes all TCP, UDP and ICMP packets. If you want to permit/deny TCP, UDP or ICMP packets individually, you must do so explicitly and separately as the poster did in their original acl since permit IP means permit TCP, UDP, ICMP and any other upper layer protocols that use IP like EIGRP, OSPF, etc. etc..

Bottom line, the deny icmp any any is needed because otherwise all ICMP packets would be permitted by the next acl entry permit ip any any.

-Kent

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Scott Nawalaniec
Sent: Monday, November 26, 2001 4:30 PM
To: [EMAIL PROTECTED]
Subject: RE: ACL Gurus [7:27361]

Hello,

Good call on the

access-list 101 permit icmp x.x.54.0 0.0.1.255 any echo (equivalent to your two lines)

My understanding is ICMP is not a subset of IP or anything with IP protocol. ICMP and IP both work at the network layer and are separate protocols. So you would not need the

access-list 102 deny icmp any any (may as well block all other icmp)

or

access-list 102 deny icmp any any (may as well block all other icmp)

because the implicit deny at the end should take care of dropping the unwanted protocols. Please correct me if I am wrong.
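Editor's added example, not from any message in the thread. Kent's and JMcL's point, and what Scott's sniffer showed, in bytes: an ICMP echo request is the payload of an IPv4 datagram whose protocol field is 1, and that protocol field is all an entry like permit ip any any needs to match. The code builds such a datagram, decodes it the way a sniffer or an ACL would, and verifies both checksums. The addresses (10.0.54.7 for a LAN host, 203.0.113.9 for the ISP monitoring host) are assumptions and the packet is constructed.

```python
"""Editor's added example (not from the thread): an ICMP echo request inside an IPv4
datagram, built and decoded by hand. Addresses are assumptions."""
import struct

PROTO_NAMES = {1: "icmp", 6: "tcp", 17: "udp"}   # values of the IPv4 protocol field

def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit words; IPv4 headers and ICMP both use it."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def _aton(addr: str) -> bytes:
    return bytes(int(o) for o in addr.split("."))

def build_icmp(icmp_type: int, code: int, ident: int, seq: int, payload: bytes) -> bytes:
    """ICMP: type, code, checksum, identifier, sequence, data; the checksum covers all of it."""
    hdr = struct.pack("!BBHHH", icmp_type, code, 0, ident, seq)
    return struct.pack("!BBHHH", icmp_type, code, inet_checksum(hdr + payload), ident, seq) + payload

def build_ipv4(src: str, dst: str, proto: int, payload: bytes, ttl: int = 64) -> bytes:
    """20-byte IPv4 header (no options) ahead of the payload; the checksum covers the header only."""
    f = [0x45, 0, 20 + len(payload), 0x1234, 0x4000, ttl, proto, 0, _aton(src), _aton(dst)]
    f[7] = inet_checksum(struct.pack("!BBHHHBBH4s4s", *f))
    return struct.pack("!BBHHHBBH4s4s", *f) + payload

def decode(pkt: bytes) -> dict:
    """The fields a sniffer shows and an extended ACL tests: protocol, addresses, ICMP type/code."""
    ihl = (pkt[0] & 0x0F) * 4
    proto = pkt[9]
    out = {
        "proto": proto,
        "proto_name": PROTO_NAMES.get(proto, str(proto)),
        "src": ".".join(map(str, pkt[12:16])),
        "dst": ".".join(map(str, pkt[16:20])),
        "ip_checksum_ok": inet_checksum(pkt[:ihl]) == 0,   # a correct header sums to zero
    }
    if proto == 1:
        body = pkt[ihl:]
        out["icmp_type"], out["icmp_code"] = body[0], body[1]
        out["icmp_checksum_ok"] = inet_checksum(body) == 0
    return out

def acl_protocol_matches(keyword: str, pkt: bytes) -> bool:
    """Protocol test of an ACL entry: 'ip' matches any datagram, other keywords compare the field."""
    return keyword == "ip" or PROTO_NAMES.get(decode(pkt)["proto"]) == keyword

# Constructed packet: a LAN host (10.0.54.7) pings the ISP monitoring host (203.0.113.9).
ECHO_REQUEST = build_ipv4("10.0.54.7", "203.0.113.9", 1, build_icmp(8, 0, 0xBEEF, 1, b"abcdefgh"))

if __name__ == "__main__":
    print(ECHO_REQUEST.hex())
    print(decode(ECHO_REQUEST))
    for kw in ("ip", "icmp", "tcp"):
        print(f"permit {kw:4} any any matches this packet: {acl_protocol_matches(kw, ECHO_REQUEST)}")
```

Byte 9 of the header is the protocol field; swapping the ICMP payload for a TCP or UDP segment changes only that byte and the payload, which is why a filter keyed on "ip" cannot tell them apart and a filter keyed on "icmp" can.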
RE: ACL Gurus [7:27361]
Thanx for the info and the verification.

Scott

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Monday, November 26, 2001 7:25 PM
To: [EMAIL PROTECTED]
Subject: RE: ACL Gurus [7:27361]

> My understanding is ICMP is not a subset of IP or anything with IP protocol. ICMP and IP both work at the network layer and are separate protocols.

Bzzt. You are the weakest link. Goodbye ;-)

ICMP is IP protocol 1 (TCP is 6, UDP is 17). ICMP stands for Internet Control Message Protocol, which is a bit of a hint that it might be related to IP (although hardly strong evidence). According to TCP/IP Illustrated (Stevens), ICMP is often considered part of the IP layer, so you're correct there, but ICMP messages are transmitted within IP datagrams, so your permit ip any any will permit ICMP.

And anyway, I use permit ip any any to define interesting traffic on some dialup links, and I can bring up the links with a well-directed ping. So I know IP includes ICMP ;-)

JMcL

----- Forwarded by Jenny Mcleod/NSO/CSDA on 27/11/2001 02:09 pm -----

Scott Nawalaniec
Sent by: nobody@groupstudy.com
27/11/2001 11:29 am
Please respond to Scott Nawalaniec
To: [EMAIL PROTECTED]
Subject: RE: ACL Gurus [7:27361]

Hello,

Good call on the

access-list 101 permit icmp x.x.54.0 0.0.1.255 any echo (equivalent to your two lines)

My understanding is ICMP is not a subset of IP or anything with IP protocol. ICMP and IP both work at the network layer and are separate protocols. So you would not need the

access-list 102 deny icmp any any (may as well block all other icmp)

or

access-list 102 deny icmp any any (may as well block all other icmp)

because the implicit deny at the end should take care of dropping the unwanted protocols. Please correct me if I am wrong.

What about udp and tcp protocols? The implicit deny would drop all protocols at the end.
ACL Gurus [7:27361]
Looking to block icmp-echo on my external router... just want to double-check that I'm putting these on the right interfaces. Please, suggestions welcome!

Cheers,
Jeff

access-list 101 permit icmp x.x.54.0 0.0.0.255 any echo
access-list 101 permit icmp x.x.55.0 0.0.0.255 any echo
*Permits internal network to ping any host
access-list 101 permit ip any any
*Permits any other traffic to and from the network. Need for the explicit deny

access-list 102 permit icmp host x.x.x.x any echo-reply
*Permits a ping reply from ISP servers for monitoring
access-list 102 permit icmp any any packet-too-big
*Permits Fragmentation Required ICMP packets (used for MTU-PD)
access-list 102 deny icmp any any echo-reply
*Deny any echo reply from any other sources
access-list 102 deny icmp any x.x.54.0 0.0.0.255 echo
access-list 102 deny icmp any x.x.55.0 0.0.0.255 echo
*Deny any echo from any other sources
access-list 102 permit ip any any
*Permits any other traffic to and from the network. Needed due to the explicit deny rule.

Both access-lists are applied to the serial interfaces of the edge router. Access list 102 is assigned to inbound traffic and access list 101 is assigned to outbound traffic. See below..

        Internet (same ISP, different BGP peers)
            S0/0                S0/1
               \                /
                \              /
                 \            /
                  Edge Router
                       |
                     E0/0
                       |
                      FW
                       |
                      LAN   x.x.54.0 and x.x.55.0 networks

Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=27361&t=27361
--
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
FW: ACL Gurus [7:27361]
Hey Jeff,

In access-list 102 I think you will have to allow echo reply from any network going to x.x.54.0 and x.x.55.0 or you will not be able to ping any host on the internet. I see that you have echo reply from

access-list 102 permit icmp host x.x.x.x any echo-reply

If this is the only machine you want an echo reply from then disregard previous statement.

On access-list 101, you are not allowing tcp or udp going outbound? What will do your transport layer stuff?

Don't know if this helps. Might even confuse you more..

Scott

-Original Message-
From: Jeff [mailto:[EMAIL PROTECTED]]
Sent: Monday, November 26, 2001 11:34 AM
To: [EMAIL PROTECTED]
Subject: ACL Gurus [7:27361]

Looking to block icmp-echo on my external router... just want to double-check that I'm putting these on the right interfaces. Please, suggestions welcome!

Cheers,
Jeff

access-list 101 permit icmp x.x.54.0 0.0.0.255 any echo
access-list 101 permit icmp x.x.55.0 0.0.0.255 any echo
*Permits internal network to ping any host
access-list 101 permit ip any any
*Permits any other traffic to and from the network. Need for the explicit deny

access-list 102 permit icmp host x.x.x.x any echo-reply
*Permits a ping reply from ISP servers for monitoring
access-list 102 permit icmp any any packet-too-big
*Permits Fragmentation Required ICMP packets (used for MTU-PD)
access-list 102 deny icmp any any echo-reply
*Deny any echo reply from any other sources
access-list 102 deny icmp any x.x.54.0 0.0.0.255 echo
access-list 102 deny icmp any x.x.55.0 0.0.0.255 echo
*Deny any echo from any other sources
access-list 102 permit ip any any
*Permits any other traffic to and from the network. Needed due to the explicit deny rule.

Both access-lists are applied to the serial interfaces of the edge router. Access list 102 is assigned to inbound traffic and access list 101 is assigned to outbound traffic. See below..

        Internet (same ISP, different BGP peers)
            S0/0                S0/1
               \                /
                \              /
                 \            /
                  Edge Router
                       |
                     E0/0
                       |
                      FW
                       |
                      LAN   x.x.54.0 and x.x.55.0 networks

Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=27375&t=27361
RE: ACL Gurus [7:27361]
Ok I am a little confused here, but

1. What does access-list 101 actually deny?
2. If you permit all ip are you not also allowing all tcp udp?

Matt T

Jeff wrote:

Looking to block icmp-echo on my external router... just want to double-check that I'm putting these on the right interfaces. Please, suggestions welcome!

Cheers,
Jeff

access-list 101 permit icmp x.x.54.0 0.0.0.255 any echo
access-list 101 permit icmp x.x.55.0 0.0.0.255 any echo
*Permits internal network to ping any host
access-list 101 permit ip any any
*Permits any other traffic to and from the network. Need for the explicit deny

access-list 102 permit icmp host x.x.x.x any echo-reply
*Permits a ping reply from ISP servers for monitoring
access-list 102 permit icmp any any packet-too-big
*Permits Fragmentation Required ICMP packets (used for MTU-PD)
access-list 102 deny icmp any any echo-reply
*Deny any echo reply from any other sources
access-list 102 deny icmp any x.x.54.0 0.0.0.255 echo
access-list 102 deny icmp any x.x.55.0 0.0.0.255 echo
*Deny any echo from any other sources
access-list 102 permit ip any any
*Permits any other traffic to and from the network. Needed due to the explicit deny rule.

Both access-lists are applied to the serial interfaces of the edge router. Access list 102 is assigned to inbound traffic and access list 101 is assigned to outbound traffic. See below..

        Internet (same ISP, different BGP peers)
            S0/0                S0/1
               \                /
                \              /
                 \            /
                  Edge Router
                       |
                     E0/0
                       |
                      FW
                       |
                      LAN   x.x.54.0 and x.x.55.0 networks

Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=27392&t=27361
Re: ACL Gurus [7:27361]
My view/guesstimation only here, so anyone is welcome to pick holes in it:

I would apply 101 (the outgoing access list) to the ethernet port. May as well drop the rubbish before the router processes it. I would also make it:

access-list 101 permit icmp x.x.54.0 0.0.1.255 any echo
(equivalent to your two lines)
access-list 101 deny icmp any any
(denies all other icmp, otherwise your next line allowed everything including icmp)
access-list 101 permit ip any any

I would apply 102 as you have on the serial interface, with slight change.

access-list 102 permit icmp any any echo-reply
(presumably as you allowed echo outgoing, you want the replies)
access-list 102 deny icmp any any
(may as well block all other icmp)
access-list 102 permit ip any any

Of course this is just fictional to control icmp only. I've changed it about 4 times, so I've no doubt it could take some more changes.

Regards,
Gaz

Matthew Tayler wrote in message news:[EMAIL PROTECTED]...

Ok I am a little confused here, but

1. What does access-list 101 actually deny?
2. If you permit all ip are you not also allowing all tcp udp?

Matt T

Jeff wrote:

Looking to block icmp-echo on my external router... just want to double-check that I'm putting these on the right interfaces. Please, suggestions welcome!

Cheers,
Jeff

access-list 101 permit icmp x.x.54.0 0.0.0.255 any echo
access-list 101 permit icmp x.x.55.0 0.0.0.255 any echo
*Permits internal network to ping any host
access-list 101 permit ip any any
*Permits any other traffic to and from the network. Need for the explicit deny

access-list 102 permit icmp host x.x.x.x any echo-reply
*Permits a ping reply from ISP servers for monitoring
access-list 102 permit icmp any any packet-too-big
*Permits Fragmentation Required ICMP packets (used for MTU-PD)
access-list 102 deny icmp any any echo-reply
*Deny any echo reply from any other sources
access-list 102 deny icmp any x.x.54.0 0.0.0.255 echo
access-list 102 deny icmp any x.x.55.0 0.0.0.255 echo
*Deny any echo from any other sources
access-list 102 permit ip any any
*Permits any other traffic to and from the network. Needed due to the explicit deny rule.

Both access-lists are applied to the serial interfaces of the edge router. Access list 102 is assigned to inbound traffic and access list 101 is assigned to outbound traffic. See below..

        Internet (same ISP, different BGP peers)
            S0/0                S0/1
               \                /
                \              /
                 \            /
                  Edge Router
                       |
                     E0/0
                       |
                      FW
                       |
                      LAN   x.x.54.0 and x.x.55.0 networks

Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=27396&t=27361
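Editor's added example, not from any message in the thread: a first-match evaluator for numbered extended ACLs, run over Jeff's original lists and Gaz's rewrite, so the ordering argument above can be checked packet by packet. It handles wildcard masks (including Gaz's 0.0.1.255 summary of the two /24s), the ICMP type keywords used in the thread, the "ip" keyword matching every protocol number, and the implicit deny that applies only when no entry matches. 10.0.54.0 and 10.0.55.0 stand in for x.x.54.0 and x.x.55.0, 203.0.113.9 for the ISP monitoring host and 198.51.100.1 for an Internet host; all of these are assumptions and the test packets are constructed.

```python
"""Editor's added example (not from the thread): first-match evaluation of IOS-style
extended ACLs. Address assumptions: 10.0.54.0/10.0.55.0 stand in for x.x.54.0/x.x.55.0,
203.0.113.9 for the ISP monitoring host x.x.x.x, 198.51.100.1 for an Internet host."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

PROTO_NUMBER = {"icmp": 1, "tcp": 6, "udp": 17}
# ICMP keywords used in the thread -> (type, code); code None means any code.
ICMP_KEYWORD = {"echo": (8, None), "echo-reply": (0, None), "packet-too-big": (3, 4)}

@dataclass
class Packet:
    proto: int                   # IP protocol field: 1 = ICMP, 6 = TCP, 17 = UDP
    src: str
    dst: str
    icmp_type: Optional[int] = None
    icmp_code: int = 0

@dataclass
class Entry:
    action: str                  # "permit" | "deny"
    proto: str                   # "ip" | "icmp" | "tcp" | "udp"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    icmp: Optional[Tuple[int, Optional[int]]] = None

def _parse_addr(tokens: List[str]):
    """Consume 'any' | 'host A' | 'A WILDCARD' and return (network, remaining tokens)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    # Cisco wildcard: 0 bits must match, 1 bits are don't-care, i.e. an inverted netmask.
    mask = ipaddress.ip_address(0xFFFFFFFF ^ int(ipaddress.ip_address(tokens[1])))
    return ipaddress.ip_network(f"{tokens[0]}/{mask}", strict=False), tokens[2:]

def parse_acl(text: str) -> dict:
    """Group 'access-list N permit|deny PROTO SRC DST [ICMP-KEYWORD]' lines by list number."""
    acls: dict = {}
    for line in text.splitlines():
        t = line.split()
        if len(t) < 6 or t[0] != "access-list":
            continue
        src, rest = _parse_addr(t[4:])
        dst, rest = _parse_addr(rest)
        icmp = ICMP_KEYWORD[rest[0]] if rest and t[3] == "icmp" else None
        acls.setdefault(t[1], []).append(Entry(t[2], t[3], src, dst, icmp))
    return acls

def evaluate(entries: List[Entry], pkt: Packet):
    """Return (action, 1-based index of the matching entry); ('deny', None) is the implicit deny."""
    for i, e in enumerate(entries, 1):
        if e.proto != "ip" and PROTO_NUMBER[e.proto] != pkt.proto:
            continue             # 'ip' matches every IP protocol number, ICMP included
        if ipaddress.ip_address(pkt.src) not in e.src or ipaddress.ip_address(pkt.dst) not in e.dst:
            continue
        if e.icmp is not None:
            typ, code = e.icmp
            if pkt.icmp_type != typ or (code is not None and pkt.icmp_code != code):
                continue
        return e.action, i
    return "deny", None

def verdict(acl_text: str, list_no: str, pkt: Packet) -> str:
    return evaluate(parse_acl(acl_text)[list_no], pkt)[0]

JEFF = """
access-list 101 permit icmp 10.0.54.0 0.0.0.255 any echo
access-list 101 permit icmp 10.0.55.0 0.0.0.255 any echo
access-list 101 permit ip any any
access-list 102 permit icmp host 203.0.113.9 any echo-reply
access-list 102 permit icmp any any packet-too-big
access-list 102 deny icmp any any echo-reply
access-list 102 deny icmp any 10.0.54.0 0.0.0.255 echo
access-list 102 deny icmp any 10.0.55.0 0.0.0.255 echo
access-list 102 permit ip any any
"""
GAZ = """
access-list 101 permit icmp 10.0.54.0 0.0.1.255 any echo
access-list 101 deny icmp any any
access-list 101 permit ip any any
access-list 102 permit icmp any any echo-reply
access-list 102 deny icmp any any
access-list 102 permit ip any any
"""
ICMP_ONLY = "access-list 103 permit icmp 10.0.54.0 0.0.1.255 any echo\n"  # no permit ip any any

# Constructed test traffic.
OUT_ECHO = Packet(1, "10.0.55.7", "198.51.100.1", icmp_type=8)     # LAN pings the Internet
OUT_TSTAMP = Packet(1, "10.0.55.7", "198.51.100.1", icmp_type=13)  # ICMP timestamp request
OUT_TCP = Packet(6, "10.0.55.7", "198.51.100.1")                   # ordinary TCP
IN_REPLY = Packet(1, "198.51.100.1", "10.0.55.7", icmp_type=0)     # reply to the LAN's ping
IN_ECHO = Packet(1, "198.51.100.1", "10.0.55.7", icmp_type=8)      # Internet pings the LAN

if __name__ == "__main__":
    for lst, pkt in [("101", OUT_ECHO), ("101", OUT_TSTAMP), ("101", OUT_TCP), ("102", IN_REPLY), ("102", IN_ECHO)]:
        print(f"list {lst} {pkt.src} -> {pkt.dst} type={pkt.icmp_type}: Jeff={verdict(JEFF, lst, pkt)} Gaz={verdict(GAZ, lst, pkt)}")
    print("TCP vs list 103 (no permit ip any any):", evaluate(parse_acl(ICMP_ONLY)["103"], OUT_TCP))
```

Running it shows the outbound ICMP timestamp request permitted by Jeff's 101 (entry 3, permit ip any any) and denied by Gaz's (entry 2); Jeff's 102 dropping an echo reply addressed to the LAN from anyone but the ISP host, which is the problem Scott raised; and list 103, which has no permit ip any any, dropping ordinary TCP on the implicit deny, which is what Scott's question about udp and tcp comes down to.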
RE: ACL Gurus [7:27361]
Hello,

Good call on the

access-list 101 permit icmp x.x.54.0 0.0.1.255 any echo (equivalent to your two lines)

My understanding is ICMP is not a subset of IP or anything with IP protocol. ICMP and IP both work at the network layer and are separate protocols. So you would not need the

access-list 102 deny icmp any any (may as well block all other icmp)

or

access-list 102 deny icmp any any (may as well block all other icmp)

because the implicit deny at the end should take care of dropping the unwanted protocols. Please correct me if I am wrong.

What about udp and tcp protocols? The implicit deny would drop all protocols at the end.

Scott

-Original Message-
From: Gaz [mailto:[EMAIL PROTECTED]]
Sent: Monday, November 26, 2001 3:56 PM
To: [EMAIL PROTECTED]
Subject: Re: ACL Gurus [7:27361]

My view/guesstimation only here, so anyone is welcome to pick holes in it:

I would apply 101 (the outgoing access list) to the ethernet port. May as well drop the rubbish before the router processes it. I would also make it:

access-list 101 permit icmp x.x.54.0 0.0.1.255 any echo
(equivalent to your two lines)
access-list 101 deny icmp any any
(denies all other icmp, otherwise your next line allowed everything including icmp)
access-list 101 permit ip any any

I would apply 102 as you have on the serial interface, with slight change.

access-list 102 permit icmp any any echo-reply
(presumably as you allowed echo outgoing, you want the replies)
access-list 102 deny icmp any any
(may as well block all other icmp)
access-list 102 permit ip any any

Of course this is just fictional to control icmp only. I've changed it about 4 times, so I've no doubt it could take some more changes.

Regards,
Gaz

Matthew Tayler wrote in message news:[EMAIL PROTECTED]...

Ok I am a little confused here, but

1. What does access-list 101 actually deny?
2. If you permit all ip are you not also allowing all tcp udp?

Matt T

Jeff wrote:

Looking to block icmp-echo on my external router... just want to double-check that I'm putting these on the right interfaces. Please, suggestions welcome!

Cheers,
Jeff

access-list 101 permit icmp x.x.54.0 0.0.0.255 any echo
access-list 101 permit icmp x.x.55.0 0.0.0.255 any echo
*Permits internal network to ping any host
access-list 101 permit ip any any
*Permits any other traffic to and from the network. Need for the explicit deny

access-list 102 permit icmp host x.x.x.x any echo-reply
*Permits a ping reply from ISP servers for monitoring
access-list 102 permit icmp any any packet-too-big
*Permits Fragmentation Required ICMP packets (used for MTU-PD)
access-list 102 deny icmp any any echo-reply
*Deny any echo reply from any other sources
access-list 102 deny icmp any x.x.54.0 0.0.0.255 echo
access-list 102 deny icmp any x.x.55.0 0.0.0.255 echo
*Deny any echo from any other sources
access-list 102 permit ip any any
*Permits any other traffic to and from the network. Needed due to the explicit deny rule.

Both access-lists are applied to the serial interfaces of the edge router. Access list 102 is assigned to inbound traffic and access list 101 is assigned to outbound traffic. See below..

        Internet (same ISP, different BGP peers)
            S0/0                S0/1
               \                /
                \              /
                 \            /
                  Edge Router
                       |
                     E0/0
                       |
                      FW
                       |
                      LAN   x.x.54.0 and x.x.55.0 networks

Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=27404&t=27361
RE: ACL Gurus [7:27361]
> My understanding is ICMP is not a subset of IP or anything with IP protocol. ICMP and IP both work at the network layer and are separate protocols.

Bzzt. You are the weakest link. Goodbye ;-)

ICMP is IP protocol 1 (TCP is 6, UDP is 17). ICMP stands for Internet Control Message Protocol, which is a bit of a hint that it might be related to IP (although hardly strong evidence). According to TCP/IP Illustrated (Stevens), ICMP is often considered part of the IP layer, so you're correct there, but ICMP messages are transmitted within IP datagrams, so your permit ip any any will permit ICMP.

And anyway, I use permit ip any any to define interesting traffic on some dialup links, and I can bring up the links with a well-directed ping. So I know IP includes ICMP ;-)

JMcL

----- Forwarded by Jenny Mcleod/NSO/CSDA on 27/11/2001 02:09 pm -----

Scott Nawalaniec
Sent by: nobody@groupstudy.com
27/11/2001 11:29 am
Please respond to Scott Nawalaniec
To: [EMAIL PROTECTED]
Subject: RE: ACL Gurus [7:27361]

Hello,

Good call on the

access-list 101 permit icmp x.x.54.0 0.0.1.255 any echo (equivalent to your two lines)

My understanding is ICMP is not a subset of IP or anything with IP protocol. ICMP and IP both work at the network layer and are separate protocols. So you would not need the

access-list 102 deny icmp any any (may as well block all other icmp)

or

access-list 102 deny icmp any any (may as well block all other icmp)

because the implicit deny at the end should take care of dropping the unwanted protocols. Please correct me if I am wrong.

What about udp and tcp protocols? The implicit deny would drop all protocols at the end.

Scott

-Original Message-
From: Gaz [mailto:[EMAIL PROTECTED]]
Sent: Monday, November 26, 2001 3:56 PM
To: [EMAIL PROTECTED]
Subject: Re: ACL Gurus [7:27361]

My view/guesstimation only here, so anyone is welcome to pick holes in it:

I would apply 101 (the outgoing access list) to the ethernet port. May as well drop the rubbish before the router processes it.
I would also make it: access-list 101 permit icmp x.x.54.0 0.0.1.255 any echo (equivalent to your two lines) access-list 101 deny icmp any any (denies all other icmp, otherwise your next line allowed everything including icmp) access-list 101 permit ip any any I would apply 102 as you have on the serial interface, with slight change. access-list 102 permit icmp any any echo-reply (presumably as you allowed echo outgoing, you want the replies) access-list 102 deny icmp any any (may as well block all other icmp) access-list 102 permit ip any any Of course this is just fictional to control icmp only. I've changed it about 4 times, so I've no doubt it could take some more changes. Regards, Gaz Matthew Tayler wrote in message [EMAIL PROTECTED]">news:[EMAIL PROTECTED]... Ok I am a little confused here, but 1. What does access-list 101 actually deny ? 2. If you permit all ip are you not also allowing all tcp udp ? Matt T Jeff wrote: Looking to block icmp-echo on my external router... just want to doublecheck that I'm putting these on the right interfaces. Please, suggestions welcome! Cheers, Jeff access-list 101 permit icmp x.x.54.0 0.0.0.255 any echo access-list 101 permit icmp x.x.55.0 0.0.0.255 any echo *Permits internal network to ping any host access-list 101 permit ip any any *Permits any other traffic to and from the network. Need for the explicit deny access-list 102 permit icmp host x.x.x.x any echo-reply *Permits a ping reply from ISP servers for monitoring access-list 102 permit icmp any any packet-too-big *Permits Fragmentation Required ICMP packets (Used of MTU-PD) access-list 102 deny icmp any any echo-reply deny any echo reply from any other sources access-list 102 deny icmp any x.x.54.0 0.0.0.255 echo access-list 102 deny icmp any x.x.55.0 0.0.0.255 echo deny any echo from any other sources access-list 102 permit ip any any *Permits any other traffic to and from the network. Needed due to the explicit deny rule. 
Both Access-list are applied to the Serial Interfaces of the Edge router. Access list 102 is assigned to inbound traffic and Access li
RE: ACL Gurus [7:27361]
TCP, UDP, ICMP and any other IP protocols all require IP to perform layer 3 related functions. In fact, any application, session, transport or other layer software that is part of the TCP/IP suite uses IP for its layer 3 functions. They are all subsets of an IP packet since they are layered on top of IP in the protocol stack. All TCP, UDP and ICMP packets are also IP packets, just like all telnet packets are also TCP packets.

When you say permit IP any any that includes all TCP, UDP and ICMP packets. If you want to permit/deny TCP, UDP or ICMP packets individually, you must do so explicitly and separately as the poster did in their original acl, since permit IP means permit TCP, UDP, ICMP and any other upper layer protocols that use IP like EIGRP, OSPF, etc., etc.

Bottom line, the deny icmp any any is needed because otherwise all ICMP packets would be permitted by the next acl entry permit ip any any.

-Kent

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Scott Nawalaniec
Sent: Monday, November 26, 2001 4:30 PM
To: [EMAIL PROTECTED]
Subject: RE: ACL Gurus [7:27361]

Hello,

Good call on the
  access-list 101 permit icmp x.x.54.0 0.0.1.255 any echo (equivalent to your two lines)

My understanding is ICMP is not a subset of IP or anything with IP protocol. ICMP and IP both work at the network layer and are separate protocols. So you would not need the
  access-list 102 deny icmp any any (may as well block all other icmp)
or
  access-list 102 deny icmp any any (may as well block all other icmp)
because the implicit deny at the end should take care of dropping the unwanted protocols. Please correct me if I am wrong.

What about udp and tcp protocols? The implicit deny would drop all protocols at the end.

Scott

-Original Message-
From: Gaz [mailto:[EMAIL PROTECTED]]
Sent: Monday, November 26, 2001 3:56 PM
To: [EMAIL PROTECTED]
Subject: Re: ACL Gurus [7:27361]

My view/guestimation only here, so anyone is welcome to pick holes in it:

I would apply 101 (the outgoing access list to the ethernet port). May as well drop the rubbish before the router processes it. I would also make it:

  access-list 101 permit icmp x.x.54.0 0.0.1.255 any echo
    (equivalent to your two lines)
  access-list 101 deny icmp any any
    (denies all other icmp, otherwise your next line allowed everything including icmp)
  access-list 101 permit ip any any

I would apply 102 as you have on the serial interface, with slight change.

  access-list 102 permit icmp any any echo-reply
    (presumably as you allowed echo outgoing, you want the replies)
  access-list 102 deny icmp any any
    (may as well block all other icmp)
  access-list 102 permit ip any any

Of course this is just fictional to control icmp only. I've changed it about 4 times, so I've no doubt it could take some more changes.

Regards,
Gaz

Matthew Tayler wrote in message news:[EMAIL PROTECTED]...

Ok I am a little confused here, but
1. What does access-list 101 actually deny ?
2. If you permit all ip are you not also allowing all tcp udp ?

Matt T

Jeff wrote:

Looking to block icmp-echo on my external router... just want to double-check that I'm putting these on the right interfaces. Please, suggestions welcome!

Cheers,
Jeff

  access-list 101 permit icmp x.x.54.0 0.0.0.255 any echo
  access-list 101 permit icmp x.x.55.0 0.0.0.255 any echo
    *Permits internal network to ping any host
  access-list 101 permit ip any any
    *Permits any other traffic to and from the network. Need for the explicit deny

  access-list 102 permit icmp host x.x.x.x any echo-reply
    *Permits a ping reply from ISP servers for monitoring
  access-list 102 permit icmp any any packet-too-big
    *Permits Fragmentation Required ICMP packets (used for MTU-PD)
  access-list 102 deny icmp any any echo-reply
    *deny any echo reply from any other sources
  access-list 102 deny icmp any x.x.54.0 0.0.0.255 echo
  access-list 102 deny icmp any x.x.55.0 0.0.0.255 echo
    *deny any echo from any other sources
  access-list 102 permit ip any any
    *Permits any other traffic to and from the network. Needed due to the explicit deny rule.

Both access lists are applied to the Serial Interfaces of the Edge router. Access list 102 is assigned to inbound traffic and Access list 101 is assigned to outbound traffic. See below..

          Internet (same ISP, different BGP peers)
               S0/0        S0/1
                  \        /
                   \      /
                  Edge Router
                       |
                     E0/0
                       |
                      FW
                       |
                     LAN   x.x.54.0 and x.x.55.0 networks

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=27422t=27361
--
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.htm
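The first-match behaviour Kent and Gaz describe (permit ip any any also matching ICMP, so the deny icmp any any has to sit before it, and Gaz's 0.0.1.255 wildcard covering both /24s) as an added worked example that is not from the thread: a small Python model of Cisco extended ACL evaluation, run over Gaz's list 102 and his one-line 101 source spec. 10.0.54.0/10.0.55.0 and 203.0.113.9 are constructed stand-ins for the x.x.54.0/x.x.55.0 networks and an outside host.

```python
# Toy first-match evaluator for Cisco extended ACLs (added example, not from the
# thread). Models only what the thread uses: permit/deny, protocol keyword
# ip/icmp/tcp/udp, 'any', 'host A.B.C.D', 'A.B.C.D WILDCARD', an optional ICMP
# type word, and the implicit deny at the end.
from ipaddress import IPv4Address
IP_PROTO = {"icmp": 1, "tcp": 6, "udp": 17}   # the protocol numbers JMcL cites

def _addr_spec(t, i):
    """Parse one address spec at t[i]; return ((net, wildcard), next index)."""
    if t[i] == "any":
        return (0, 0xFFFFFFFF), i + 1
    if t[i] == "host":
        return (int(IPv4Address(t[i + 1])), 0), i + 2
    return (int(IPv4Address(t[i])), int(IPv4Address(t[i + 1]))), i + 2

def parse_acl(text):
    """Turn 'access-list N action proto src dst [icmp-type]' lines into tuples."""
    acl = []
    for line in text.strip().splitlines():
        t = line.split()
        src, i = _addr_spec(t, 4)
        dst, i = _addr_spec(t, i)
        icmp_type = t[i] if t[3] == "icmp" and i < len(t) else None
        acl.append((t[2], t[3], src, dst, icmp_type))
    return acl

def _in_range(spec, addr):
    net, wild = spec                      # Cisco wildcard: a 0 bit must match
    keep = ~wild & 0xFFFFFFFF
    return int(IPv4Address(addr)) & keep == net & keep

def evaluate(acl, src, dst, proto_num, icmp_type=None):
    """Action of the first matching entry; 'deny' if none matches (implicit deny)."""
    for action, kw, s, d, t in acl:
        if kw != "ip" and IP_PROTO[kw] != proto_num:   # 'ip' also matches ICMP (1)
            continue
        if _in_range(s, src) and _in_range(d, dst) and (t is None or t == icmp_type):
            return action
    return "deny"

# Gaz's inbound list 102 (thread text), with and without his 'deny icmp any any'.
ACL_102 = """
access-list 102 permit icmp any any echo-reply
access-list 102 deny icmp any any
access-list 102 permit ip any any
"""
ACL_102_NO_DENY = "\n".join(ln for ln in ACL_102.splitlines() if "deny" not in ln)
# Gaz's one-line 101 source spec; 10.0.54.0 is a constructed stand-in for x.x.54.0.
ACL_101 = "access-list 101 permit icmp 10.0.54.0 0.0.1.255 any echo"
```

Evaluating an inbound ICMP echo from 203.0.113.9 against ACL_102 returns deny, and against ACL_102_NO_DENY returns permit via the permit ip any any entry, which is exactly Kent's point.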