RE: ACL Gurus [7:27361]

2001-11-26 Thread Matthew Tayler

Ok I am a little confused here, but

1. What does access-list 101 actually deny ?
2. If you permit all ip are you not also allowing all tcp & udp ?

Matt T
Jeff wrote:
> 
> Looking to block icmp-echo on my external router... just want
> to doublecheck
> that I'm putting these on the right interfaces. Please,
> suggestions welcome!
> 
> Cheers,
> Jeff
> access-list 101 permit icmp x.x.54.0 0.0.0.255 any echo
> 
> access-list 101 permit icmp x.x.55.0 0.0.0.255 any echo
> 
> *Permits internal network to ping any host
> 
> access-list 101 permit ip any any
> 
> *Permits any other traffic to and from the network. Needed for
> the explicit
> deny
> 
> 
> 
> access-list 102 permit icmp host x.x.x.x any echo-reply
> 
> *Permits a ping reply from ISP servers for monitoring
> 
> access-list 102 permit icmp any any packet-too-big
> 
> *Permits Fragmentation Required ICMP packets (Used for MTU-PD)
> 
> access-list 102 deny   icmp any any echo-reply
> 
> deny any echo reply from any other sources
> 
> 
> 
> access-list 102 deny   icmp any x.x.54.0 0.0.0.255 echo
> 
> access-list 102 deny   icmp any x.x.55.0 0.0.0.255 echo
> 
> deny any echo from any other sources
> 
> access-list 102 permit ip any any
> 
> *Permits any other traffic to and from the network. Needed due
> to the
> explicit deny rule.
> 
> 
> 
> Both Access-list are applied to the Serial Interfaces of the
> Edge router.
> Access list 102 is assigned to inbound traffic and Access list
> 101 is
> assigned to outbound traffic. See below..
> 
> 
> 
> Internet (same ISP, different BGP peers)
>
>        S0/0   S0/1
>           \   /
>            \ /
>         Edge Router
>              |
>            E0/0
>              |
>             FW
>              |
>            LAN
>
> x.x.54.0 and x.x.55.0 networks
> 
> 




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=27392&t=27361
--
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]



Re: ACL Gurus [7:27361]

2001-11-26 Thread Gaz

My view/guesstimation only here, so anyone is welcome to pick holes in it:

I would apply 101 (the outgoing access list) to the Ethernet port. May as
well drop the rubbish before the router processes it.
I would also make it:

access-list 101 permit icmp x.x.54.0 0.0.1.255 any echo  (equivalent to your
two lines)
access-list 101 deny icmp any any (denies all other icmp, otherwise your
next line allowed everything including icmp)
access-list 101 permit ip any any

I would apply 102 as you have on the serial interface, with slight change.

access-list 102 permit icmp any any echo-reply  (presumably as you allowed
echo outgoing, you want the replies)
access-list 102 deny icmp any any  (may as well block all other icmp)
access-list 102 permit ip any any

Of course this is just fictional to control icmp only.
I've changed it about 4 times, so I've no doubt it could take some more
changes.

Regards,

Gaz






Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=27396&t=27361



RE: ACL Gurus [7:27361]

2001-11-26 Thread Scott Nawalaniec

Hello,

Good call on the "access-list 101 permit icmp x.x.54.0 0.0.1.255 any echo
(equivalent to your
two lines)"

My understanding is ICMP is not a subset of IP or anything with IP protocol.
ICMP and IP both work at the network layer and are separate protocols. So
you would not need the "access-list 102 deny icmp any any  (may as well
block all other icmp)" or "access-list 102 deny icmp any any  (may as well
block all other icmp)" because the implicit deny at the end should take care
of dropping the unwanted protocols. Please correct me if I am wrong. 

What about udp and tcp protocols? The implicit deny would drop all protocols
at the end. 

Scott





Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=27404&t=27361



RE: ACL Gurus [7:27361]

2001-11-26 Thread [EMAIL PROTECTED]

"My understanding is ICMP is not a subset of IP or anything with IP
protocol.
ICMP and IP both work at the network layer and are separate protocols."
Bzzt.  You are the weakest link.  Goodbye ;-)

ICMP is IP protocol 1 (TCP is 6, UDP is 17).  ICMP stands for Internet
Control Message Protocol, which is a bit of a hint that it might be related
to IP (although hardly strong evidence).  According to TCP/IP Illustrated
(Stevens); "ICMP is often considered part of the IP layer", so you're
correct there, but "ICMP messages are transmitted within IP datagrams", so
your "permit ip any any" will permit ICMP.
And anyway, I use "permit ip any any" to define interesting traffic on some
dialup links, and I can bring up the links with a well-directed ping.  So I
know IP includes ICMP ;-)

JMcL

RE: ACL Gurus [7:27361]

2001-11-26 Thread Kent Hundley

TCP, UDP, ICMP and any other IP protocols all require IP to perform layer 3
related functions.  In fact, any application, session, transport or other
layer software that is part of the TCP/IP suite uses IP for its layer 3
functions.  They are all "subsets" of an IP packet since they are layered on
top of IP in the protocol stack.  All TCP, UDP and ICMP packets are also IP
packets, just like all telnet packets are also TCP packets.

When you say "permit IP any any" that includes all TCP, UDP and ICMP
packets.  If you want to permit/deny TCP, UDP or ICMP packets individually,
you must do so explicitly and separately as the poster did in their original
acl since "permit IP" means "permit TCP, UDP, ICMP and any other upper layer
protocols that use IP like EIGRP, OSPF, etc. etc.".  Bottom line, the "deny
icmp any any" is needed because otherwise all ICMP packets would be
permitted by the next acl entry "permit ip any any".

-Kent


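Kent's point (first match wins, and `permit ip any any` covers every IP protocol, ICMP included) and Gaz's 0.0.1.255 wildcard are easy to check by simulating the lists. The Python below is an added example, not code from any poster or from Cisco. It implements a small first-match evaluator for just the ACE forms used in this thread; 10.0.54.0/24 and 10.0.55.0/24 stand in for the thread's x.x.54.0 and x.x.55.0, 192.0.2.1 is a made-up external host, and the protocol numbers are the IANA values JMcL quoted (icmp=1, tcp=6, udp=17).

```python
"""First-match simulator for Cisco IOS extended ACLs.

Added example, not from the thread or from Cisco. Assumptions: a small ACE
grammar covering only the forms used in the thread,
    access-list N permit|deny <proto> <src> <dst> [icmp-keyword]
with <src>/<dst> written as `any`, `host A.B.C.D` or `A.B.C.D WILDCARD`.
Protocol numbers are the IANA values (icmp=1, tcp=6, udp=17); `ip` matches
every protocol. 10.0.54.0/24 and 10.0.55.0/24 stand in for x.x.54.0/x.x.55.0.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import List, Optional, Tuple

PROTO = {"icmp": 1, "tcp": 6, "udp": 17}
# IOS ICMP keyword -> (type, code); packet-too-big is "unreachable, fragmentation needed"
ICMP_KEYWORD = {"echo": (8, 0), "echo-reply": (0, 0), "packet-too-big": (3, 4)}


@dataclass
class Packet:
    proto: int
    src: str
    dst: str
    icmp: Optional[Tuple[int, int]] = None  # (type, code) when proto == 1


@dataclass
class Ace:
    text: str
    action: str
    proto: Optional[int]  # None means "ip": any IP protocol number
    src: int
    src_wc: int
    dst: int
    dst_wc: int
    icmp: Optional[Tuple[int, int]]


def _addr(t: List[str], i: int) -> Tuple[int, int, int]:
    """Parse one address spec at t[i]; return (address, wildcard, next index)."""
    if t[i] == "any":
        return 0, 0xFFFFFFFF, i + 1
    if t[i] == "host":
        return int(IPv4Address(t[i + 1])), 0, i + 2
    return int(IPv4Address(t[i])), int(IPv4Address(t[i + 1])), i + 2


def parse_ace(line: str) -> Ace:
    t = line.split()
    if len(t) < 6 or t[0] != "access-list" or t[2] not in ("permit", "deny"):
        raise ValueError(f"unsupported ACE: {line!r}")
    proto = None if t[3] == "ip" else PROTO[t[3]]
    src, src_wc, i = _addr(t, 4)
    dst, dst_wc, i = _addr(t, i)
    icmp = ICMP_KEYWORD[t[i]] if i < len(t) else None
    return Ace(line, t[2], proto, src, src_wc, dst, dst_wc, icmp)


def _wild_match(spec: int, wildcard: int, addr: int) -> bool:
    # Cisco wildcard: a 1 bit means "don't care", so only the 0 bits are compared
    care = ~wildcard & 0xFFFFFFFF
    return (spec & care) == (addr & care)


def ace_matches(ace: Ace, pkt: Packet) -> bool:
    if ace.proto is not None and ace.proto != pkt.proto:
        return False  # "ip" (None) matches every protocol, including ICMP
    if not _wild_match(ace.src, ace.src_wc, int(IPv4Address(pkt.src))):
        return False
    if not _wild_match(ace.dst, ace.dst_wc, int(IPv4Address(pkt.dst))):
        return False
    return ace.icmp is None or ace.icmp == pkt.icmp


def evaluate(acl: List[str], pkt: Packet) -> Tuple[str, str]:
    """First matching ACE wins; a packet that matches nothing hits the implicit deny."""
    for ace in map(parse_ace, acl):
        if ace_matches(ace, pkt):
            return ace.action, ace.text
    return "deny", "implicit deny"


# Jeff's outbound list as posted: nothing below the catch-all can be denied.
ACL_101_JEFF = [
    "access-list 101 permit icmp 10.0.54.0 0.0.0.255 any echo",
    "access-list 101 permit icmp 10.0.55.0 0.0.0.255 any echo",
    "access-list 101 permit ip any any",
]
# Gaz's version: one wildcard for both /24s, and ICMP denied before the catch-all.
ACL_101_GAZ = [
    "access-list 101 permit icmp 10.0.54.0 0.0.1.255 any echo",
    "access-list 101 deny icmp any any",
    "access-list 101 permit ip any any",
]

if __name__ == "__main__":
    icmp, tcp, udp = PROTO["icmp"], PROTO["tcp"], PROTO["udp"]
    reply_out = Packet(icmp, "10.0.54.9", "192.0.2.1", ICMP_KEYWORD["echo-reply"])
    print(evaluate(ACL_101_JEFF, reply_out))  # permitted by "permit ip any any"
    print(evaluate(ACL_101_GAZ, reply_out))  # denied by "deny icmp any any"
    print(evaluate(ACL_101_GAZ, Packet(icmp, "10.0.55.7", "192.0.2.1", ICMP_KEYWORD["echo"])))
    print(evaluate(ACL_101_GAZ, Packet(icmp, "10.0.56.7", "192.0.2.1", ICMP_KEYWORD["echo"])))
    print(evaluate(ACL_101_GAZ, Packet(tcp, "10.0.54.9", "192.0.2.1")))
    print(evaluate(["access-list 110 permit tcp any any"], Packet(udp, "10.0.54.9", "192.0.2.1")))
```

Running it answers Matthew's first question directly: Jeff's 101 denies nothing, because an outbound echo-reply (or any other ICMP) falls through to `permit ip any any`. Gaz's `deny icmp any any` stops the same packet while TCP still passes, and the 0.0.1.255 wildcard matches 10.0.55.7 but not 10.0.56.7: the one-line aggregation works only because 54 and 55 differ in their lowest bit, so the same trick would not merge, say, .55 and .56. The last call shows the implicit deny that Scott was relying on: it only bites when no earlier line matches, and a catch-all permit means nothing ever reaches it.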
RE: ACL Gurus [7:27361]

2001-11-27 Thread Scott Nawalaniec

I knew that didn't sound right after I read it. Thank you for correcting me.
I checked it out by using a sniffer and the ICMP packet is encapsulated in
IP.

Thank you.

Scott


RE: ACL Gurus [7:27361]

2001-11-27 Thread Scott Nawalaniec

Thanks for the info and the verification.

Scott


RE: ACL Gurus [7:27361]

2001-12-07 Thread Scott Nawalaniec

Hi Anil,

To the best of my knowledge and without looking it up at www.cisco.com, I
think if you put log on the end of an access-list statement it will send the
log to the syslog server. I don't know if that is true in all cases. I like
to keep my routers streamlined, i.e. unnecessary services and buffers
turned off =)

OUTPUT from show log:
Admin_3662#sh log
Syslog logging: enabled (0 messages dropped, 0 flushes, 0 overruns)
Console logging: level debugging, 723 messages logged
Monitor logging: level debugging, 0 messages logged
Buffer logging: disabled
Trap logging: level debugging, 727 message lines logged
Logging to X.X.X.X, 727 message lines logged

HTH,

Scott

-Original Message-
From: anil [mailto:[EMAIL PROTECTED]]
Sent: Friday, December 07, 2001 12:58 PM
To: Scott Nawalaniec
Subject: RE: ACL Gurus [7:27361]


Scott, If I add an access list with [log] at the end, can I expect to see
the log by typing:
"show log"
At the moment I see nothing.
I am trying to catch snmp traffic, using snmpwalk.
port 161, 162.

If I do "debug snmp packets" then I can see some logs.
Many thanks
-Anil






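Anil sees nothing in `show log` because Scott's own output says `Buffer logging: disabled`: `show logging` prints the local buffer, and messages from a `log` ACE only go to the logging destinations that are enabled (in that output, the console and the syslog host at X.X.X.X; `logging buffered` would turn the buffer on). Two more things worth knowing before turning `log` on: IOS logs the first packet that matches the ACE and then a summary line carrying the packet count accumulated over the logging interval (five minutes by default), so counts must be summed per flow rather than counted per line, and on the IOS of that era logged packets are process-switched, so `log` on a busy ACE costs router CPU. Once the messages reach a syslog host they are worth parsing. The Python below is an added example, not from any poster or from Cisco; the sample lines are constructed to follow the shape of the IOS %SEC-6-IPACCESSLOGP (TCP/UDP, with ports), %SEC-6-IPACCESSLOGDP (ICMP, with type/code) and %SEC-6-IPACCESSLOGNP (other protocol numbers) messages, and the hostname, timestamps and addresses are made up.

```python
"""Parser/aggregator for IOS ACL `log` messages.

Added example, not from the thread or from Cisco. The sample lines are
constructed to follow the shape of the IOS %SEC-6-IPACCESSLOGP (TCP/UDP),
%SEC-6-IPACCESSLOGDP (ICMP) and %SEC-6-IPACCESSLOGNP (other protocols)
messages; syslog prefix, hostname and addresses are made up. Real exports
vary in timestamp format, so the pattern anchors on the mnemonic, not the prefix.
"""
import re
from collections import Counter
from typing import Dict, List, Optional, Tuple

# list <acl> <permitted|denied> <proto> <src>[(sport)] -> <dst>[(dport)] [(type/code)], <n> packet(s)
ACL_LOG_RE = re.compile(
    r"%SEC-6-IPACCESSLOG(?P<kind>P|DP|NP): list (?P<acl>\S+) (?P<action>permitted|denied) "
    r"(?P<proto>\S+) (?P<src>[\d.]+)(?:\((?P<sport>\d+)\))? -> (?P<dst>[\d.]+)(?:\((?P<dport>\d+)\))?"
    r"(?: \((?P<itype>\d+)/(?P<icode>\d+)\))?, (?P<count>\d+) packets?"
)

# Constructed sample: an SNMP probe and a ping sweep hitting a deny ACE, one
# permitted HTTPS flow, a GRE packet, and an unrelated syslog line. The second
# pair of deny lines is the five-minute summary IOS emits after the first hit.
SAMPLE_LOG = """\
Dec  7 12:58:01 edge-rtr 101: %SEC-6-IPACCESSLOGP: list 102 denied udp 192.0.2.10(4321) -> 10.0.54.5(161), 1 packet
Dec  7 12:58:03 edge-rtr 102: %SEC-6-IPACCESSLOGDP: list 102 denied icmp 192.0.2.10 -> 10.0.54.5 (8/0), 1 packet
Dec  7 12:58:20 edge-rtr 103: %SEC-6-IPACCESSLOGP: list 102 permitted tcp 198.51.100.7(51000) -> 10.0.55.20(443), 1 packet
Dec  7 13:03:01 edge-rtr 104: %SEC-6-IPACCESSLOGP: list 102 denied udp 192.0.2.10(4321) -> 10.0.54.5(161), 37 packets
Dec  7 13:03:03 edge-rtr 105: %SEC-6-IPACCESSLOGDP: list 102 denied icmp 192.0.2.10 -> 10.0.54.5 (8/0), 12 packets
Dec  7 13:03:04 edge-rtr 106: %SEC-6-IPACCESSLOGNP: list 102 denied 47 192.0.2.99 -> 10.0.54.5, 1 packet
Dec  7 13:03:05 edge-rtr 107: %SYS-5-CONFIG_I: Configured from console by admin on vty0
"""


def parse_line(line: str) -> Optional[dict]:
    """Return the fields of one ACL log message, or None for any other syslog line."""
    m = ACL_LOG_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["count"] = int(rec["count"])
    return rec


def denied_flows(text: str) -> Dict[Tuple[str, str, str, str, Optional[str]], int]:
    """Sum packet counts of denied traffic per (acl, proto, src, dst, dport-or-icmp-type).

    The first-hit line and the later summary line describe the same flow, so the
    per-flow total is the sum of their counts, not the number of lines seen."""
    totals: Counter = Counter()
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["action"] != "denied":
            continue
        service = rec["dport"] if rec["dport"] is not None else rec["itype"]
        totals[(rec["acl"], rec["proto"], rec["src"], rec["dst"], service)] += rec["count"]
    return dict(totals)


def noisy_sources(text: str, threshold: int = 10) -> List[str]:
    """Sources whose denied packet total across all flows reaches the threshold."""
    per_src: Counter = Counter()
    for (_acl, _proto, src, _dst, _service), n in denied_flows(text).items():
        per_src[src] += n
    return sorted(s for s, n in per_src.items() if n >= threshold)


if __name__ == "__main__":
    for flow, n in sorted(denied_flows(SAMPLE_LOG).items(), key=str):
        print(n, flow)
    print("noisy:", noisy_sources(SAMPLE_LOG))
```

With the constructed input the UDP/161 probe totals 38 packets and the echo requests 13, both from 192.0.2.10, which is the one source the threshold flags; the permitted HTTPS flow and the non-ACL syslog line are ignored. The key includes the destination port for TCP/UDP and the ICMP type for ICMP, so an SNMP walk and a ping sweep from the same host are reported as separate flows rather than merged.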
Re: ACL Gurus [7:27361]

2001-12-07 Thread Philip Palanchi

Try enabling the interface configuration command "ip accounting
access-violations".
This will log source/destination pairs which fail the access-list on the
interface.
