If you wanted to do this, why not write an access
list blocking the specific hosts/subnets that you do
not want to be reachable with ICMP and permit all ICMP
after that?
Why do you want to block local ICMP anyways and allow
external? It's usually the other way around.
--- SH Wesson <[EMAIL PROTE
the secret here is an extended access-list
allowing the echo-reply into the interface
but denying the echo itself. The access-list
below is placed on the inbound of the interface
access-list 100 deny icmp any any echo
access-list 100 permit icmp any any echo-reply
access-list 100 permit ip any a
extended ip access-list
!permit outgoing 'ping' from 10.0.0.0 network
access-list 101 permit icmp 10.0.0.0 0.255.255.255 any echo
access-list 101 deny icmp any any
!permit returning 'ping' from 10.0.0.0 network
access-list 102 permit icmp any 10.0.0.0 0.255.255.255 echo-reply
access-list 102 den
Create an extended ACL that only allows ICMP echo-replies in and denies
echo-requests.
i.e.
access-list 110 permit icmp any any echo-reply
access-list 110 deny icmp any any echo
access-list 110 permit ip any any
I believe that the syntax is correct, but I don't have any documentation or
a r
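
The first-match behaviour these replies rely on, as an added example that is not part of any post in the thread: a small evaluator for the extended ACL lines quoted above, run against constructed packets. The closing `permit ip any any` on list 100, the sample addresses, and the function names are assumptions made for the illustration.

```python
import ipaddress

ICMP_TYPES = {"echo": 8, "echo-reply": 0}   # ICMP type numbers behind the IOS keywords

# Inbound list from the thread; the final permit line is an assumption
# (the page truncates it), modelled on the complete 110 list.
INBOUND_100 = [
    "access-list 100 deny icmp any any echo",
    "access-list 100 permit icmp any any echo-reply",
    "access-list 100 permit ip any any",
]
# The two 101 lines exactly as visible on the page, with nothing after them.
OUTBOUND_101 = [
    "access-list 101 permit icmp 10.0.0.0 0.255.255.255 any echo",
    "access-list 101 deny icmp any any",
]

def parse_addr(tokens):
    """Consume 'any' or '<addr> <wildcard>'; return ((addr, wildcard), rest)."""
    if tokens[0] == "any":
        return (0, 0xFFFFFFFF), tokens[1:]
    addr = int(ipaddress.IPv4Address(tokens[0]))
    wild = int(ipaddress.IPv4Address(tokens[1]))
    return (addr, wild), tokens[2:]

def parse_ace(line):
    """Split one 'access-list N action proto src dst [icmp-type]' entry."""
    t = line.split()[2:]                      # drop 'access-list <n>'
    action, proto, t = t[0], t[1], t[2:]
    src, t = parse_addr(t)
    dst, t = parse_addr(t)
    icmp_type = ICMP_TYPES[t[0]] if t else None
    return action, proto, src, dst, icmp_type

def addr_match(ip, spec):
    """Wildcard-mask match: bits set in the wildcard are 'don't care'."""
    addr, wild = spec
    return (int(ipaddress.IPv4Address(ip)) | wild) == (addr | wild)

def evaluate(acl, proto, src, dst, icmp_type=None):
    """Return the action of the first matching entry, else the implicit deny."""
    for line in acl:
        action, p, s, d, ty = parse_ace(line)
        if p != "ip" and p != proto:
            continue
        if not (addr_match(src, s) and addr_match(dst, d)):
            continue
        if ty is not None and ty != icmp_type:
            continue
        return action
    return "deny"                             # implicit 'deny ip any any'
```

With only the two 101 lines shown, non-ICMP traffic falls through to the implicit deny, which is why the inbound lists in the thread end with a permit for remaining IP traffic.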
4 matches