Need Access List Help Please

Unanswered Question
Feb 7th, 2007

Would any Cisco experts be able to lend a hand with the following ACL requirements that I need to implement on a Cisco router at work?

1. Block all inbound ICMP messages with the exception of Echo Reply (type 0) and Time Exceeded (type 11). ICMP message type 3, code 4, is permitted inbound with the following exception: it must be denied from external access gateway (AG) addresses, otherwise permitted.

2. Also block all outbound ICMP message types except Echo Request (type 8), Parameter Problem (type 12), Source Quench (type 4), and Destination Unreachable - Fragmentation Needed and Don't Fragment was Set (type 3, code 4).

3. Also block all inbound traceroutes to prevent network discovery by unauthorized users.

Thanks for any help!

Jon Marshall Thu, 02/08/2007 - 05:59

Hi

Couple of points.

1) ICMP based traceroute will be blocked by your inbound access-list as there is a general deny icmp any any catchall in there.

2) For this example I have allocated the address 192.168.1.1 as the external access gateway.

3) I have used any any in the access-lists. You can obviously narrow this down if you want.

4) I have included a "permit ip any any" at the end of each access-list as there is an implicit deny, so all non-ICMP traffic would be blocked without this.

5) Destination unreachable is actually 3 - host/network/port unreachable. I've permitted them all.

Inbound access-list
===================

ip access-list extended icmptypes_in
 10 permit icmp any any echo-reply
 20 permit icmp any any time-exceeded
 30 deny icmp host 192.168.1.1 any packet-too-big
 40 permit icmp any any packet-too-big
 50 deny icmp any any
 60 permit ip any any

Interface config mode:-
=======================

 ip access-group icmptypes_in in

Outbound access-list
====================

ip access-list extended icmptypes_out
 10 permit icmp any any echo
 20 permit icmp any any parameter-problem
 30 permit icmp any any source-quench
 40 permit icmp any any packet-too-big
 50 permit icmp any any host-unreachable
 60 permit icmp any any net-unreachable
 70 permit icmp any any port-unreachable
 80 deny icmp any any
 90 permit ip any any

Interface config mode:-
=======================

 ip access-group icmptypes_out out

HTH

Jon
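As an added check (example code written for this page, not part of Jon's post and not a Cisco tool), here is a small Python first-match evaluator for the two access-lists above. It parses the posted entries, walks them in order the way IOS does, and falls through to the implicit deny when nothing matches. The sample packets and the addresses 10.9.9.9 and 10.1.1.1 are constructed for the demonstration; 192.168.1.1 is the access gateway address Jon assumed. The ICMP keyword-to-type/code table covers only the keywords the posted lists use.

```python
# Added example: first-match evaluation of the posted IOS ICMP access-lists.
# Not from the original post; packets and non-gateway addresses are constructed.
from dataclasses import dataclass
from ipaddress import ip_address
from typing import Optional

# IOS ICMP keyword -> (ICMP type, ICMP code); None means "any code".
ICMP_KEYWORDS = {
    "echo-reply": (0, None),
    "echo": (8, None),
    "time-exceeded": (11, None),
    "packet-too-big": (3, 4),
    "parameter-problem": (12, None),
    "source-quench": (4, None),
    "net-unreachable": (3, 0),
    "host-unreachable": (3, 1),
    "port-unreachable": (3, 3),
}

# The two lists exactly as posted (sequence numbers included).
ICMPTYPES_IN = [
    "10 permit icmp any any echo-reply",
    "20 permit icmp any any time-exceeded",
    "30 deny icmp host 192.168.1.1 any packet-too-big",
    "40 permit icmp any any packet-too-big",
    "50 deny icmp any any",
    "60 permit ip any any",
]
ICMPTYPES_OUT = [
    "10 permit icmp any any echo",
    "20 permit icmp any any parameter-problem",
    "30 permit icmp any any source-quench",
    "40 permit icmp any any packet-too-big",
    "50 permit icmp any any host-unreachable",
    "60 permit icmp any any net-unreachable",
    "70 permit icmp any any port-unreachable",
    "80 deny icmp any any",
    "90 permit ip any any",
]


@dataclass
class Packet:
    src: str
    dst: str
    proto: str                      # "icmp", "udp" or "tcp"
    icmp_type: Optional[int] = None
    icmp_code: int = 0


def _take_addr(tokens):
    """Consume 'any' or 'host A.B.C.D' from the front of the token list."""
    if tokens[0] == "any":
        return "any", tokens[1:]
    if tokens[0] == "host":
        return tokens[1], tokens[2:]
    raise ValueError(f"unsupported address form: {' '.join(tokens)}")


def parse_entry(line):
    """Parse one access-list entry into (action, proto, src, dst, icmp or None)."""
    tokens = line.split()
    if tokens[0].isdigit():         # optional sequence number
        tokens = tokens[1:]
    action, proto, rest = tokens[0], tokens[1], tokens[2:]
    src, rest = _take_addr(rest)
    dst, rest = _take_addr(rest)
    icmp = ICMP_KEYWORDS[rest[0]] if rest else None
    return action, proto, src, dst, icmp


def _addr_matches(token, addr):
    return token == "any" or ip_address(token) == ip_address(addr)


def entry_matches(entry, pkt):
    action, proto, src, dst, icmp = entry
    if proto != "ip" and proto != pkt.proto:
        return False
    if not (_addr_matches(src, pkt.src) and _addr_matches(dst, pkt.dst)):
        return False
    if icmp is not None:
        icmp_type, icmp_code = icmp
        if pkt.icmp_type != icmp_type:
            return False
        if icmp_code is not None and pkt.icmp_code != icmp_code:
            return False
    return True


def evaluate(acl_lines, pkt):
    """First matching entry wins; no match falls through to the implicit deny."""
    for line in acl_lines:
        entry = parse_entry(line)
        if entry_matches(entry, pkt):
            return entry[0]
    return "deny"


def demo():
    ag, outside, inside = "192.168.1.1", "10.9.9.9", "10.1.1.1"
    results = {
        "in echo-reply": evaluate(ICMPTYPES_IN, Packet(outside, inside, "icmp", 0)),
        "in ptb from AG": evaluate(ICMPTYPES_IN, Packet(ag, inside, "icmp", 3, 4)),
        "in ptb from other": evaluate(ICMPTYPES_IN, Packet(outside, inside, "icmp", 3, 4)),
        "in echo request": evaluate(ICMPTYPES_IN, Packet(outside, inside, "icmp", 8)),
        "in udp": evaluate(ICMPTYPES_IN, Packet(outside, inside, "udp")),
        "out time-exceeded": evaluate(ICMPTYPES_OUT, Packet(inside, outside, "icmp", 11)),
    }
    # Swap entries 30 and 40 to show why the host-specific deny must come first.
    swapped = ICMPTYPES_IN[:2] + [ICMPTYPES_IN[3], ICMPTYPES_IN[2]] + ICMPTYPES_IN[4:]
    results["in ptb from AG (30/40 swapped)"] = evaluate(swapped, Packet(ag, inside, "icmp", 3, 4))
    # Drop the final 'permit ip any any' to show the implicit deny catching non-ICMP.
    results["in udp (no final permit)"] = evaluate(ICMPTYPES_IN[:-1], Packet(outside, inside, "udp"))
    return results


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:32} {verdict}")
```

Two things the run makes visible that the list alone does not: swapping entries 30 and 40 lets the gateway's packet-too-big through, because the first matching entry decides; and removing entry 60 drops all UDP and TCP under the implicit deny, which is exactly what Jon's point 4 guards against. The same last entry is also why only ICMP-based traceroute is stopped here: traceroute implementations that probe with UDP instead of ICMP echo match "permit ip any any", so requirement 3 is met for ICMP probes only, as Jon's point 1 states.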
