Quick help with access-list to only allow ICMP

Unanswered Question
Sep 10th, 2008

The inside network is 10.66.70.0/24

I need to apply an access-l to the inside interface to allow the hosts on this internal network to only access servers on port tcp 9890.

These servers reside on destination network 192.168.90.0/24

Also, my second requirement is to only allow this internal network to ping the destination network.

How do I create such access-lists? I know it has to be simple for you guys, so please excuse the basics.

thanks in advance

Overall Rating: 5 (1 ratings)
robertson.michael Wed, 09/10/2008 - 10:32

Hi Angel,

The statements you want will look something like this:

access-list inside-access-out permit tcp 10.66.70.0 255.255.255.0 192.168.90.0 255.255.255.0 eq 9890

access-list inside-access-out permit icmp 10.66.70.0 255.255.255.0 192.168.90.0 255.255.255.0 echo

access-group inside-access-out in interface inside

With these commands, only TCP/9890 and ping traffic will be allowed from your internal hosts to the servers. All other traffic will be denied.

For the ICMP portion of your requirements, you will also need to either enable ICMP inspection, or allow echo replies on an access-list applied to the interface that the 192.168.90.0/24 resides off of.

Hope that helps.

-Mike

insccisco Wed, 09/10/2008 - 10:48

My apologies for not specifying the platform but I have a router. I believe these statements are for a PIX.

I just tried applying them anyway, but they are different; for example, the PIX is not taking the subnet mask in that format, I think it wants wildcards.

Also, I checked the commands for the echo-request portion and nothing found.

So the IOS is different than the PIX.

please help

acomiskey Wed, 09/10/2008 - 10:53

access-list 100 permit tcp 10.66.70.0 0.0.0.255 192.168.90.0 0.0.0.255 eq 9890

access-list 100 permit icmp 10.66.70.0 0.0.0.255 192.168.90.0 0.0.0.255 echo

interface

ip access-group 100 in

insccisco Wed, 09/10/2008 - 11:00

great. thanks for the help guys.

I just applied these 2 statements and no luck.

As soon as I take it out, ping works.

I also added a 3rd line, access-list 100 permit icmp 10.66.70.0 0.0.0.255 192.168.90.0 0.0.0.255 echo-reply and no luck either.

insccisco Wed, 09/10/2008 - 11:05

can anyone please help?

once again, the ping does not work every time I apply the access list to the inside interface

acomiskey Wed, 09/10/2008 - 11:11

Is this applied to the right interface? Could we see more of your config? Is there an access list on the outside interface that would be blocking the echo-reply?
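Putting the thread's two answers together, here is an added IOS example that is not posted by anyone in the thread. It shows the two-line ACL applied inbound on the inside interface, and the point Mike raised for the PIX and acomiskey's last question raises for the router: an IOS ACL is stateless, so if the interface facing 192.168.90.0/24 also carries an inbound ACL, that ACL must explicitly permit the echo-reply (and the TCP/9890 return traffic) or the ping will fail exactly as described. The interface names GigabitEthernet0/0 and GigabitEthernet0/1 and the ACL names INSIDE-IN and SERVERS-IN are assumptions; if the server-side interface is unfiltered, the SERVERS-IN part is not needed.

```cisco
! Added example, not from the thread. Assumed: Gi0/0 = inside (10.66.70.0/24),
! Gi0/1 = towards the servers (192.168.90.0/24).

! Inbound on the inside interface: hosts may only reach the servers on
! TCP/9890 and may only send ICMP echo. Everything else hits the implicit
! "deny ip any any" at the end of the list.
ip access-list extended INSIDE-IN
 remark hosts -> servers, TCP 9890 only
 permit tcp 10.66.70.0 0.0.0.255 192.168.90.0 0.0.0.255 eq 9890
 remark hosts -> servers, ping (echo, ICMP type 8) only
 permit icmp 10.66.70.0 0.0.0.255 192.168.90.0 0.0.0.255 echo
 remark implicit deny ip any any

! Only needed if the server-side interface is filtered inbound as well.
! ACLs are stateless: replies enter on Gi0/1 and are checked against this
! list, not INSIDE-IN, so the return traffic must be permitted here.
ip access-list extended SERVERS-IN
 remark servers -> hosts, TCP 9890 return traffic (ACK or RST set)
 permit tcp 192.168.90.0 0.0.0.255 eq 9890 10.66.70.0 0.0.0.255 established
 remark servers -> hosts, echo-reply (ICMP type 0) so ping gets an answer
 permit icmp 192.168.90.0 0.0.0.255 10.66.70.0 0.0.0.255 echo-reply
 remark implicit deny ip any any

interface GigabitEthernet0/0
 description inside 10.66.70.0/24
 ip access-group INSIDE-IN in

interface GigabitEthernet0/1
 description towards 192.168.90.0/24
 ip access-group SERVERS-IN in
```

To check which line is actually matching, ping from an inside host and watch the per-entry hit counters with `show access-lists INSIDE-IN` and `show access-lists SERVERS-IN`; `show ip interface GigabitEthernet0/1 | include access list` confirms whether any inbound list is applied on the server side at all. If the echo line counts up but no echo-reply line does, the reply is being dropped on the return path, which is the case acomiskey's question is pointing at.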
