Quick help with access-list to only allow ICMP

Sep 10th, 2008

The inside network is 10.66.70.0/24


I need to apply an access-l to the inside interface to allow the hosts on this internal network to only access servers on port tcp 9890.


These servers reside on destination network 192.168.90.0/24


Also, my second requirement is to only allow this internal network to ping the destination network.


How do I create such access-lists? I know it has to be simple for you guys, so please excuse the basics.


thanks in advance

robertson.michael Wed, 09/10/2008 - 10:32

Hi Angel,


The statements you want will look something like this:


access-list inside-access-out permit tcp 10.66.70.0 255.255.255.0 192.168.90.0 255.255.255.0 eq 9890

access-list inside-access-out permit icmp 10.66.70.0 255.255.255.0 192.168.90.0 255.255.255.0 echo-request

access-group inside-access-out in interface inside


With these commands, only TCP/9890 and ping traffic will be allowed from your internal hosts to the servers. All other traffic will be denied.


For the ICMP portion of your requirements, you will also need to either enable ICMP inspection, or allow echo replies on an access-list applied to the interface that the 192.168.90.0/24 resides off of.


Hope that helps.


-Mike

insccisco Wed, 09/10/2008 - 10:48

My apologies for not specifying the platform but I have a router. I believe these statements are for a PIX.


I just tried applying them anyways but they are different, for example, the PIX is not taking the subnet mask in that format, I think it wants wild cards.


Also, I checked the commands for the echo-request portion and nothing found.


So the IOS is different than the PIX.


please help

acomiskey Wed, 09/10/2008 - 10:53

access-list 100 permit tcp 10.66.70.0 0.0.0.255 192.168.90.0 0.0.0.255 eq 9890

access-list 100 permit icmp 10.66.70.0 0.0.0.255 192.168.90.0 0.0.0.255 echo


interface

ip access-group 100 in


insccisco Wed, 09/10/2008 - 11:00

Great. Thanks for the help, guys.


I just applied these 2 statements and no luck.


As soon as I take it out, ping works.


I also added a 3rd line, access-list 100 permit icmp 10.66.70.0 0.0.0.255 192.168.90.0 0.0.0.255 echo-reply and no luck either.

insccisco Wed, 09/10/2008 - 11:05

Can anyone please help?


Once again, the ping does not work every time I apply the access list to the inside interface.

acomiskey Wed, 09/10/2008 - 11:11

Is this applied to the right interface? Could we see more of your config? Is there an access list on the outside interface that would be blocking the echo-reply?
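As an added example (not code from any poster in this thread), the Python below evaluates access-list 100 as given above, including the echo-reply line the asker added, using IOS wildcard-mask matching and the implicit deny at the end of every ACL. It shows what that ACL can and cannot account for: the echo reply has the server as its source, so none of the three lines match it, and an ACL bound "in" on the inside interface only sees packets entering from 10.66.70.0/24 anyway; the reply is checked by whatever is bound on the interface it arrives on, which is what the last reply is asking about. The sample packets are constructed.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional
@dataclass
class Ace:  # one line of an IOS extended ACL: address + wildcard mask
    proto: str                       # "tcp", "icmp" or "ip"
    src: str                         # e.g. "10.66.70.0 0.0.0.255"
    dst: str
    port: Optional[int] = None       # destination port ("eq <port>", tcp)
    icmp_type: Optional[str] = None  # "echo" or "echo-reply"

def wildcard_match(addr: str, spec: str) -> bool:
    net, wild = spec.split()
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(net))
    care = ~int(ipaddress.IPv4Address(wild)) & 0xFFFFFFFF  # mask bit 1 = do not care
    return (a & care) == (n & care)

def evaluate(acl, pkt: dict) -> str:
    # First matching ACE wins; falling off the end is the implicit deny.
    for ace in acl:
        if ace.proto not in ("ip", pkt["proto"]):
            continue
        if not (wildcard_match(pkt["src"], ace.src) and wildcard_match(pkt["dst"], ace.dst)):
            continue
        if ace.port is not None and pkt.get("dport") != ace.port:
            continue
        if ace.icmp_type is not None and pkt.get("icmp_type") != ace.icmp_type:
            continue
        return "permit"
    return "deny"

# ACL 100 as posted in the thread, plus the echo-reply line the asker added.
INSIDE, SERVERS = "10.66.70.0 0.0.0.255", "192.168.90.0 0.0.0.255"
ACL_100 = [
    Ace("tcp", INSIDE, SERVERS, port=9890),
    Ace("icmp", INSIDE, SERVERS, icmp_type="echo"),
    Ace("icmp", INSIDE, SERVERS, icmp_type="echo-reply"),
]
# Constructed sample packets: host 10.66.70.5 talking to server 192.168.90.10.
PACKETS = {
    "app":   {"proto": "tcp", "src": "10.66.70.5", "dst": "192.168.90.10", "dport": 9890},
    "ssh":   {"proto": "tcp", "src": "10.66.70.5", "dst": "192.168.90.10", "dport": 22},
    "echo":  {"proto": "icmp", "src": "10.66.70.5", "dst": "192.168.90.10", "icmp_type": "echo"},
    # The reply flows server -> host, so its source is 192.168.90.10, not 10.66.70.x.
    "reply": {"proto": "icmp", "src": "192.168.90.10", "dst": "10.66.70.5", "icmp_type": "echo-reply"},
}

def verdicts() -> dict:
    return {name: evaluate(ACL_100, pkt) for name, pkt in PACKETS.items()}
```

Running verdicts() gives permit for the TCP/9890 and echo packets and deny for SSH and for the echo reply, even with the extra echo-reply line present.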
