ICMP from certain Networks

jstabl
Level 1

Hello all. I have the following requirements:

Internal network includes:

10.1.1.x/24
10.1.2.x/24
10.1.3.x/24
10.1.4.x/24

I want to allow only the 10.1.1.x network to do ICMP ping and traceroute to outside networks such as Yahoo, etc.

Here is part of my config:

object-group icmp-type icmp-outside-in
 icmp-object echo-reply
 icmp-object time-exceeded
 icmp-object unreachable

access-list outside_access_in extended deny ip 0.0.0.0 255.0.0.0 any
access-list outside_access_in extended deny ip 10.0.0.0 255.0.0.0 any
access-list outside_access_in extended deny ip 127.0.0.0 255.0.0.0 any
access-list outside_access_in extended deny ip 172.16.0.0 255.240.0.0 any
access-list outside_access_in extended deny ip 192.168.0.0 255.255.0.0 any
access-list outside_access_in extended deny ip 224.0.0.0 224.0.0.0 any
access-list outside_access_in extended deny ip host FTP_Block any
access-list outside_access_in extended permit tcp any host xx.xx.157.198 object-group Notes
access-list outside_access_in extended permit tcp any host xx.xx.157.199 eq smtp
access-list outside_access_in extended permit tcp any host xx.xx.157.200 object-group FTP
access-list outside_access_in extended permit icmp any host xx.xx.157.200
access-list outside_access_in extended permit tcp any object-group Production_Websites_ref object-group Web
access-list outside_access_in extended permit tcp any host xx.xx.157.217 eq ssh
access-list outside_access_in extended permit tcp any host xx.xx.157.216 object-group Notes
access-list outside_access_in extended permit icmp any xx.xx.157.192 255.255.255.224 object-group icmp-outside-in
access-list outside_access_in extended deny icmp any xx.xx.157.192 255.255.255.224
access-list outside_access_in extended deny ip any any

access-list dmz_access_in extended permit tcp 10.1.4.0 255.255.255.0 host 10.1.4.21
access-list dmz_access_in extended permit udp 10.1.4.0 255.255.255.0 host 10.1.4.21 eq domain
access-list dmz_access_in extended permit tcp 10.1.4.0 255.255.255.0 host 10.1.4.25
access-list dmz_access_in extended permit udp 10.1.4.0 255.255.255.0 host 10.1.4.25 eq domain
access-list dmz_access_in extended permit ip 10.1.4.0 255.255.255.0 any
access-list dmz_access_in extended permit tcp any host 10.1.4.24
access-list dmz_access_in extended permit udp any host 10.1.4.24
access-list dmz_access_in extended permit icmp any host 10.1.4.24
access-list dmz_access_in extended permit ip 10.1.4.0 255.255.255.0 host 10.1.4.32
access-list dmz_access_in extended permit tcp any host 10.1.4.26 object-group Notes
access-list dmz_access_in extended permit icmp 10.1.4.0 255.255.255.0 host 10.1.4.31
access-list dmz_access_in extended permit tcp any host 10.1.4.25 eq ldap

access-list inside_access_in extended permit ip any any
access-list inside_access_in extended permit icmp any any
access-list inside_access_in extended permit udp any any
access-list inside_access_in extended permit tcp any any

Accepted Solution

Marwan ALshawi
VIP Alumni

What I suggest is to have a look at the following link, which will be helpful for your case:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a0080094e8a.shtml

Good luck.

If helpful, rate.


3 Replies


Thank you. I added this ACE and I can ping out from all internal networks.

access-list outside_access_in extended permit icmp any xx.xx.157.192 255.255.255.224 object-group icmp-outside-in

So I think if I want to block other networks except 10.1.1.0/24 I need another ACE on the inside.

Right now I have this on the inside:

access-list inside_access_in extended permit icmp any any

I think it needs to change to:

access-list inside_access_in extended permit icmp 10.1.1.0 255.255.255.0 any

The last one will allow ICMP as stated in the ACL and deny anything else!!!

Please rate the helpful post.
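Added example, not part of this thread: a small Python model of the ASA's first-match ACL evaluation, used to check the proposed inside ACE. It also shows why ACE order matters: with "permit ip any any" listed above it, as in the inside_access_in ACL posted above, the narrowed ICMP line is never reached, so the other networks keep pinging out. Assumptions: the model matches only protocol, source and destination (ports, object-groups and ICMP inspection are ignored), and 198.51.100.1 and the 10.1.x.10 hosts are constructed test addresses.

```python
import ipaddress
# Added example: a first-match evaluator for the ASA-style
# 'access-list NAME extended ACTION PROTO SRC DST' lines on this page.
# Constructed model: only protocol, source and destination are matched
# (ports, object-groups and ICMP inspection are ignored).

def take_addr(toks):
    """Consume one ASA address spec: 'any', 'host A.B.C.D' or 'NET MASK'."""
    if toks[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), toks[1:]
    if toks[0] == "host":
        return ipaddress.ip_network(toks[1] + "/32"), toks[2:]
    return ipaddress.ip_network(f"{toks[0]}/{toks[1]}", strict=False), toks[2:]

def parse_acl(text):
    """Parse ACE lines, in order, into (action, proto, src_net, dst_net)."""
    acl = []
    for line in text.strip().splitlines():
        t = line.split()          # access-list NAME extended ACTION PROTO ...
        src, rest = take_addr(t[5:])
        dst, _ = take_addr(rest)
        acl.append((t[3], t[4], src, dst))
    return acl

def evaluate(acl, proto, src_ip, dst_ip):
    """First matching ACE wins; 'ip' matches any protocol; else implicit deny."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for action, p, src, dst in acl:
        if p in ("ip", proto) and s in src and d in dst:
            return action
    return "deny"

# Only the ICMP line narrowed, as suggested, with 'permit ip any any' still above it.
NARROWED_ONLY = parse_acl("""
access-list inside_access_in extended permit ip any any
access-list inside_access_in extended permit icmp 10.1.1.0 255.255.255.0 any
""")
# Constructed alternative: decide ICMP first, then permit the rest.
ICMP_FIRST = parse_acl("""
access-list inside_access_in extended permit icmp 10.1.1.0 255.255.255.0 any
access-list inside_access_in extended deny icmp any any
access-list inside_access_in extended permit ip any any
""")

def ping_verdicts(acl):
    """Echo-request from a host in each internal /24 to a constructed outside address."""
    hosts = {"10.1.1.0/24": "10.1.1.10", "10.1.2.0/24": "10.1.2.10",
             "10.1.3.0/24": "10.1.3.10", "10.1.4.0/24": "10.1.4.10"}
    return {net: evaluate(acl, "icmp", ip, "198.51.100.1") for net, ip in hosts.items()}
```

Running ping_verdicts on NARROWED_ONLY still returns permit for all four networks, while ICMP_FIRST permits only 10.1.1.0/24 and leaves the other networks' TCP and UDP traffic untouched.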
