ICMP from certain Networks

Hello all. I have the following requirements:

Internal network includes:

10.1.1.x/24
10.1.2.x/24
10.1.3.x/24
10.1.4.x/24

I want to allow only the 10.1.1.x network to do ICMP ping and traceroute to outside networks such as Yahoo, etc.

Here is part of my config

object-group icmp-type icmp-outside-in
 icmp-object echo-reply
 icmp-object time-exceeded
 icmp-object unreachable

access-list outside_access_in extended deny ip 0.0.0.0 255.0.0.0 any
access-list outside_access_in extended deny ip 10.0.0.0 255.0.0.0 any
access-list outside_access_in extended deny ip 127.0.0.0 255.0.0.0 any
access-list outside_access_in extended deny ip 172.16.0.0 255.240.0.0 any
access-list outside_access_in extended deny ip 192.168.0.0 255.255.0.0 any
access-list outside_access_in extended deny ip 224.0.0.0 224.0.0.0 any
access-list outside_access_in extended deny ip host FTP_Block any
access-list outside_access_in extended permit tcp any host xx.xx.157.198 object-group Notes
access-list outside_access_in extended permit tcp any host xx.xx.157.199 eq smtp
access-list outside_access_in extended permit tcp any host xx.xx.157.200 object-group FTP
access-list outside_access_in extended permit icmp any host xx.xx.157.200
access-list outside_access_in extended permit tcp any object-group Production_Websites_ref object-group Web
access-list outside_access_in extended permit tcp any host xx.xx.157.217 eq ssh
access-list outside_access_in extended permit tcp any host xx.xx.157.216 object-group Notes
access-list outside_access_in extended permit icmp any xx.xx.157.192 255.255.255.224 object-group icmp-outside-in
access-list outside_access_in extended deny icmp any xx.xx.157.192 255.255.255.224
access-list outside_access_in extended deny ip any any

access-list dmz_access_in extended permit tcp 10.1.4.0 255.255.255.0 host 10.1.4.21
access-list dmz_access_in extended permit udp 10.1.4.0 255.255.255.0 host 10.1.4.21 eq domain
access-list dmz_access_in extended permit tcp 10.1.4.0 255.255.255.0 host 10.1.4.25
access-list dmz_access_in extended permit udp 10.1.4.0 255.255.255.0 host 10.1.4.25 eq domain
access-list dmz_access_in extended permit ip 10.1.4.0 255.255.255.0 any
access-list dmz_access_in extended permit tcp any host 10.1.4.24
access-list dmz_access_in extended permit udp any host 10.1.4.24
access-list dmz_access_in extended permit icmp any host 10.1.4.24
access-list dmz_access_in extended permit ip 10.1.4.0 255.255.255.0 host 10.1.4.32
access-list dmz_access_in extended permit tcp any host 10.1.4.26 object-group Notes
access-list dmz_access_in extended permit icmp 10.1.4.0 255.255.255.0 host 10.1.4.31
access-list dmz_access_in extended permit tcp any host 10.1.4.25 eq ldap

access-list inside_access_in extended permit ip any any
access-list inside_access_in extended permit icmp any any
access-list inside_access_in extended permit udp any any
access-list inside_access_in extended permit tcp any any

3 REPLIES

Re: ICMP from certain Networks (accepted solution)

What I suggest is that you have a look at the following link, which will be helpful for your case:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a0080094e8a.shtml

Good luck.

If helpful, rate.


Re: ICMP from certain Networks

Thank you. I added this ACE, and I can ping out from all internal networks.

access-list outside_access_in extended permit icmp any xx.xx.157.192 255.255.255.224 object-group icmp-outside-in

So I think if I want to block the other networks except 10.1.1.0/24, I need another ACE on the inside.

Right now I have this on the inside:

access-list inside_access_in extended permit icmp any any

I think it needs to change to:

access-list inside_access_in extended permit icmp 10.1.1.0 255.255.255.0 any
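Editor's added example, not the poster's configuration or any Cisco code. An ASA access list is evaluated top-down: the first ACE that matches decides, and traffic matching nothing hits the implicit deny at the end. The inside_access_in posted earlier in the thread begins with `permit ip any any`, so an ICMP-specific ACE edited in place behind it is never consulted. The small Python model below replays that first-match evaluation over the thread's own inside ACEs, once with the proposed ICMP line left behind the catch-all and once with it (plus an explicit `deny icmp any any`) moved ahead of it, and generalizes slightly by checking a host from each of the four internal networks. The first-match model, the reordered list and the outside address 203.0.113.10 are this example's assumptions; ports, object-groups and ICMP types are not modelled.

```python
import ipaddress

# Constructed model of how an ASA walks an access list: top-down, first
# matching ACE decides, implicit deny at the end. Only action, protocol,
# source and destination are modelled (no ports, object-groups or ICMP types).

def parse_addr(tok, i):
    """Read one address spec starting at tok[i]; return (network, next index)."""
    if tok[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok[i] == "host":
        return ipaddress.ip_network(tok[i + 1] + "/32"), i + 2
    # ASA writes dotted netmasks, e.g. "10.1.1.0 255.255.255.0"
    return ipaddress.ip_network(f"{tok[i]}/{tok[i + 1]}", strict=False), i + 2

def parse_ace(line):
    """Parse 'access-list NAME extended ACTION PROTO SRC DST' into a dict."""
    tok = line.split()
    action, proto = tok[3], tok[4]
    src, i = parse_addr(tok, 5)
    dst, _ = parse_addr(tok, i)
    return {"action": action, "proto": proto, "src": src, "dst": dst}

def parse_acl(text):
    return [parse_ace(line) for line in text.strip().splitlines()]

def evaluate(acl, proto, src_ip, dst_ip):
    """First-match evaluation; an 'ip' ACE matches every protocol."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for ace in acl:
        if ace["proto"] in ("ip", proto) and src in ace["src"] and dst in ace["dst"]:
            return ace["action"]
    return "deny"  # implicit deny at the end of every ASA access list

# The inside ACL as it would read after the poster's proposed change,
# with the ICMP line edited in place behind the existing "permit ip any any".
AS_POSTED = parse_acl("""
access-list inside_access_in extended permit ip any any
access-list inside_access_in extended permit icmp 10.1.1.0 255.255.255.0 any
access-list inside_access_in extended permit udp any any
access-list inside_access_in extended permit tcp any any
""")

# Assumed ordering (this example's suggestion): the ICMP permit for 10.1.1.0/24
# and an explicit ICMP deny sit ahead of the catch-all so they are consulted.
REORDERED = parse_acl("""
access-list inside_access_in extended permit icmp 10.1.1.0 255.255.255.0 any
access-list inside_access_in extended deny icmp any any
access-list inside_access_in extended permit ip any any
""")

OUTSIDE_HOST = "203.0.113.10"  # constructed outside address (TEST-NET-3)

def summary(acl):
    """Verdict for one host from each internal network pinging OUTSIDE_HOST."""
    return {net: evaluate(acl, "icmp", f"10.1.{net}.5", OUTSIDE_HOST)
            for net in (1, 2, 3, 4)}

if __name__ == "__main__":
    print("as posted :", summary(AS_POSTED))   # every network permitted
    print("reordered :", summary(REORDERED))   # only 10.1.1.x permitted
    print("tcp still :", evaluate(REORDERED, "tcp", "10.1.2.5", OUTSIDE_HOST))
```

On a live ASA the equivalent check is `show access-list inside_access_in`, which prints each ACE with its line number and hit count; an ACE whose hit count never moves while the traffic is flowing is a sign that an earlier line is matching first.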

Re: ICMP from certain Networks

The last one will allow ICMP as stated in the ACL and deny anything else!

Please rate the helpful post.
