Cisco Support Community

ICMP Traffic on an 877 with 8 IP addresses

Hello,

I have always wondered what is regarded as the best setup for ICMP traffic with 8 IP addresses. I am using Multi-Nat on an 877W router.

Basically, what types should be allowed out and in to my network? Should I allow it to just the router IP address, or the others as well? I'm guessing the broadcast address may be a bad idea. So far I'm using this setup:

Incoming, only to router address:

access-list 102 permit icmp any host 217.155.xxx.xxx echo

access-list 102 permit icmp any host 217.155.xxx.xxx echo-reply

access-list 102 permit icmp any host 217.155.xxx.xxx time-exceeded

access-list 102 permit icmp any host 217.155.xxx.xxx unreachable

access-list 102 permit icmp any host 217.155.xxx.xxx source-quench

access-list 102 permit icmp any host 217.155.xxx.xxx packet-too-big

access-list 102 deny icmp any any

Outgoing, I allow all ICMP.

2 REPLIES

Re: ICMP Traffic on an 877 with 8 IP addresses

Preferred incoming ICMP from the internet should be limited to echo, unreachable and time-exceeded only. Deny others.

But if you want a trusted external host to be able to ping the IP(s), allow echo-reply on the specific ACL permitting the source/destination address.

HTH

AK


Re: ICMP Traffic on an 877 with 8 IP addresses

You should permit the following (deny other ICMP traffic):

echo type 8 code 0 purpose --> Ping

echo-reply type 0 code 0 purpose --> Ping response

unreachable type 3 code 4 purpose --> Used by path MTU to determine the optimal MTU setting

ttl-exceeded type 11 code 0 purpose --> TTL expired in transit. Used by traceroute

M.

Hope that helps; rate if it does.
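
An added example, not part of the thread and not Cisco tooling: a small Python model of first-match ACL evaluation that compares the ACL from the question with the permit list in the second reply. The addresses 192.0.2.1 and 192.0.2.2 are constructed stand-ins for the masked 217.155.xxx.xxx addresses, the reply's "unreachable type 3 code 4" is assumed to correspond to the IOS keyword packet-too-big, and only the keywords used in this thread are mapped.

```python
import ipaddress

# IOS ICMP keywords seen in this thread -> (type, code); None matches any code.
KEYWORDS = {
    "echo": (8, None), "echo-reply": (0, None), "unreachable": (3, None),
    "packet-too-big": (3, 4), "source-quench": (4, None),
    "time-exceeded": (11, None), "ttl-exceeded": (11, 0),
}

def parse_acl(text):
    """Parse 'access-list N permit|deny icmp any host A|any [keyword]' lines."""
    rules = []
    for line in text.strip().splitlines():
        tok = line.split()
        if len(tok) < 6 or tok[0] != "access-list" or tok[3:5] != ["icmp", "any"]:
            raise ValueError(f"unsupported ACL line: {line!r}")
        if tok[5] == "host":
            dst, rest = ipaddress.ip_address(tok[6]), tok[7:]
        else:  # destination 'any'
            dst, rest = None, tok[6:]
        rules.append((tok[2], dst, KEYWORDS[rest[0]] if rest else (None, None)))
    return rules

def evaluate(rules, dst, icmp_type, icmp_code):
    """First matching entry decides; an ACL ends with an implicit deny."""
    dst = ipaddress.ip_address(dst)
    for action, rule_dst, (t, c) in rules:
        if rule_dst in (None, dst) and t in (None, icmp_type) and c in (None, icmp_code):
            return action
    return "deny"

def differences(acl_a, acl_b, dst, probes):
    """Return the (type, code) probes on which the two ACLs disagree."""
    return [p for p in probes if evaluate(acl_a, dst, *p) != evaluate(acl_b, dst, *p)]

ROUTER, OTHER = "192.0.2.1", "192.0.2.2"   # constructed documentation addresses
KINDS = ["echo", "echo-reply", "time-exceeded", "unreachable", "source-quench", "packet-too-big"]
QUESTION_ACL = parse_acl("\n".join(
    [f"access-list 102 permit icmp any host {ROUTER} {k}" for k in KINDS]
    + ["access-list 102 deny icmp any any"]))
REPLY_ACL = parse_acl("\n".join(
    [f"access-list 102 permit icmp any host {ROUTER} {k}"
     for k in ["echo", "echo-reply", "packet-too-big", "ttl-exceeded"]]
    + ["access-list 102 deny icmp any any"]))
PROBES = [(8, 0), (0, 0), (3, 1), (3, 3), (3, 4), (4, 0), (5, 1), (11, 0), (11, 1)]

if __name__ == "__main__":
    print("differs:", differences(QUESTION_ACL, REPLY_ACL, ROUTER, PROBES))
    print("type 3 code 4 to other address:", evaluate(QUESTION_ACL, OTHER, 3, 4))
```

In this model the question's ACL additionally admits the other unreachable codes, source-quench and time-exceeded code 1 to the router address, and it drops type 3 code 4 addressed to any of the other public addresses.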
