Cisco Support Community
Community Member

icmp and concept of their messages (echo-reply, time-exceeded,,etc)

If we have these type of ACLs

permit icmp any any echo-reply

permit icmp any any time-exceeded

permit icmp any any port-unreachable

As we know, an echo-reply means that if I send an echo-request, I expect to receive an echo-reply (i.e. an echo-reply is the response to an echo-request). To my knowledge an echo-reply cannot be initiated unless there is an echo-request. Am I right?

1- Do all other types of ICMP messages rely on an echo-request as well (i.e. behave like an echo-reply), or are they independent?

2- Does an ACL statement "deny icmp any any" deny all types of ICMP messages?

7 REPLIES

Re: icmp and concept of their messages (echo-reply, time-exceeded, etc)

Hello,

A1) No, an ICMP echo reply will be triggered by an ICMP echo request only.

A2) Yes, all ICMP messages will be denied.

The other ICMP messages are triggered by other events. To give you some examples: an ICMP port unreachable will be sent when a TCP or UDP packet arrives for a port which is not listening. An ICMP TTL exceeded message will be sent when an IP packet is dropped because the TTL value reached 0. This is what a traceroute uses to list all the routers in the path to the destination.

A traceroute sends three IP packets with TTL=1 and lists the source IP address of the ICMP TTL exceeded message. Then TTL=2 is sent and again the source IP of the ICMP TTL exceeded message is printed. Then TTL=3 and so on until the destination is reached.

Hope this helps! Please rate all posts.

Regards, Martin

Community Member

Re: icmp and concept of their messages (echo-reply, time-exceeded, etc)

Suppose I have R1 with this reflexive ACL:

R1:

ip access-list extended FILTER-IN

permit icmp 10.0.0.0 0.0.0.255 any reflect GOODGUYS

permit ip any any

ip access-list extended FILTER-OUT

deny udp any any eq snmp

permit icmp any any time-exceeded

permit icmp any any port-unreachable

evaluate GOODGUYS

deny icmp any any

permit ip any any

!

interface Ethernet0/1

ip access-group FILTER-IN in

ip access-group FILTER-OUT out

The FILTER-IN list monitors packet data as it is sent into the E0/1 interface. The data is captured and put into a temporary list called GOODGUYS.

The FILTER-OUT list looks at the data stored in GOODGUYS and monitors TCP/IP traffic being delivered out the E0/1 interface.

Any TCP/IP traffic that originated from the 10.0.0.0 network is allowed to come back into the network.

1- Will the traffic be filtered only on the basis of the ICMP protocol?

2- How does the reflexive ACL check the origin of a packet? Does it compare the destination IP address of a returned packet with the source IP address of a dispatched packet?

3- What will happen if I replace "permit icmp 10.0.0.0 0.0.0.255 any reflect GOODGUYS" with "permit ip (instead of icmp) 10.0.0.0 0.0.0.255 any reflect GOODGUYS"? Am I going to include permission of an ICMP packet as well?

Community Member

Re: icmp and concept of their messages (echo-reply, time-exceeded, etc)

Recall:

((If we have these types of ACLs

permit icmp any any echo-reply

permit icmp any any time-exceeded

permit icmp any any port-unreachable ))

As we know, by default anything after that will be denied.

Won't the ACL "permit icmp any any echo-request" still be permitted implicitly? The reason for this conclusion is that echo-reply relies on echo-request.

Community Member

Re: icmp and concept of their messages (echo-reply, time-exceeded, etc)

But if I have the scenario below:

permit icmp any any echo (echo-request) (the previous scenario was echo-reply)

permit icmp any any time-exceeded

permit icmp any any port-unreachable

Then in this case echo-reply is denied by default, because echo-request does not rely on echo-reply. Am I right?

Purple

Re: icmp and concept of their messages (echo-reply, time-exceeded, etc)

No, echo-requests will be denied. Remember that the two messages travel in opposite directions. So this ACL will permit the reply, not a request.

Hope that helps - pls rate the post if it does.

Paresh
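To make Martin's and Paresh's points concrete (echo-request and echo-reply are different ICMP types, an ACL keyword matches only its own type, and "deny icmp any any" catches every type before the implicit deny), here is an added example that is not from the thread or from Cisco: a small evaluator for the thread's ACL lines. The ICMP type/code numbers are the standard RFC 792 values; the packet addresses and the Packet class are constructed for the demo.

```python
from dataclasses import dataclass
from typing import Optional

# Cisco ACL ICMP keywords -> (type, code); None code means "any code".
# The Cisco keyword for an echo-request is "echo", as the thread notes.
ICMP_KEYWORDS = {
    "echo-reply": (0, None),
    "unreachable": (3, None),
    "port-unreachable": (3, 3),
    "echo": (8, None),
    "time-exceeded": (11, None),
}

@dataclass(frozen=True)
class Packet:            # constructed, minimal packet model
    proto: str           # "icmp", "tcp", "udp"
    src: str
    dst: str
    icmp_type: Optional[int] = None
    icmp_code: Optional[int] = None

def parse_ace(line):
    """Parse 'permit|deny <proto> <src> <dst> [icmp-keyword]' (only 'any' addresses)."""
    parts = line.split()
    if len(parts) < 4 or parts[0] not in ("permit", "deny"):
        raise ValueError(f"unsupported ACE: {line!r}")
    action, proto, src, dst = parts[:4]
    itype, icode = ICMP_KEYWORDS[parts[4]] if len(parts) > 4 else (None, None)
    return action, proto, src, dst, itype, icode

def evaluate(acl_lines, pkt):
    """First matching ACE wins; a Cisco ACL ends with an implicit deny."""
    for line in acl_lines:
        action, proto, src, dst, itype, icode = parse_ace(line)
        if proto != "ip" and proto != pkt.proto:
            continue
        if src != "any" or dst != "any":      # demo handles 'any' only
            raise ValueError("address matching not modelled")
        if itype is not None and pkt.icmp_type != itype:
            continue
        if icode is not None and pkt.icmp_code != icode:
            continue
        return action
    return "deny"                              # implicit deny

THREAD_ACL = ["permit icmp any any echo-reply",
              "permit icmp any any time-exceeded",
              "permit icmp any any port-unreachable"]
DENY_ALL_ICMP = ["deny icmp any any", "permit ip any any"]
```

An echo-reply (type 0) matches the first line, an echo-request (type 8) falls through to the implicit deny, and a host-unreachable (type 3, code 1) is also denied because "port-unreachable" means code 3 only.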

Community Member

Re: icmp and concept of their messages (echo-reply, time-exceeded, etc)

((No, echo-requests will be denied.))

1- Yes, you are right. An echo-request will be permitted to leave a router (say RA) to its final destination (outbound traffic); then as a result RA will expect an echo-reply (which is the response to the echo-request) from the final destination to enter the interface of RA (inbound traffic).

2- In this scenario, is it mandatory to apply the ACL as inbound (not outbound), because I am expecting to receive the echo-reply (i.e. it tries to enter an interface of the router)?

Purple

Re: icmp and concept of their messages (echo-reply, time-exceeded, etc)

That is correct. The ACL is inbound because the reply is being *received* through that interface.

Hope that helps - pls rate the post if it does.

Paresh
