Cisco Support Community
New Member

allow icmp echo requests?

Should we or should we not allow ICMP echo requests to hit our corporate VPN concentrators, and why?

2 REPLIES
New Member

Re: allow icmp echo requests?

I would not recommend leaving ICMP Echo wide open on your concentrators. Echo is still used in DoS attacks.

However, if some of your connections are using static IPs that don't change, I would recommend building ACLs to permit these hosts to use tools like Echo, Echo-Reply, TTL, TTL-exceeded. This gives you troubleshooting abilities when the connections aren't working.

For your DHCP-assigned clients, this approach isn't going to work. However, you may consider using another isolated non-production box that they can traceroute or ping to just to test their network connectivity to the office.

Hope this helps.

Happy Routing,

Ron

Anonymous
N/A

Re: allow icmp echo requests?

Ron,

Thanks for your response. I like your idea of using another address to test network connectivity from our clients back to corporate. Since we advertise our own class B network to the Internet, I guess I could create a loopback address on our external routers & use that to test network connectivity from our clients?

-Mike
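
The two suggestions in this thread (ACLs for static-IP peers, and a separate test address for everyone else) could be written as a Cisco IOS extended ACL on the Internet-facing router, as sketched here. This is an added example, not configuration posted by either participant: every address, the ACL name and the interface names are constructed, and it assumes the filtering is done on an IOS edge router in front of the concentrators.

```cisco
! Constructed addresses (RFC 5737 documentation ranges), not from the thread:
!   198.51.100.10                VPN concentrator public address
!   198.51.100.254               loopback test address on the edge router
!   203.0.113.20, 203.0.113.21   remote peers with static IPs
!
! Test target for DHCP-assigned clients: a loopback on the edge router
interface Loopback10
 description Ping/traceroute test target for remote clients
 ip address 198.51.100.254 255.255.255.255
!
ip access-list extended INTERNET-IN
 remark Static-IP peers may ping the concentrator
 permit icmp host 203.0.113.20 host 198.51.100.10 echo
 permit icmp host 203.0.113.21 host 198.51.100.10 echo
 remark Replies to pings the concentrator sends to those peers
 permit icmp host 203.0.113.20 host 198.51.100.10 echo-reply
 permit icmp host 203.0.113.21 host 198.51.100.10 echo-reply
 remark Hop replies to traceroutes started from the concentrator
 permit icmp any host 198.51.100.10 time-exceeded
 remark Keep path MTU discovery working for tunnel traffic
 permit icmp any host 198.51.100.10 packet-too-big
 remark Any client may ping the test loopback
 permit icmp any host 198.51.100.254 echo
 remark Drop and log every other ICMP packet aimed at the concentrator
 deny   icmp any host 198.51.100.10 log
 remark Placeholder for the rest of the existing edge policy (assumption)
 permit ip any any
!
! Interface name is an assumption; apply inbound on the Internet side
interface GigabitEthernet0/0
 ip access-group INTERNET-IN in
```

Inbound interface ACLs also filter traffic addressed to the router itself, so the loopback entry must sit in the same list; the `log` keyword on the deny line gives a record of blocked echo attempts against the concentrator.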
