Cisco IOS Access List Help

Status
This thread has been Locked and is not open to further replies. Please start a New Thread if you're having a similar issue. View our Welcome Guide to learn how to use this site.

Doug Vitale

Thread Starter
Joined
Jan 27, 2005
Messages
148
Would any Cisco experts be able to lend a hand with the following ACL requirements that I need to implement on a Cisco router at work?

  1. Block all inbound ICMP messages with the exception of Echo Reply (type 0) and Time Exceeded (type 11). ICMP type 3, code 4 is permitted inbound with the following exception: it must be denied from external access gateway (AG) addresses, otherwise permitted.

  2. Also block all outbound ICMP message types except Echo Request (type 8), Parameter Problem (type 12), Source Quench (type 4), and Destination Unreachable - Fragmentation Needed and Don't Fragment was Set (type 3, code 4).

  3. Also block all inbound traceroutes to prevent network discovery by unauthorized users.

Thanks for any help!
 
Joined
Aug 26, 2005
Messages
894
Assuming this is a router. Also, "blocking traceroute" is very ambiguous. It's close enough; a better way would be some reflexive ACLs, but this is assuming you're running 12.0x.

int x/x
 ip access-group foo1 in
 ip access-group foo2 out
!
ip access-list extended foo1
 remark inbound: only echo-reply, time-exceeded, unreachable and source-quench get through
 permit icmp any any echo-reply
 permit icmp any any time-exceeded
 remark x.x.x.x = external access gateway, y.y.y.y = inside host; these denies must sit above the general permits
 deny icmp host x.x.x.x host y.y.y.y unreachable
 deny icmp host x.x.x.x host y.y.y.y source-quench
 permit icmp any any unreachable
 permit icmp any any source-quench
 deny icmp any any log-input
 permit ip any any
!
ip access-list extended foo2
 remark outbound: only echo, parameter-problem, source-quench and unreachable get through
 permit icmp any any echo
 permit icmp any any parameter-problem
 permit icmp any any source-quench
 permit icmp any any unreachable
 deny icmp any any log-input
 permit ip any any
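Because IOS evaluates an extended ACL top-down and stops at the first matching entry, the order of the AG-specific deny and the general permit decides whether requirement 1 is actually met, and the difference between the `unreachable` keyword (all of type 3) and `packet-too-big` (type 3, code 4 only) decides how much of type 3 is let in. The following is an added example, not code from the thread or from Cisco: a small first-match evaluator in Python that models just the subset of extended-ACL semantics used above (protocol, `any`/`host` source and destination, the ICMP type keywords, and a UDP destination-port range for traceroute probes). The AG address 192.0.2.10, the inside host 198.51.100.5, the outside host 203.0.113.7 and the sample packets are all constructed placeholders.

```python
"""Added example: first-match evaluator for a subset of Cisco IOS extended-ACL
semantics, used to check the inbound rules from the question against sample
packets. Not the thread's config and not Cisco code; addresses are placeholders."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# ICMP keyword -> (type, code). A code of None matches any code, which is how
# IOS treats a type-only keyword such as 'unreachable'.
ICMP_KEYWORDS = {
    "echo-reply": (0, None),
    "unreachable": (3, None),
    "packet-too-big": (3, 4),
    "source-quench": (4, None),
    "echo": (8, None),
    "time-exceeded": (11, None),
    "parameter-problem": (12, None),
}


@dataclass(frozen=True)
class Packet:
    proto: str                      # "icmp" or "udp"
    src: str
    dst: str
    icmp_type: Optional[int] = None
    icmp_code: Optional[int] = None
    dport: Optional[int] = None     # UDP destination port


@dataclass(frozen=True)
class Entry:
    action: str                     # "permit" or "deny"
    proto: str                      # "ip", "icmp" or "udp"
    src: str                        # "any" or a single host address
    dst: str
    icmp_kw: Optional[str] = None
    dport_range: Optional[Tuple[int, int]] = None   # inclusive (lo, hi) for udp

    def matches(self, p: Packet) -> bool:
        if self.proto != "ip" and self.proto != p.proto:
            return False
        if self.src != "any" and self.src != p.src:
            return False
        if self.dst != "any" and self.dst != p.dst:
            return False
        if self.icmp_kw is not None:
            t, c = ICMP_KEYWORDS[self.icmp_kw]
            if p.icmp_type != t or (c is not None and p.icmp_code != c):
                return False
        if self.dport_range is not None:
            lo, hi = self.dport_range
            if p.dport is None or not lo <= p.dport <= hi:
                return False
        return True


def evaluate(acl: List[Entry], p: Packet) -> str:
    """Top-down, first match wins; no match means the implicit deny."""
    for e in acl:
        if e.matches(p):
            return e.action
    return "deny"


AG = "192.0.2.10"          # placeholder: external access gateway
INSIDE = "198.51.100.5"    # placeholder: protected inside host

# Inbound ACL built from the three requirements in the question.
INBOUND = [
    Entry("permit", "icmp", "any", "any", "echo-reply"),
    Entry("permit", "icmp", "any", "any", "time-exceeded"),
    Entry("deny",   "icmp", AG,    "any", "packet-too-big"),   # before the permit
    Entry("permit", "icmp", "any", "any", "packet-too-big"),   # type 3 code 4 only
    Entry("deny",   "icmp", "any", "any"),                     # everything else ICMP
    # Classic UDP traceroute probes walk up from port 33434; block the range.
    Entry("deny",   "udp",  "any", "any", dport_range=(33434, 33523)),
    Entry("permit", "ip",   "any", "any"),
]


def check_inbound(p: Packet) -> str:
    return evaluate(INBOUND, p)


def ag_frag_needed_decision(deny_first: bool) -> str:
    """Decision for a type 3/code 4 from the AG when the AG deny is placed
    before (deny_first=True) or after the general packet-too-big permit."""
    deny = Entry("deny", "icmp", AG, "any", "packet-too-big")
    permit = Entry("permit", "icmp", "any", "any", "packet-too-big")
    acl = [deny, permit] if deny_first else [permit, deny]
    return evaluate(acl, Packet("icmp", AG, INSIDE, 3, 4))


if __name__ == "__main__":
    for pkt in (Packet("icmp", "203.0.113.7", INSIDE, 0, 0),
                Packet("icmp", AG, INSIDE, 3, 4),
                Packet("icmp", "203.0.113.7", INSIDE, 3, 1),
                Packet("udp", "203.0.113.7", INSIDE, dport=33440)):
        print(pkt, "->", check_inbound(pkt))
    print("AG deny below the permit ->", ag_frag_needed_decision(False))
```

The `ag_frag_needed_decision(False)` case is the one to keep in mind when editing a live ACL: with the AG deny placed below the general permit it never fires, and the gateway's fragmentation-needed messages are let in. Inbound Echo Request is already covered by the catch-all ICMP deny, so ICMP-based traceroute (Windows tracert) is stopped by the same entry that stops pings.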
 