Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
4142
Views
5
Helpful
7
Replies

icmp and concept of their messages (echo-reply, time-exceeded,,etc)

zillah2004
Level 1
Level 1

‎01-31-2006 11:13 AM - edited ‎03-03-2019 01:38 AM

If we have these type of ACLs

permt icmp any any echo-reply

permt icmp any any time-exceeded

permt icmp any any port-unreachable

As we know that an echo-reply means, if I send an echo-request, I am going to expect to receive an ech-reply,,,,(i.e. an echo-reply is response (result) to an echo-request.,,,to my knowledge an echo-reply can not be initiated unless there is an echo-request,,,Am I right ? )

1- Does all other types of icmp messages relay on an echo-request as well (i.e. behave as an echo-reply ) ? or they are independent ?

2- Does an ACL statement "deny icmp any any ", deny all types of icmp messages ?

Labels:
0 Helpful
7 Replies 7

mheusinger
Level 10
Level 10

‎01-31-2006 11:37 AM

Hello,

A1) No, an ICMP echo reply will be triggered by an ICMP echo request only.

A2) Yes, all ICMP messages will be denied.

The other ICMP messages are triggered by other events. To give you some examples: An ICMP port unreachable will be sent in case there is a TCP or UDP packet to a port which is not listening. An ICMP TTL exceeded message will be sent, when an IP packet is dropped, because the TTL value reached 0. This is what a traceroute will use to list all the routers in the path to the destination.

A traceroute sends three IP packets with TTL=1 and list the source IP address of the ICMP TTL exceeded message. Then TTL=2 is sent and again source IP of the ICMP TTL exceeded message will be printed. Then TTL=3 and so on until the destination is reached.

Hope this helps! Please rate all posts.

Regards, Martin

zillah2004
Level 1
Level 1
In response to mheusinger

‎02-01-2006 12:12 AM

Suppose I have got R1 with these reflexive ACL

R1:

ip access-list extended FILTER-IN

permit icmp 10.0.0.0 0.0.0.255 any reflect GOODGUYS

permit ip any any

ip access-list extended FILTER-OUT

deny udp any any eq snmp

permit icmp any any time-exceeded

permit icmp any any port-unreachable

evaluate GOODGUYS

deny icmp any any

permit ip any any

!

interface Ethernet0/1

ip access-group FILTER-IN in

ip access-group FILTER-OUT out

FILTER-IN list monitors packet data as it is sent into the E0/1 interface. The data is captured and put into a temporary list called GOODGUYS.

The FILTER-OUT list looks at the data stored in GOODGUYS and monitor TCP/IP traffic being delivered out the E0/1 interface.

Any TCP/IP traffic that originated from the 10.0.0.0 network is allowed to come back into the network.

1- Does the traffic will be filtered only on base of icmp protocol ?

2- How does the reflaxive ACL check the originate of packet ? does it compare the destination ip address of a returned packet with the source ip address of a dispatched packet ?

3- What will the case be if I replaced the "permit icmp 10.0.0.0 0.0.0.255 any reflect GOODGUYS" with "permit ip (instead of icmp) 10.0.0.0 0.0.0.255 any reflect GOODGUYS" ? Am I going to include permission of an icmp packet as well?

0 Helpful

zillah2004
Level 1
Level 1
In response to zillah2004

‎02-01-2006 11:37 PM

Recall

((If we have these type of ACLs

permit icmp any any echo-reply

permit icmp any any time-exceeded

permit icmp any any port-unreachable ))

As we know by default any thing after will be denied.

Won't the ACL "permit icmp any any echo-request" still be permitted implicitly ?,,,,,the reason for this conclusion is that echo-reply relys on echo-request.

0 Helpful

zillah2004
Level 1
Level 1
In response to zillah2004

‎02-02-2006 12:11 AM

But if I have the below scenario :

permit icmp any any echo (echo-request),,,previous scenario was echo-reply

permit icmp any any time-exceeded

permit icmp any any port-unreachable

Then in this case echo-reply is denied by default, because echo-request does not rely on echo-reply,,,,Am I right ?

0 Helpful

pkhatri
Level 11
Level 11
In response to zillah2004

‎02-02-2006 12:13 AM

No, echo-requests will be denied. Remember that the two messages travel in opposite directions. So this ACL will permit the reply, not a request.

Hope that helps - pls rate the post if it does.

Paresh

0 Helpful

zillah2004
Level 1
Level 1
In response to pkhatri

‎02-02-2006 01:14 AM

((No, echo-requests will be denied. ))

1- Yes you are right,,,echo-request will be permitted to leave a router (say RA) to its final destination (outbound traffic),,,then as result RA will expect echo-reply (which is response to echo-request) from final destination to enter the interface of RA (inbound traffic)

2- In this scenario is it mandotary to apply ACL as inbound (not outbound),,,,because I am expecting to receive (try to enter an interface of a router) the echo-reply

0 Helpful

pkhatri
Level 11
Level 11
In response to zillah2004

‎02-02-2006 01:17 AM

That is correct. The ACL is inbound because the reply is being *received* through that interface.

Hope that helps - pls rate the post if it does.

Paresh

0 Helpful
Customers Also Viewed These Support Documents

Review Cisco Networking for a $25 gift card