11-01-2006 03:02 PM - edited 03-09-2019 04:44 PM
During preliminary testing of an ACL I intend to implement on a small-scale business network, I added the statement:
"deny icmp host 192.168.3.51 host 192.168.1.1 echo" and found that it did indeed kill my echos, but I also found that my Telnet session fell too. I am fairly new to the security realm but maybe someone could fill me in on if Telnet needs ICMP Echo to function. I did research Telnet and there is some information on an "echo" but I'm thinking it's part of the Telnet protocol and not the ICMP Echo that I am referring to. Any help would be great!
11-01-2006 07:52 PM
Aaron
Telnet runs over the TCP protocol and denying icmp echo will not directly stop telnet. Did you demonstrate that telnet between the two hosts worked before you changed the access list? And with the access list denying icmp echo and telnet does not work have you tested to find whether removing the deny icmp echo allows telnet to work again?
Is it possible that the deny icmp echo is the only statement in the access list? If so then what needs to be clear is that access-group is used on an interface to apply an access list, but if there are no statements in the access list then traffic is permitted. But as soon as there is any statement in the access list then there is an implicit deny at the bottom of the access list. So if the access list were empty the telnet would work, but when you add the deny for icmp echo then the implicit deny would deny the telnet.
If none of the suggestions I have made resolve your issue then I believe that we need some additional information. Can you post the access list that you are using? And some information about the topology of your network?
HTH
Rick
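The implicit-deny behaviour Rick describes, as an added Python example (not from the thread and not Cisco code): a small first-match evaluator for a subset of IOS extended-ACL syntax, showing that the single deny line blocks Telnet while adding explicit permits restores it. The supported syntax (host/any, eq port, an ICMP type name) and the rule that an empty list permits everything are assumptions of the model.

```python
from dataclasses import dataclass

@dataclass
class Packet:
    proto: str           # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: int = 0       # TCP/UDP destination port
    icmp_type: str = ""  # ICMP type name, e.g. "echo"

def _parse_addr(tokens):
    """Consume 'any' or 'host A.B.C.D'; wildcard masks are not modelled."""
    if tokens[0] == "any":
        return "any", tokens[1:]
    if tokens[0] == "host":
        return tokens[1], tokens[2:]
    raise ValueError(f"unsupported address form: {tokens}")
def parse_ace(line):
    """Parse one access-control entry: action proto src dst [eq port | icmp-type]."""
    tokens = line.split()
    action, proto = tokens[0], tokens[1]
    src, rest = _parse_addr(tokens[2:])
    dst, rest = _parse_addr(rest)
    qualifier = None
    if rest[:1] == ["eq"]:  # tcp/udp destination port, numeric or the keyword "telnet"
        qualifier = int(rest[1]) if rest[1].isdigit() else {"telnet": 23}[rest[1]]
    elif rest:              # ICMP type name such as "echo"
        qualifier = rest[0]
    return {"action": action, "proto": proto, "src": src, "dst": dst, "qualifier": qualifier}
def ace_matches(ace, pkt):
    if ace["proto"] != "ip" and ace["proto"] != pkt.proto:
        return False
    if ace["src"] not in ("any", pkt.src) or ace["dst"] not in ("any", pkt.dst):
        return False
    if ace["qualifier"] is None:
        return True
    return ace["qualifier"] == (pkt.icmp_type if pkt.proto == "icmp" else pkt.dport)
def evaluate(acl_lines, pkt):
    """First matching entry wins. A non-empty list ends in an implicit deny; an empty one permits."""
    for ace in map(parse_ace, acl_lines):
        if ace_matches(ace, pkt):
            return ace["action"]
    return "deny" if acl_lines else "permit"

# Constructed sample: the thread's one-line ACL, and the same list with explicit permits added.
ONE_LINE_ACL = ["deny icmp host 192.168.3.51 host 192.168.1.1 echo"]
FIXED_ACL = ONE_LINE_ACL + ["permit tcp any any", "permit udp any any"]
TELNET = Packet("tcp", "192.168.3.51", "192.168.1.1", dport=23)
PING = Packet("icmp", "192.168.3.51", "192.168.1.1", icmp_type="echo")
```

With ONE_LINE_ACL the Telnet packet matches nothing and falls to the implicit deny; with FIXED_ACL it hits the permit while the echo request is still dropped.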
11-02-2006 09:25 PM
Rick,
Thanks for your help, I'm not quite sure what I had set up, but I started from scratch and added permit udp & tcp statements like you illustrated and it worked as expected. Thanks for your time and assistance. I'm still a bit frustrated that my 3750 is routing between VLANs even with the "no ip routing" command, can't quite figure that one out because I assumed that VLAN traffic would only hit the local VLAN interface, then drop off if no routing is enabled. Thanks again for answering my original question.
Aaron