ICMP ACL......please advise......

Here is the ICMP ACL.....I thought I was supposed to have according to the reading I did........but I am seeking advice....

I cannot ping my inside Cisco Router.......from the internet....I think I may have gone overboard here??

access-list 101 remark ---ICMP---
access-list 101 permit icmp any any parameter-problem
access-list 101 permit icmp any any net-unreachable
access-list 101 permit icmp any any host-unreachable
access-list 101 permit icmp any any port-unreachable
access-list 101 permit icmp any any packet-too-big
access-list 101 permit icmp any any administratively-prohibited
access-list 101 permit icmp any any source-quench
access-list 101 permit icmp any any ttl-exceeded
access-list 101 permit icmp any any echo-reply
access-list 101 deny   icmp any any log

Iulian Vaideanu
Level 4

How is the ACL used?  I mean, on which interface it's applied (what the interface is for) and on which direction (input or output)...

Hi.....

This ACL is on my "outside interface-Internet".......

I was just trying to prevent any type of "flood" attacks......

I can ping out just fine....

But I cannot ping in.....

Hello,

you forgot one line:

access-list 101 remark ---ICMP---
access-list 101 permit icmp any any parameter-problem
access-list 101 permit icmp any any net-unreachable
access-list 101 permit icmp any any host-unreachable
access-list 101 permit icmp any any port-unreachable
access-list 101 permit icmp any any packet-too-big
access-list 101 permit icmp any any administratively-prohibited
access-list 101 permit icmp any any source-quench
access-list 101 permit icmp any any ttl-exceeded
access-list 101 permit icmp any any echo-reply

access-list 101 permit icmp any any echo


access-list 101 deny   icmp any any log
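
An added example, not part of the original thread: a small Python model of first-match ACL evaluation that shows why an inbound ping (ICMP echo, type 8) hits the logged deny in the posted list and is permitted once the `echo` line is added. It assumes the ACL is applied inbound on the outside interface; the function names and the keyword-to-type table are written for this illustration and cover only the keywords used above.

```python
# ICMP (type, code) behind each IOS keyword in the thread's ACL; None = any code.
ICMP_NAMES = {
    "echo-reply": (0, None), "echo": (8, None),
    "net-unreachable": (3, 0), "host-unreachable": (3, 1),
    "port-unreachable": (3, 3), "packet-too-big": (3, 4),
    "administratively-prohibited": (3, 13), "source-quench": (4, None),
    "ttl-exceeded": (11, 0), "parameter-problem": (12, None),
}
# The ACL exactly as posted in the question.
ORIGINAL = """\
access-list 101 remark ---ICMP---
access-list 101 permit icmp any any parameter-problem
access-list 101 permit icmp any any net-unreachable
access-list 101 permit icmp any any host-unreachable
access-list 101 permit icmp any any port-unreachable
access-list 101 permit icmp any any packet-too-big
access-list 101 permit icmp any any administratively-prohibited
access-list 101 permit icmp any any source-quench
access-list 101 permit icmp any any ttl-exceeded
access-list 101 permit icmp any any echo-reply
access-list 101 deny   icmp any any log
"""
# The reply's fix: permit echo (type 8) ahead of the logged deny.
FIXED = ORIGINAL.replace("access-list 101 deny",
                         "access-list 101 permit icmp any any echo\naccess-list 101 deny")

def parse_acl(text):
    """Return [(action, icmp_type, icmp_code, log)] for 'icmp any any' entries."""
    entries = []
    for line in text.splitlines():
        tok = line.split()
        if len(tok) < 6 or tok[2] not in ("permit", "deny"):
            continue  # remark or blank line
        if tok[3:6] != ["icmp", "any", "any"]:
            raise ValueError("only 'icmp any any' entries are modelled: " + line)
        names = [t for t in tok[6:] if t != "log"]
        itype, icode = ICMP_NAMES[names[0]] if names else (None, None)
        entries.append((tok[2], itype, icode, "log" in tok[6:]))
    return entries

def evaluate(entries, itype, icode=0):
    """First matching entry wins; no match falls to the implicit deny."""
    for n, (action, t, c, log) in enumerate(entries, 1):
        if (t is None or t == itype) and (c is None or c == icode):
            return action, n, log
    return "deny", None, False

if __name__ == "__main__":
    for label, acl in (("original", ORIGINAL), ("fixed", FIXED)):
        print(label, "echo request (type 8):", evaluate(parse_acl(acl), 8))
```

The returned tuple is (action, matching entry number, whether the entry logs), so the same call can be used to check any other ICMP type against the list before applying it.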

Thank You very much

And now that the problem is resolved, you want to remove the "source-quench" line ... ;-)

Amos Kafwembe
Level 1

What exactly are you trying to achieve?