How to enable TRACEROUTE through a Cisco PIX, ASA

In the outside-in access-list (acl_out), make sure that the following entries are present:

access-list acl_out permit icmp any any time-exceeded
access-list acl_out permit icmp any any unreachable
access-list acl_out permit icmp any any echo
access-list acl_out permit icmp any any echo-reply

I've seen the question asked hundreds of times, and since I finally found how to do it without allowing ALL icmp, I thought I'd share.

Hope it helps!

-J Keegan j keegan at ctny dot net

Reply to
Joseph Keegan

Not quite. By opening any any echo you have now made your network pingable from the real world. By adding unreachable you have now given the outside world the ability to see what addresses you are using. There are only 2 things needed for trace, that's the time-exceeded and echo-reply. I would recommend that you remove the other 2 for obvious security reasons.

Reply to
Brian V

If I want to allow ping, would below be acceptable?

access-list 111 deny icmp any any fragments
access-list 111 permit icmp any any echo
access-list 111 permit icmp any any echo-reply
access-list 111 permit icmp any any packet-too-big
access-list 111 permit icmp any any source-quench
access-list 111 permit icmp any any time-exceeded
access-list 111 deny icmp any any

Reply to
itchibahn

If that is inbound on your outside interface, you are now wide open on ICMP, well not WIDE open, but close enough. The ONLY thing you need for you to be able to ping out is icmp echo-reply. If you want to trace out, you need echo-reply and time-exceeded. Anything more and it's potentially a higher security risk than needed.

Reply to
Brian V

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.