ICMP access list

Hi

I would like to implement an ICMP access list on a 3550 switch to permit all ICMP echo and echo reply traffic;

access-list 101 permit icmp any any echo
access-list 101 permit icmp any any echo-reply

Am I right in thinking that this will not allow other ICMP messages such as host-unreachable, time-exceeded and so on, and if I wanted these I would use 'permit icmp any any'?

Thanks in advance.

Reply to
dilan.weerasinghe

You're correct.

Reply to
Barry Margolin

I agree.

However, if you apply this access-list to an interface, and I don't know of any other way to block ICMP with an access-list, you will also block all other IP traffic.

Maybe you want:-

access-list 101 permit icmp any any echo
access-list 101 permit icmp any any echo-reply
access-list 101 deny icmp any any
access-list 101 permit ip any any

Good luck - don't cut yourself off from remote equipment. reload in 10 ! is your friend

Reply to
Bod43

Thanks guys...

I was thinking that with;

access-list 101 permit icmp any any echo
access-list 101 permit icmp any any echo-reply

there is an implicit deny at the end of the list. Therefore, to permit IP traffic, I'd have to add

access-list 101 permit icmp any any echo
access-list 101 permit icmp any any echo-reply
access-list 101 permit ip any any

However, will this last line then go ahead and allow other ICMP traffic (such as host-unreachable) anyway, or are these only allowed through with the 'permit icmp any any' command? i.e., does ICMP fall under IP when configuring these lists?

I don't have access to the box at the moment, so can't test this out.

Thanks.

Reply to
dilan.weerasinghe

I'm no expert here but I believe you'll need the "access-list 101 deny icmp any any" line after the ICMP allow lines (as Bod43 mentioned) to override the "access-list 101 permit ip any any" rule that would otherwise allow everything (I think ICMP is encapsulated in IP so to allow all IP without the ICMP deny rule would allow all ICMP types).

In my own config for ICMP I have (102=outbound rules):

! permit
access-list 102 permit icmp any any 0
access-list 102 permit icmp any any 3 4
access-list 102 permit icmp any any 4
access-list 102 permit icmp any any 8
access-list 102 permit icmp any any 11
! deny
access-list 102 deny icmp any any
! permit
access-list 102 permit ip any any

hth.

Reply to
user
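The ordering question raised in this thread (does `permit ip any any` let the other ICMP types through, and does a `deny icmp any any` placed before it fix that?) can be checked offline with a small first-match simulator. This is an added example, not code from the thread or from Cisco; it handles only the `any any` entry forms posted above, and the numeric ICMP types and codes follow RFC 792.

```python
"""Added example: first-match evaluation of the Cisco IOS 'any any' ICMP/IP
ACL entries from this thread (not the thread's own code). Types per RFC 792."""
from typing import List, Optional, Tuple

ICMP_NAMES = {"echo": 8, "echo-reply": 0, "unreachable": 3, "time-exceeded": 11}
Rule = Tuple[str, str, Optional[int], Optional[int]]  # action, proto, type, code

# The ACLs posted in the thread, transcribed one entry per line.
ACL_ECHO_ONLY = """access-list 101 permit icmp any any echo
access-list 101 permit icmp any any echo-reply"""
ACL_PERMIT_IP = ACL_ECHO_ONLY + "\naccess-list 101 permit ip any any"
ACL_DENY_ICMP = ACL_ECHO_ONLY + """
access-list 101 deny icmp any any
access-list 101 permit ip any any"""
ACL_102 = """access-list 102 permit icmp any any 0
access-list 102 permit icmp any any 3 4
access-list 102 permit icmp any any 4
access-list 102 permit icmp any any 8
access-list 102 permit icmp any any 11
! deny
access-list 102 deny icmp any any
access-list 102 permit ip any any"""


def parse_acl(text: str) -> List[Rule]:
    """Parse 'access-list N permit|deny ip|icmp any any [type [code]]' entries."""
    rules: List[Rule] = []
    for line in text.splitlines():
        tok = line.split("!")[0].split()  # drop IOS '!' comment lines
        if len(tok) < 6 or tok[0] != "access-list":
            continue
        action, proto, rest = tok[2], tok[3], tok[6:]  # tok[4:6] is 'any any'
        itype = icode = None
        if proto == "icmp" and rest:
            itype = ICMP_NAMES[rest[0]] if rest[0] in ICMP_NAMES else int(rest[0])
            icode = int(rest[1]) if len(rest) > 1 else None
        rules.append((action, proto, itype, icode))
    return rules


def evaluate(rules: List[Rule], proto: str, itype=None, icode=None) -> str:
    """Action of the first matching entry; 'deny' if nothing matches."""
    for action, rproto, rtype, rcode in rules:
        if rproto != "ip" and rproto != proto:
            continue  # 'ip' matches every IP protocol, icmp included
        if rproto == "icmp" and ((rtype is not None and rtype != itype)
                                 or (rcode is not None and rcode != icode)):
            continue
        return action
    return "deny"  # every IOS ACL ends with an implicit deny
```

Running `evaluate(parse_acl(ACL_PERMIT_IP), "icmp", 3, 1)` returns `permit`, while the same packet against `ACL_DENY_ICMP` returns `deny`, which is the behaviour the replies above describe.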


Thanks, do you have this ACL working on an actual device at the moment?

Reply to
dilan.weerasinghe

I sure do.

Reply to
user
