
Access list clarification 2

Status
Not open for further replies.

hinesjrh

MIS
Jan 4, 2005
260
US
I need to allow ICMP from my network provider (204.132.x.x) to my router (which has an internal address of 10.1.0.3) so that they can monitor circuit and router uptime. What does my access-list entry need to look like? I am thinking I don't want to use my internal 10.1.0.3 address, but instead the IP address that I have on the serial interface of my router (that was issued to me by my network provider 65.x.x.x).

access-list 100 permit icmp ????
 
It will be allowed already, unless this is a PIX or ASA and not a router. Post a model name and a sh run and from what to what interface you mean.

Burt
 
well if you have an access list on your Serial interface already, you will need to add

permit icmp host 204.132.x.x host 65.x.x.x echo


----------------------------------
Bill
 
This would be on a Cisco 3845 router on the serial interface. Yes, there are already inbound and outbound access lists in place. Thanks.
 
Without a sh run, no advice can be given other than what Alterac has posted. I would also add echo-reply and time-exceeded.

Burt
 
version 12.4
service timestamps debug uptime
service timestamps log uptime
service password-encryption
service udp-small-servers
service tcp-small-servers
!
hostname xxxxx
!
boot-start-marker
boot-end-marker
!
card type t3 1
logging buffered 16096 debugging
enable secret 5 $1$kH8N$MlaDqrGDDxDqonLkV/VzW0
!
no aaa new-model
!
resource policy
!
clock timezone EST -5
clock summer-time EDT recurring
ip cef
!
!
!
!
ip domain name nhacentral.com
ip multicast-routing
!
!
modemcap entry mt56k:MSC=&f1s0=1
!
!
!
!
controller T3 1/0
clock source line
!
class-map match-any VOICE
match ip dscp ef
class-map match-any SCAVENGER
match ip dscp cs1
class-map match-any CALL-SIGNALING
match ip dscp cs3
match ip dscp af31
!
!
policy-map WAN-EDGE
class VOICE
priority percent 33
class CALL-SIGNALING
bandwidth percent 5
class class-default
fair-queue
!
!
!
!
!
interface Tunnel2
description GRE Tunnel to Excel
bandwidth 1536
ip address 172.20.4.1 255.255.255.252
ip pim sparse-dense-mode
tunnel source GigabitEthernet0/0
tunnel destination 10.2.4.1
!
interface Tunnel3
description GRE Tunnel to Vanguard
bandwidth 1536
ip address 172.20.4.5 255.255.255.252
ip pim sparse-dense-mode
tunnel source GigabitEthernet0/0
tunnel destination 10.3.4.1
!
interface Tunnel5
description GRE Tunnel to Vanderbilt
bandwidth 1536
ip address 172.20.4.21 255.255.255.252
ip pim sparse-dense-mode
tunnel source GigabitEthernet0/0
tunnel destination 10.5.4.1
!
interface Tunnel6
description GRE Tunnel to Walker
bandwidth 1536
ip address 172.20.4.25 255.255.255.252
ip pim sparse-dense-mode
tunnel source GigabitEthernet0/0
tunnel destination 10.6.4.1
!
interface Tunnel7
description GRE Tunnel to Knapp
bandwidth 1536
ip address 172.20.4.17 255.255.255.252
ip pim sparse-dense-mode
tunnel source GigabitEthernet0/0
tunnel destination 10.7.4.1
!
interface Tunnel8
description GRE Tunnel to Eagle Crest
bandwidth 1536
ip address 172.20.4.29 255.255.255.252
ip pim sparse-dense-mode
tunnel source GigabitEthernet0/0
tunnel destination 10.8.4.1
!
interface Tunnel9
description GRE Tunnel to Timberland
bandwidth 1536
ip address 172.20.4.33 255.255.255.252
ip pim sparse-dense-mode
tunnel source GigabitEthernet0/0
tunnel destination 10.9.4.1
!
interface Tunnel11
description GRE Tunnel to CrossCreek
bandwidth 1536
ip address 172.20.4.37 255.255.255.252
ip pim sparse-dense-mode
tunnel source GigabitEthernet0/0
tunnel destination 10.11.4.1
!
interface Tunnel14
description GRE Tunnel to Endeavor
bandwidth 1536
ip address 172.20.4.41 255.255.255.252
ip pim sparse-dense-mode
tunnel source GigabitEthernet0/0
tunnel destination 10.14.4.1
!
interface Tunnel16
description GRE Tunnel to Paramount
bandwidth 1536
ip address 172.20.4.45 255.255.255.252
ip pim sparse-dense-mode
tunnel source GigabitEthernet0/0
tunnel destination 10.16.4.1
!
interface Tunnel19
description GRE Tunnel to South Arbor
bandwidth 1536
ip address 172.20.4.49 255.255.255.252
ip pim sparse-dense-mode
tunnel source GigabitEthernet0/0
tunnel destination 10.19.4.1
!
interface Tunnel20
description GRE Tunnel to Greensboro
bandwidth 1536
ip address 172.20.4.53 255.255.255.252
ip pim sparse-dense-mode
tunnel source GigabitEthernet0/0
tunnel destination 10.20.4.1
!
interface Tunnel21
description GRE Tunnel to Burton Glen
bandwidth 1536
ip address 172.20.4.57 255.255.255.252
ip pim sparse-dense-mode
tunnel source GigabitEthernet0/0
tunnel destination 10.21.4.1
!
interface Tunnel22
description GRE Tunnel to Chandler Woods
bandwidth 1536
ip address 172.20.4.61 255.255.255.252
ip pim sparse-dense-mode
tunnel source GigabitEthernet0/0
tunnel destination 10.22.4.1
!
interface Tunnel23
description GRE Tunnel to Linden
bandwidth 1536
ip address 172.20.4.65 255.255.255.252
ip pim sparse-dense-mode
tunnel source GigabitEthernet0/0
tunnel destination 10.23.4.1
!
interface Tunnel24
description GRE Tunnel to North Saginaw
bandwidth 1536
ip address 172.20.4.69 255.255.255.252
ip pim sparse-dense-mode
tunnel source GigabitEthernet0/0
tunnel destination 10.24.4.1
!
interface Tunnel25
description GRE Tunnel to Forsyth
bandwidth 1536
ip address 172.20.4.73 255.255.255.252
ip pim sparse-dense-mode
tunnel source GigabitEthernet0/0
tunnel destination 10.25.4.1
!
interface Tunnel26
description GRE Tunnel to Walton
bandwidth 1536
ip address 172.20.4.77 255.255.255.252
ip pim sparse-dense-mode
tunnel source GigabitEthernet0/0
tunnel destination 10.26.4.1
!
interface Tunnel27
description Tunnel to Windemere Park
bandwidth 1536
ip address 172.20.4.13 255.255.255.252
ip pim sparse-dense-mode
tunnel source GigabitEthernet0/0
tunnel destination 10.27.4.1
!
interface Tunnel36
description GRE Tunnel to Metro
bandwidth 1536
ip address 172.20.4.81 255.255.255.252
ip pim sparse-dense-mode
tunnel source GigabitEthernet0/0
tunnel destination 10.36.4.1
!
interface Tunnel76
description GRE Tunnel to Aspire
bandwidth 1536
ip address 172.20.4.85 255.255.255.252
ip pim sparse-dense-mode
tunnel source GigabitEthernet0/0
tunnel destination 10.76.4.1
!
interface Tunnel77
description GRE Tunnel to Reach
bandwidth 1536
ip address 172.20.4.9 255.255.255.252
ip pim sparse-dense-mode
tunnel source GigabitEthernet0/0
tunnel destination 10.77.4.1
!
interface GigabitEthernet0/0
ip address 10.1.0.3 255.255.252.0
ip pim sparse-dense-mode
duplex full
speed 1000
media-type rj45
negotiation auto
!
interface GigabitEthernet0/1
description Spare unused at this time$ETH-LAN$
ip address 172.31.225.249 255.255.255.252
shutdown
duplex full
speed 1000
media-type rj45
negotiation auto
!
interface Serial1/0
description Qwest PRN DS3-8010916...HFGS305975MB(SBC)...D189BT3GDRPMIESKNWDMIBTW71(US Signal)
ip address 65.x.x.x 255.255.255.252
ip access-group 104 in
ip access-group 100 out
ip nbar protocol-discovery
dsu bandwidth 44210
serial restart-delay 0
service-policy output WAN-EDGE
!
ip route 0.0.0.0 0.0.0.0 10.1.0.2
ip route 10.1.4.0 255.255.252.0 10.1.0.4
ip route 10.2.0.0 255.255.255.0 65.119.164.133
ip route 10.2.4.0 255.255.255.0 65.119.164.133
ip route 10.3.0.0 255.255.255.0 65.119.164.133
ip route 10.3.4.0 255.255.255.0 65.119.164.133
ip route 10.4.0.0 255.255.255.0 65.119.164.133
ip route 10.4.4.0 255.255.255.0 65.119.164.133
ip route 10.5.0.0 255.255.255.0 65.119.164.133
ip route 10.5.4.0 255.255.255.0 65.119.164.133
ip route 10.6.0.0 255.255.255.0 65.119.164.133
ip route 10.6.4.0 255.255.255.0 65.119.164.133
ip route 10.7.0.0 255.255.255.0 65.119.164.133
ip route 10.7.4.0 255.255.255.0 65.119.164.133
ip route 10.8.0.0 255.255.255.0 65.119.164.133
ip route 10.8.4.0 255.255.255.0 65.119.164.133
ip route 10.9.0.0 255.255.255.0 65.119.164.133
ip route 10.9.4.0 255.255.255.0 65.119.164.133
ip route 10.10.0.0 255.255.255.0 65.119.164.133
ip route 10.11.0.0 255.255.255.0 65.119.164.133
ip route 10.11.4.0 255.255.255.0 65.119.164.133
ip route 10.14.0.0 255.255.255.0 65.119.164.133
ip route 10.14.4.0 255.255.255.0 65.119.164.133
ip route 10.15.0.0 255.255.255.0 65.119.164.133
ip route 10.15.4.0 255.255.255.0 65.119.164.133
ip route 10.16.0.0 255.255.255.0 65.119.164.133
ip route 10.16.4.0 255.255.255.0 65.119.164.133
ip route 10.18.0.0 255.255.255.0 65.119.164.133
ip route 10.18.4.0 255.255.255.0 65.119.164.133
ip route 10.19.0.0 255.255.255.0 65.119.164.133
ip route 10.19.4.0 255.255.255.0 65.119.164.133
ip route 10.20.0.0 255.255.255.0 65.119.164.133
ip route 10.20.4.0 255.255.255.0 65.119.164.133
ip route 10.21.0.0 255.255.255.0 65.119.164.133
ip route 10.21.4.0 255.255.255.0 65.119.164.133
ip route 10.22.0.0 255.255.255.0 65.119.164.133
ip route 10.22.4.0 255.255.255.0 65.119.164.133
ip route 10.23.0.0 255.255.255.0 65.119.164.133
ip route 10.23.4.0 255.255.255.0 65.119.164.133
ip route 10.24.0.0 255.255.255.0 65.119.164.133
ip route 10.24.4.0 255.255.255.0 65.119.164.133
ip route 10.25.0.0 255.255.255.0 65.119.164.133
ip route 10.25.4.0 255.255.255.0 65.119.164.133
ip route 10.26.0.0 255.255.255.0 65.119.164.133
ip route 10.26.4.0 255.255.255.0 65.119.164.133
ip route 10.27.0.0 255.255.255.0 65.119.164.133
ip route 10.27.4.0 255.255.255.0 65.119.164.133
ip route 10.36.0.0 255.255.255.0 65.119.164.133
ip route 10.36.4.0 255.255.255.0 65.119.164.133
ip route 10.38.0.0 255.255.255.0 65.119.164.133
ip route 10.38.4.0 255.255.255.0 65.119.164.133
ip route 10.39.0.0 255.255.255.0 65.119.164.133
ip route 10.39.4.0 255.255.255.0 65.119.164.133
ip route 10.40.0.0 255.255.255.0 65.119.164.133
ip route 10.40.4.0 255.255.255.0 65.119.164.133
ip route 10.41.0.0 255.255.255.0 65.119.164.133
ip route 10.41.4.0 255.255.255.0 65.119.164.133
ip route 10.42.0.0 255.255.255.0 65.119.164.133
ip route 10.42.4.0 255.255.255.0 65.119.164.133
ip route 10.43.0.0 255.255.255.0 65.119.164.133
ip route 10.43.4.0 255.255.255.0 65.119.164.133
ip route 10.44.0.0 255.255.255.0 65.119.164.133
ip route 10.44.4.0 255.255.255.0 65.119.164.133
ip route 10.45.0.0 255.255.255.0 65.119.164.133
ip route 10.45.4.0 255.255.255.0 65.119.164.133
ip route 10.46.0.0 255.255.255.0 65.119.164.133
ip route 10.46.4.0 255.255.255.0 65.119.164.133
ip route 10.47.0.0 255.255.255.0 65.119.164.133
ip route 10.47.4.0 255.255.255.0 65.119.164.133
ip route 10.48.0.0 255.255.255.0 65.119.164.133
ip route 10.48.4.0 255.255.255.0 65.119.164.133
ip route 10.49.0.0 255.255.255.0 65.119.164.133
ip route 10.49.4.0 255.255.255.0 65.119.164.133
ip route 10.50.0.0 255.255.255.0 65.119.164.133
ip route 10.50.4.0 255.255.255.0 65.119.164.133
ip route 10.51.0.0 255.255.255.0 65.119.164.133
ip route 10.51.4.0 255.255.255.0 65.119.164.133
ip route 10.52.0.0 255.255.255.0 65.119.164.133
ip route 10.52.4.0 255.255.255.0 65.119.164.133
ip route 10.53.0.0 255.255.255.0 65.119.164.133
ip route 10.53.4.0 255.255.255.0 65.119.164.133
ip route 10.54.0.0 255.255.255.0 65.119.164.133
ip route 10.54.4.0 255.255.255.0 65.119.164.133
ip route 10.55.0.0 255.255.255.0 65.119.164.133
ip route 10.55.4.0 255.255.255.0 65.119.164.133
ip route 10.56.0.0 255.255.255.0 65.119.164.133
ip route 10.56.4.0 255.255.255.0 65.119.164.133
ip route 10.57.0.0 255.255.255.0 65.119.164.133
ip route 10.57.4.0 255.255.255.0 65.119.164.133
ip route 10.58.0.0 255.255.255.0 65.119.164.133
ip route 10.58.4.0 255.255.255.0 65.119.164.133
ip route 10.59.0.0 255.255.255.0 65.119.164.133
ip route 10.59.4.0 255.255.255.0 65.119.164.133
ip route 10.60.0.0 255.255.255.0 65.119.164.133
ip route 10.60.4.0 255.255.255.0 65.119.164.133
ip route 10.61.0.0 255.255.255.0 65.119.164.133
ip route 10.61.4.0 255.255.255.0 65.119.164.133
ip route 10.64.0.0 255.255.255.0 65.119.164.133
ip route 10.64.4.0 255.255.255.0 65.119.164.133
ip route 10.65.0.0 255.255.255.0 65.119.164.133
ip route 10.65.4.0 255.255.255.0 65.119.164.133
ip route 10.66.0.0 255.255.255.0 65.119.164.133
ip route 10.66.4.0 255.255.255.0 65.119.164.133
ip route 10.71.0.0 255.255.255.0 65.119.164.133
ip route 10.71.4.0 255.255.255.0 65.119.164.133
ip route 10.72.0.0 255.255.255.0 65.119.164.133
ip route 10.72.4.0 255.255.255.0 65.119.164.133
ip route 10.73.0.0 255.255.255.0 65.119.164.133
ip route 10.73.4.0 255.255.255.0 65.119.164.133
ip route 10.74.0.0 255.255.255.0 65.119.164.133
ip route 10.74.4.0 255.255.255.0 65.119.164.133
ip route 10.75.0.0 255.255.255.0 65.119.164.133
ip route 10.75.4.0 255.255.255.0 65.119.164.133
ip route 10.76.0.0 255.255.255.0 65.119.164.133
ip route 10.76.4.0 255.255.255.0 65.119.164.133
ip route 10.77.0.0 255.255.255.0 65.119.164.133
ip route 10.77.4.0 255.255.255.0 65.119.164.133
ip route 10.251.0.0 255.255.0.0 10.1.0.4
ip route 10.252.0.0 255.255.0.0 10.1.0.4
ip route 172.20.0.0 255.255.0.0 10.1.0.4
ip route 172.21.1.0 255.255.255.0 10.1.0.2
ip route 172.168.0.0 255.255.0.0 10.1.0.4
!
ip http server
no ip http secure-server
ip pim bidir-enable
!
access-list 100 permit udp any any eq 2344
access-list 100 permit udp any any eq 16962
access-list 100 permit udp any any eq 47808
access-list 100 deny udp any any eq 8998
access-list 100 deny udp any any eq tftp
access-list 100 permit tcp host 10.1.0.150 any eq 135
access-list 100 permit tcp host 10.1.0.127 any eq 135
access-list 100 permit tcp host 10.1.0.152 any eq 135
access-list 100 permit tcp host 10.1.0.154 any eq 135
access-list 100 permit tcp host 10.253.0.126 any eq 135
access-list 100 permit tcp host 10.1.0.66 any eq 135
access-list 100 permit tcp host 10.1.0.65 any eq 135
access-list 100 permit tcp host 10.1.0.156 any eq 135
access-list 100 permit tcp host 10.1.0.134 any eq 135
access-list 100 permit tcp 10.0.0.16 0.255.0.0 any eq 135
access-list 100 permit tcp host 10.1.0.120 any eq 135
access-list 100 deny tcp any any eq 135
access-list 100 permit icmp host 10.1.0.3 any
access-list 100 permit icmp host 205.171.3.169 any
access-list 100 permit icmp host 65.119.164.133 any
access-list 100 permit icmp host 10.1.0.134 any
access-list 100 permit icmp host 10.253.0.126 any
access-list 100 permit icmp host 10.1.0.150 any
access-list 100 permit icmp host 10.1.0.152 any
access-list 100 permit icmp host 10.1.0.154 any
access-list 100 permit icmp host 10.1.0.66 any
access-list 100 permit icmp host 10.1.0.65 any
access-list 100 permit icmp 10.0.0.16 0.255.0.0 any
access-list 100 permit icmp 10.0.0.17 0.255.0.0 any
access-list 100 permit icmp 10.0.0.18 0.255.0.0 any
access-list 100 permit icmp 10.0.0.19 0.255.0.0 any
access-list 100 permit icmp 10.0.0.20 0.255.0.0 any
access-list 100 permit ip any any
access-list 104 permit udp any any eq 2344
access-list 104 permit udp any any eq 16962
access-list 104 permit udp any any eq 47808
access-list 104 deny udp any any eq 8998
access-list 104 deny udp any any eq tftp
access-list 104 permit tcp any host 10.1.0.150 eq 135
access-list 104 permit tcp any host 10.1.0.152 eq 135
access-list 104 permit tcp any host 10.1.0.154 eq 135
access-list 104 permit tcp any host 10.253.0.126 eq 135
access-list 104 permit tcp any host 10.1.0.66 eq 135
access-list 104 permit tcp any host 10.1.0.65 eq 135
access-list 104 permit tcp any host 10.1.0.156 eq 135
access-list 104 permit tcp any host 10.1.0.134 eq 135
access-list 104 permit tcp any 10.0.0.16 0.255.0.0 eq 135
access-list 104 permit tcp any host 10.1.0.120 eq 135
access-list 104 deny tcp any any eq 135
access-list 104 permit icmp any host 10.1.0.134
access-list 104 permit icmp any host 10.253.0.126
access-list 104 permit icmp any host 10.1.0.150
access-list 104 permit icmp any host 10.1.0.152
access-list 104 permit icmp any host 10.1.0.154
access-list 104 permit icmp any host 10.1.0.66
access-list 104 permit icmp any host 10.1.0.65
access-list 104 permit icmp any 10.0.0.16 0.255.0.0
access-list 104 permit icmp any 10.0.0.17 0.255.0.0
access-list 104 permit icmp any 10.0.0.18 0.255.0.0
access-list 104 permit icmp any 10.0.0.19 0.255.0.0
access-list 104 permit icmp any 10.0.0.20 0.255.0.0
access-list 104 deny udp any any eq 995
access-list 104 deny udp any any eq 996
access-list 104 deny udp any any eq 997
access-list 104 deny udp any any eq 998
access-list 104 deny udp any any eq 999
access-list 104 permit ip any any
snmp-server community xxxxx RW
!
!
control-plane
!
!
!
line con 0
exec-timeout 20 0
password
login
stopbits 1
line aux 0
session-timeout 20
password
login
modem InOut
modem autoconfigure type mt56k
transport input all
transport output all
autohangup
stopbits 1
speed 38400
flowcontrol hardware
line vty 0 4
session-timeout 20
password
login
!
scheduler allocate 20000 1000
ntp clock-period 17180228
ntp server 130.126.24.53
!
end
 
in your 104 access list:

access-list 104 permit icmp any 10.0.0.20 0.255.0.0


permit icmp host 204.132.x.x host 65.x.x.x echo
permit icmp host 204.132.x.x host 65.x.x.x echo-reply
permit icmp host 204.132.x.x host 65.x.x.x time-exc


access-list 104 deny udp any any eq 995


----------------------------------
Bill
 
Thanks Bill. Can you please explain the "echo", "echo-reply" and "time-exc" aspects of the statements?
 
Each of those is a subelement of the ICMP protocol set.

echo is so you respond to a ping request.

echo-reply is so that you can ping out of your network

time exceeded is for you to be able to use traceroute (or be tracerouted)

----------------------------------
Bill
 
One last question (hopefully). Can I add a subnet to the acl statements? My network provider is telling me it needs to allow for /30. This is what I came up with:

access-list 104 permit icmp host 204.132.7.252 255.255.255.252 host 65.119.164.134 255.255.255.252 echo

access-list 104 permit icmp host 204.132.7.252 255.255.255.252 host 65.119.164.134 255.255.255.252 echo-reply

access-list 104 permit icmp host 204.132.7.252 255.255.255.252 host 65.119.164.134 255.255.255.252 time-exc
 
just take out the host statements and that will work

access-list 104 permit icmp 204.132.7.252 255.255.255.252 65.119.164.134 255.255.255.252 echo

access-list 104 permit icmp 204.132.7.252 255.255.255.252 65.119.164.134 255.255.255.252 echo-reply

access-list 104 permit icmp 204.132.7.252 255.255.255.252 65.119.164.134 255.255.255.252 time-exc

----------------------------------
Bill
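An added check, not part of the thread or anyone's post in it: an IOS access-list entry takes a wildcard mask (the bitwise inverse of the subnet mask), so a /30 is written `0.0.0.3`, not `255.255.255.252`. The Python below uses the addresses from the posts above to compute the wildcard, render the three ICMP entries, and show which sources an entry would actually permit under each mask; the sample candidate addresses are constructed.

```python
import ipaddress

# Values taken from the thread's last post; the /30 boundaries are computed from them.
PROVIDER_PREFIX = "204.132.7.252/30"
SERIAL_PREFIX = "65.119.164.134/30"
ICMP_TYPES = ("echo", "echo-reply", "time-exceeded")


def wildcard_mask(prefix: str) -> str:
    """Return the Cisco wildcard (inverse) mask for a CIDR prefix, e.g. /30 -> 0.0.0.3."""
    return str(ipaddress.ip_network(prefix, strict=False).hostmask)


def ace_matches(addr: str, base: str, wildcard: str) -> bool:
    """Apply IOS wildcard semantics: a bit set to 1 in the wildcard is 'don't care'.

    Only the bits that are 0 in the wildcard must agree between addr and base.
    """
    a = int(ipaddress.ip_address(addr))
    b = int(ipaddress.ip_address(base))
    care = 0xFFFFFFFF ^ int(ipaddress.ip_address(wildcard))
    return (a & care) == (b & care)


def build_icmp_aces(acl: str, src_prefix: str, dst_prefix: str) -> list[str]:
    """Render the inbound ICMP entries for a /30-to-/30 monitoring rule."""
    src = ipaddress.ip_network(src_prefix, strict=False)
    dst = ipaddress.ip_network(dst_prefix, strict=False)
    return [
        f"access-list {acl} permit icmp {src.network_address} {src.hostmask} "
        f"{dst.network_address} {dst.hostmask} {t}"
        for t in ICMP_TYPES
    ]


def matched_sources(base: str, wildcard: str, candidates: list[str]) -> list[str]:
    """Which candidate source addresses a given source/wildcard pair would permit."""
    return [c for c in candidates if ace_matches(c, base, wildcard)]


if __name__ == "__main__":
    # Constructed sample sources: two inside the provider /30, two outside it.
    samples = ["204.132.7.253", "204.132.7.254", "204.132.8.1", "8.8.8.8"]
    # Subnet mask used as the wildcard: the provider's own hosts fail to match,
    # while an unrelated address whose low two bits are 00 is permitted.
    print(matched_sources("204.132.7.252", "255.255.255.252", samples))
    # Correct wildcard for a /30: only the provider's block is permitted.
    print(matched_sources("204.132.7.252", wildcard_mask(PROVIDER_PREFIX), samples))
    for line in build_icmp_aces("104", PROVIDER_PREFIX, SERIAL_PREFIX):
        print(line)
```

Because 104 is applied inbound on Serial1/0, the source side is the provider's block and the destination side is the router's serial /30; `show access-lists 104` after the change should show hit counts climbing on these entries as the provider polls.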
 