! in access-lists

[andrewalx]

Hi.
Does '!' in command like
access-list 120 deny udp any any log !
means not to reply with ICMP?

 

[sobak]

I don't believe it does, ICMP is a protocol like UDP, If you'd like to block ICMP Packets then you need to include this access list.

access-list 120 deny icmp any any log

This will block ICMP packets from your router. Of course I'm sure there are other ways but I know this will deny ICMP packets.

david e

 

[Stonefish]

The ! in the command line renders it a comment, its like a rem in some languages, or a # in most unix script languages.

Regards
Neil
Neil S. Briscoe
Senior Network Engineer
Zetnet Internet Services Ltd

 

[andrewalx]

Hi.
Thank you. I want to ban ICMP replay only for packets matching 'deny' entries in access-list, is it possible?.

 

[sobak]

I'm not sure I follow you. If you want to deny from a particular host you would edit the access-list accordingly

ie: access-list 120 deny icmp 192.168.1.1 any log

or open it up between two hosts.....

ie: access-list 120 icmp 192.168.1.1 192.168.2.1 log

of course at the end there is a implicit deny but I always place an:

access-list 120 deny ip any any log

The extended access list can be configured any way you would like. If you give me a little further information on what you want I can help you out. Give me a sample packet path from host to host.

david e

 

[andrewalx]

Hi.
I want to ban ICMP replay for incoming packets matching 'deny' entries in access-list without addtion corresponding ICMP entries in outcoming access-list.

 

[wybnormal]

I think this is what you might be looking for..

access-list 107 deny icmp any any echo log

This will deny ICMP from anyone AND surpress the echo reponse that normally go out saying it had been surpressed. There are a few options regarding the echo replies. This goes to the incoming list without any changes to the outgoing lists.

Mike S
"Diplomacy; the art of saying 'nice doggie' till you can find a rock" Wynn Catlin