11-08-2005 02:19 PM - edited 03-03-2019 12:43 AM
I seem to have a problem with a router where a deny is working with a 'permit ip any any' as the next-to-last line in an access-list.
access-list 100 deny tcp any eq 445 any
access-list 100 deny tcp any eq 137 any
access-list 100 deny tcp any eq 135 any
access-list 100 deny tcp any eq 1433 any
access-list 100 deny tcp any eq 139 any
access-list 100 deny ip 10.0.0.0 0.255.255.255 any
access-list 100 deny ip 127.0.0.0 0.255.255.255 any
access-list 100 deny ip 172.16.0.0 0.15.255.255 any
access-list 100 deny ip 192.168.0.0 0.0.255.255 any
access-list 100 deny ip 224.0.0.0 15.255.255.255 any
access-list 100 permit ip any any
access-list 100 deny icmp any any echo-reply
This is applied with 'access-group 100 in' under the serial interface.
11-08-2005 02:30 PM
Hello,
The access list stops checking when a match is found, which in your case is the 'permit ip any any' line. In order to deny ICMP echo replies, configure the list as follows:
access-list 100 deny tcp any eq 445 any
access-list 100 deny tcp any eq 137 any
access-list 100 deny tcp any eq 135 any
access-list 100 deny tcp any eq 1433 any
access-list 100 deny tcp any eq 139 any
access-list 100 deny ip 10.0.0.0 0.255.255.255 any
access-list 100 deny ip 127.0.0.0 0.255.255.255 any
access-list 100 deny ip 172.16.0.0 0.15.255.255 any
access-list 100 deny ip 192.168.0.0 0.0.255.255 any
access-list 100 deny ip 224.0.0.0 15.255.255.255 any
access-list 100 deny icmp any any echo-reply
access-list 100 permit ip any any
HTH,
GP
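The first-match rule the answer describes can be checked mechanically. The following is an added example, not code from the thread or from Cisco: a small evaluator that parses numbered extended ACL lines of the kind shown above, walks them top to bottom and stops at the first match (falling through to the implicit deny), plus a shadowing check that reports any entry that an earlier entry already fully covers, which is exactly why the 'deny icmp ... echo-reply' line never fires in the original ordering. The packet addresses and the Packet/Entry names are constructed for the example; the ACL text is the one posted in the question, and the "fixed" list is the same text with the last two lines swapped as in the answer. Note that in 'deny tcp any eq 445 any' the 'eq 445' follows the source address, so the parser treats it as a source-port match, which is how IOS reads that syntax.

```python
# Added example: first-match evaluation of a Cisco-style extended ACL and a
# shadowed-entry check. Not from the original thread; names are constructed.
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import List, Optional, Tuple

# ACL text as posted in the question (the "before" ordering).
ORIGINAL_ACL = """\
access-list 100 deny tcp any eq 445 any
access-list 100 deny tcp any eq 137 any
access-list 100 deny tcp any eq 135 any
access-list 100 deny tcp any eq 1433 any
access-list 100 deny tcp any eq 139 any
access-list 100 deny ip 10.0.0.0 0.255.255.255 any
access-list 100 deny ip 127.0.0.0 0.255.255.255 any
access-list 100 deny ip 172.16.0.0 0.15.255.255 any
access-list 100 deny ip 192.168.0.0 0.0.255.255 any
access-list 100 deny ip 224.0.0.0 15.255.255.255 any
access-list 100 permit ip any any
access-list 100 deny icmp any any echo-reply
"""
# The answer's ordering: same entries, last two lines swapped.
_lines = ORIGINAL_ACL.splitlines()
FIXED_ACL = "\n".join(_lines[:-2] + [_lines[-1], _lines[-2]]) + "\n"

MASK32 = 0xFFFFFFFF
AddrSpec = Tuple[int, int]  # (address, wildcard); wildcard bit 1 = "don't care"


@dataclass
class Packet:  # constructed packet abstraction for the example
    proto: str              # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    icmp_type: str = ""     # e.g. "echo-reply"


@dataclass
class Entry:
    action: str
    proto: str
    src: AddrSpec
    sport: Optional[int]
    dst: AddrSpec
    dport: Optional[int]
    icmp_type: Optional[str]
    text: str


def _addr(t: List[str], i: int) -> Tuple[AddrSpec, int]:
    """Consume 'any' | 'host A' | 'A WILDCARD' starting at t[i]."""
    if t[i] == "any":
        return (0, MASK32), i + 1
    if t[i] == "host":
        return (int(IPv4Address(t[i + 1])), 0), i + 2
    return (int(IPv4Address(t[i])), int(IPv4Address(t[i + 1]))), i + 2


def _port(t: List[str], i: int) -> Tuple[Optional[int], int]:
    """Consume an optional 'eq N' port qualifier at t[i]."""
    if i < len(t) and t[i] == "eq":
        return int(t[i + 1]), i + 2
    return None, i


def parse_entry(line: str) -> Entry:
    t = line.split()
    if t[:1] != ["access-list"]:
        raise ValueError("not an access-list line: %r" % line)
    action, proto = t[2], t[3]
    src, i = _addr(t, 4)
    sport, i = _port(t, i)       # 'eq N' right after the source = source port
    dst, i = _addr(t, i)
    dport, i = _port(t, i)
    icmp_type = t[i] if proto == "icmp" and i < len(t) else None
    return Entry(action, proto, src, sport, dst, dport, icmp_type, line.strip())


def parse_acl(text: str) -> List[Entry]:
    return [parse_entry(l) for l in text.splitlines() if l.strip()]


def _addr_match(spec: AddrSpec, ip: int) -> bool:
    addr, wild = spec
    return ((ip ^ addr) & ~wild & MASK32) == 0   # fixed bits must agree


def matches(e: Entry, p: Packet) -> bool:
    return ((e.proto == "ip" or e.proto == p.proto)
            and _addr_match(e.src, int(IPv4Address(p.src)))
            and _addr_match(e.dst, int(IPv4Address(p.dst)))
            and (e.sport is None or e.sport == p.sport)
            and (e.dport is None or e.dport == p.dport)
            and (e.icmp_type is None or e.icmp_type == p.icmp_type))


def evaluate(acl: List[Entry], p: Packet) -> Tuple[str, str]:
    """Top-to-bottom, first match wins; no match hits the implicit deny."""
    for e in acl:
        if matches(e, p):
            return e.action, e.text
    return "deny", "implicit deny"


def _covers(a: Entry, b: Entry) -> bool:
    """True if every packet matching b would already have matched a."""
    def addr_ok(sa: AddrSpec, sb: AddrSpec) -> bool:
        (aa, wa), (ab, wb) = sa, sb
        return (wa | wb) == wa and ((aa ^ ab) & ~wa & MASK32) == 0
    return ((a.proto == "ip" or a.proto == b.proto)
            and addr_ok(a.src, b.src) and addr_ok(a.dst, b.dst)
            and (a.sport is None or a.sport == b.sport)
            and (a.dport is None or a.dport == b.dport)
            and (a.icmp_type is None or a.icmp_type == b.icmp_type))


def shadowed(acl: List[Entry]) -> List[str]:
    """Entries that can never match because an earlier entry covers them."""
    return [e.text for i, e in enumerate(acl) if any(_covers(p, e) for p in acl[:i])]


if __name__ == "__main__":
    reply = Packet("icmp", "8.8.8.8", "203.0.113.5", icmp_type="echo-reply")
    for name, text in (("original", ORIGINAL_ACL), ("fixed", FIXED_ACL)):
        acl = parse_acl(text)
        print(name, "echo-reply ->", evaluate(acl, reply))
        print(name, "shadowed ->", shadowed(acl))
```

Running it shows the echo-reply hitting 'permit ip any any' under the original ordering and the 'deny icmp' line under the fixed one; the shadowing check lists the original's last line as unreachable and nothing for the corrected list, which is the property worth re-checking every time a 'permit ip any any' catch-all is added to a list.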