PIX 525 connectivity/routing problem
- TheeGreatCornholio
18 years 11 months ago #11951
by TheeGreatCornholio
Replied by TheeGreatCornholio on topic Re: PIX 525 connectivity/routing problem
eeee,
No problem - glad it worked.
Chris:
Yes - I am sure that ACLs that are defined as IP will include ICMP. This is true on any Cisco ACL (PIX, IOS, etc.). Remember that ICMP is just one protocol inside of IP. TCP and UDP are the same. An access list reads like this:
access-list <name> permit/deny <IP Protocol> <source> <operator> <port> <destination> <operator> <port>
So, let's go through each of the things inside of the <>
<name> = ACL name.
<IP Protocol> = the IP protocol number, name, or IP itself as the name (which is the equivalent to ANY for this field). Our friends at IANA maintain the official list of IP protocol number assignments. www.iana.org/assignments/protocol-numbers
Common examples: ICMP = 1, TCP = 6, UDP = 17, GRE = 47, ESP = 50, etc. So, in this field, you can use most of the common protocol names, or you can choose any IP protocol number as needed. Again, specifying IP in this field means ANY/ALL IP protocol numbers.
<source> is the source IP address/subnet of the traffic to inspect
<operator> is either equals, greater than, less than, or range... and affects the next field
<port> inside of each IP protocol, there are ports... 65535 of them. You can use common port names here, like http, ftp, etc. or you can specify the number. The operator and port numbers are generally not used in the source side of the ACL statements, however it is possible.
<destination> <operator> <port> - same as source, except for the destination of the traffic in question.
Anyway - enough of the ACL lesson... the whole point here is that when you say something like 'permit ip any any', the IP means any IP traffic - anything - TCP, UDP, ESP, GRE, ICMP, and any of the other IP protocols defined in the URL I provided above. Nothing will be blocked.
Does this clarify things for you now?
tGc
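The ACL syntax walked through in the post above, as an added example that is not part of the original thread or of Cisco's own software: a small Python evaluator that parses PIX-style access-list lines (protocol by name or IANA number, `any`/`host`/address-plus-netmask, optional `eq`/`gt`/`lt`/`range` port operators) and applies first-match, implicit-deny semantics to a packet. The ACL names, addresses and the two sample ACLs are constructed for the demonstration; they show that `permit ip any any` matches ICMP, GRE and ESP just as it matches TCP, while an ACL that only permits TCP and UDP to specific hosts silently drops ICMP.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# IANA protocol numbers for the names mentioned in the post; "ip" is handled
# separately as the wildcard that matches every IP protocol number.
PROTOCOLS = {"icmp": 1, "tcp": 6, "udp": 17, "gre": 47, "esp": 50}
# A few well-known port names accepted in place of numbers (constructed subset).
PORT_NAMES = {"http": 80, "www": 80, "ftp": 21, "ssh": 22, "domain": 53}


@dataclass
class AclEntry:
    name: str
    action: str                      # "permit" or "deny"
    proto: Optional[int]             # None means "ip": any IP protocol
    src: ipaddress.IPv4Network
    src_ports: Optional[range]       # None means no port restriction
    dst: ipaddress.IPv4Network
    dst_ports: Optional[range]


def _parse_address(tokens, i):
    """Consume one address spec at tokens[i]; return (network, next index)."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    # "<address> <netmask>" form, as PIX writes it (hypothetical sample form)
    return ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}", strict=False), i + 2


def _port(tok):
    return PORT_NAMES[tok] if tok in PORT_NAMES else int(tok)


def _parse_ports(tokens, i):
    """Consume an optional operator and port(s); return (range or None, next index)."""
    if i >= len(tokens) or tokens[i] not in ("eq", "gt", "lt", "range"):
        return None, i
    op = tokens[i]
    if op == "eq":
        p = _port(tokens[i + 1])
        return range(p, p + 1), i + 2
    if op == "gt":
        return range(_port(tokens[i + 1]) + 1, 65536), i + 2
    if op == "lt":
        return range(0, _port(tokens[i + 1])), i + 2
    lo, hi = _port(tokens[i + 1]), _port(tokens[i + 2])
    return range(lo, hi + 1), i + 3


def parse_acl_line(line):
    """Parse 'access-list <name> permit|deny <proto> <src> [op port] <dst> [op port]'."""
    tokens = line.split()
    if len(tokens) < 6 or tokens[0] != "access-list" or tokens[2] not in ("permit", "deny"):
        raise ValueError(f"not an access-list statement: {line!r}")
    name, action, proto_tok = tokens[1], tokens[2], tokens[3]
    if proto_tok == "ip":
        proto = None                               # wildcard: every IP protocol
    elif proto_tok.isdigit():
        proto = int(proto_tok)                     # raw IANA protocol number
    else:
        proto = PROTOCOLS[proto_tok]
    i = 4
    src, i = _parse_address(tokens, i)
    src_ports, i = _parse_ports(tokens, i)
    dst, i = _parse_address(tokens, i)
    dst_ports, i = _parse_ports(tokens, i)
    return AclEntry(name, action, proto, src, src_ports, dst, dst_ports)


def evaluate(entries, proto, src_ip, dst_ip, src_port=None, dst_port=None):
    """First matching entry decides; no match means the implicit deny at the end."""
    src_ip, dst_ip = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for e in entries:
        if e.proto is not None and e.proto != proto:
            continue
        if src_ip not in e.src or dst_ip not in e.dst:
            continue
        if e.src_ports is not None and (src_port is None or src_port not in e.src_ports):
            continue
        if e.dst_ports is not None and (dst_port is None or dst_port not in e.dst_ports):
            continue
        return e.action
    return "deny"


# Constructed sample ACLs (names and addresses are illustrative, not from the thread).
PERMIT_ANY = [parse_acl_line("access-list inside_out permit ip any any")]
OUTSIDE_IN = [parse_acl_line(l) for l in (
    "access-list outside_in permit tcp any host 192.0.2.10 eq http",
    "access-list outside_in permit udp any host 192.0.2.53 eq domain",
)]

if __name__ == "__main__":
    for proto in ("icmp", "gre", "esp", "tcp"):
        print(f"permit ip any any vs {proto}:",
              evaluate(PERMIT_ANY, PROTOCOLS[proto], "10.0.0.5", "192.0.2.10", 40000, 80))
    print("outside_in vs icmp echo:", evaluate(OUTSIDE_IN, 1, "198.51.100.7", "192.0.2.10"))
```

Running the script shows every protocol permitted by the single `ip` entry, and ICMP denied by the second ACL because nothing in it names protocol 1; that is the same ordering point the post makes, seen from the defender's side: a deny for ICMP must sit above any `permit ip` line, or it never gets a chance to match.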