[c-nsp] VPN blocked from access list

Niels Bakker niels=cisco-nsp at bakker.net
Tue Aug 24 07:15:06 EDT 2004


* pauls at nexicom.net (Paul Stewart) [Tue 24 Aug 2004, 02:40 CEST]:
> access-list 100 remark Specifically block ICMP fragments
> access-list 100 deny   icmp any any fragments
> access-list 100 remark Permit inbound ping.
> access-list 100 permit icmp any any echo
> access-list 100 remark Permit inbound ping response.
> access-list 100 permit icmp any any echo-reply
> access-list 100 remark Permit Path MTU to function.
> access-list 100 permit icmp any any packet-too-big
> access-list 100 remark Permit time exceeded messages for traceroute and loops.
> access-list 100 permit icmp any any time-exceeded
> access-list 100 remark And explicitly block all other ICMP packets
> access-list 100 deny   icmp any any

I hope these aren't the only ICMP-related statements in your customer
ACL as this causes their browsers to hang for a long time when
attempting to reach a host with no web server running, since you block
most ICMP (host, port, network) unreachable messages.

ICMP is an integral part of IP, and the Internet needs it in order to
function correctly.


	-- Niels.
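As an added illustration that is not part of the post or the thread, the following Python models IOS first-match ACL evaluation over the ICMP entries quoted above and reports which well-known ICMP messages the list drops; the keyword table is an assumed subset of the IOS ICMP keywords, and the "fixed" variant (a `permit icmp any any unreachable` ahead of the catch-all deny) is a constructed example of the kind of entry the reply says is missing.

```python
import re
# The customer ACL quoted in the post (remarks trimmed), as constructed input.
ACL_FROM_POST = """\
access-list 100 remark Specifically block ICMP fragments
access-list 100 deny   icmp any any fragments
access-list 100 permit icmp any any echo
access-list 100 permit icmp any any echo-reply
access-list 100 permit icmp any any packet-too-big
access-list 100 permit icmp any any time-exceeded
access-list 100 deny   icmp any any
"""
# Same ACL with a permit for type 3 (all unreachables) ahead of the catch-all deny.
ACL_FIXED = ACL_FROM_POST.replace("deny   icmp any any\n",
                                  "permit icmp any any unreachable\ndeny   icmp any any\n")
# IOS ICMP keywords -> (type, code); a None code means any code. Assumed subset.
KEYWORDS = {
    "echo": (8, None), "echo-reply": (0, None), "time-exceeded": (11, None),
    "unreachable": (3, None), "net-unreachable": (3, 0), "host-unreachable": (3, 1),
    "port-unreachable": (3, 3), "packet-too-big": (3, 4),
}
ACE_RE = re.compile(r"^access-list\s+\d+\s+(permit|deny)\s+icmp\s+\S+\s+\S+(?:\s+(\S+))?$")

def parse_acl(text):
    """Return [(action, keyword)] for the ICMP entries in order; remarks are skipped."""
    aces = []
    for line in text.splitlines():
        m = ACE_RE.match(line.strip())
        if m:
            aces.append((m.group(1), m.group(2)))  # keyword None = bare 'icmp any any'
    return aces

def ace_matches(keyword, icmp_type, icmp_code, is_fragment):
    """Does one entry match an ICMP packet of the given type/code?"""
    if keyword is None:
        return True                       # bare 'icmp any any' matches everything
    if keyword == "fragments":
        return is_fragment                # matches only non-initial fragments
    ktype, kcode = KEYWORDS[keyword]
    return icmp_type == ktype and kcode in (None, icmp_code)

def evaluate(aces, icmp_type, icmp_code=0, is_fragment=False):
    """IOS semantics: the first matching entry wins, with an implicit deny at the end."""
    for action, keyword in aces:
        if ace_matches(keyword, icmp_type, icmp_code, is_fragment):
            return action
    return "deny"

def blocked_messages(aces):
    """Well-known ICMP messages this ACL drops; dropped unreachables leave TCP waiting for a timeout."""
    return sorted(k for k, (t, c) in KEYWORDS.items() if evaluate(aces, t, c or 0) == "deny")
```

Running `blocked_messages(parse_acl(ACL_FROM_POST))` lists the unreachable family as dropped, while the fixed ACL drops none of the listed messages.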
