[c-nsp] VPN blocked from access list

Pekka Savola pekkas at netcore.fi
Tue Aug 24 09:20:32 EDT 2004


On Tue, 24 Aug 2004, Niels Bakker wrote:
> * pauls at nexicom.net (Paul Stewart) [Tue 24 Aug 2004, 02:40 CEST]:
> > access-list 100 remark Specifically block ICMP fragments
> > access-list 100 deny   icmp any any fragments
> > access-list 100 remark Permit inbound ping.
> > access-list 100 permit icmp any any echo
> > access-list 100 remark Permit inbound ping response.
> > access-list 100 permit icmp any any echo-reply
> > access-list 100 remark Permit Path MTU to function.
> > access-list 100 permit icmp any any packet-too-big
> > access-list 100 remark Permit time exceeded messages for traceroute and loops.
> > access-list 100 permit icmp any any time-exceeded
> > access-list 100 remark And explicitly block all other ICMP packets
> > access-list 100 deny   icmp any any
> 
> I hope these aren't the only ICMP-related statements in your customer
> ACL as this causes their browsers to hang for a long time when
> attempting to reach a host with no web server running, since you block
> most ICMP (host, port, network) unreachable messages.

Actually, that causes a TCP RST, so that's OK, but there are a number
of good examples of unreachable messages which cause a lot of pain if
blocked.

For example, many firewalls send ICMP unreachables, and many stacks
react to those if received in connection set-up phase.  Blocking them
causes connection timeouts and makes debugging more difficult, for
example.

-- 
Pekka Savola                 "You each name yourselves king, yet the
Netcore Oy                    kingdom bleeds."
Systems. Networks. Security. -- George R.R. Martin: A Clash of Kings
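As an added illustration that is not part of Pekka's post or the thread, the following Python check applies IOS first-match ACL semantics to the list Paul quoted and reports which ICMP messages never reach the customer's hosts. The type/code table is standard ICMP numbering (the IOS keywords used in the thread plus the unreachable sub-types Niels mentions), and the ACL text is a constructed copy of the quoted lines.

```python
# IOS ICMP keyword -> (type, code); None = any code. packet-too-big is type 3 code 4.
ICMP_KEYWORDS = {
    "echo": (8, None), "echo-reply": (0, None), "time-exceeded": (11, None),
    "unreachable": (3, None), "net-unreachable": (3, 0),
    "host-unreachable": (3, 1), "port-unreachable": (3, 3),
    "packet-too-big": (3, 4),
}
# Messages a TCP stack and PMTUD depend on, as (type, code).
CHECKS = {
    "net-unreachable": (3, 0), "host-unreachable": (3, 1),
    "port-unreachable": (3, 3), "packet-too-big": (3, 4),
    "time-exceeded": (11, 0), "echo": (8, 0), "echo-reply": (0, 0),
}
# Constructed copy of the ACL quoted in the thread, '> >' prefix removed.
ACL = """access-list 100 remark Specifically block ICMP fragments
access-list 100 deny   icmp any any fragments
access-list 100 permit icmp any any echo
access-list 100 permit icmp any any echo-reply
access-list 100 permit icmp any any packet-too-big
access-list 100 permit icmp any any time-exceeded
access-list 100 deny   icmp any any"""

def parse_acl(text):
    """Ordered (action, type, code) from 'access-list N permit|deny icmp any any
    [keyword]' lines. Remarks are skipped, as are 'fragments' entries: they
    match only non-initial fragments, which carry no ICMP header at all."""
    rules = []
    for line in text.splitlines():
        tok = line.split()
        if len(tok) < 6 or tok[2] not in ("permit", "deny") or tok[3] != "icmp":
            continue
        keyword = tok[6] if len(tok) > 6 else None
        if keyword != "fragments":
            rules.append((tok[2],) + ICMP_KEYWORDS.get(keyword, (None, None)))
    return rules

def first_match(rules, icmp_type, icmp_code):
    """IOS semantics: top-down, first match wins, implicit deny at the end."""
    for action, t, c in rules:
        if (t is None or t == icmp_type) and (c is None or c == icmp_code):
            return action
    return "deny"

def audit(text):
    """Map each message in CHECKS to the action the ACL takes on it."""
    rules = parse_acl(text)
    return {name: first_match(rules, t, c) for name, (t, c) in CHECKS.items()}

def blocked(text):
    return sorted(n for n, a in audit(text).items() if a == "deny")
```

Running `blocked(ACL)` on the quoted list shows that only code 4 of type 3 survives: net, host and port unreachables all fall through to the final deny, which is the behaviour Niels and Pekka describe.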
