[c-nsp] ICMP filtering policy
M.Palis
security at cytanet.com.cy
Thu Mar 10 05:51:29 EST 2005
Hello all,
I would like to have your suggestions about ICMP filtering policy at an ISP
perimeter network. After some research I figured out that the following
ICMP filtering policy can be well established in an ISP perimeter network.
Note that as an ISP we need to have pings and traceroutes open and block
them only for our core IP subnets.

deny icmp any any fragments
permit icmp any any packet-too-big
permit icmp any any time-exceeded
permit icmp any any source-quench
deny icmp any *CORE NETWORK Addresses*
permit icmp any any traceroute
permit icmp any any echo
permit icmp any any echo-reply
deny icmp any any

Waiting for your suggestions
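
Added example, not part of the original post: a first-match evaluator for the nine entries as posted, showing which entry decides a given ICMP packet. The core prefix 192.0.2.0/24 and the sample packets are constructed stand-ins, and evaluate() is a hypothetical helper, not a Cisco tool.

```python
from ipaddress import ip_address, ip_network

ANY = ip_network("0.0.0.0/0")
CORE = ip_network("192.0.2.0/24")  # constructed stand-in for the core placeholder

# IOS ICMP keywords from the post -> (type, code); code None means any code.
KEYWORDS = {
    "packet-too-big": (3, 4), "time-exceeded": (11, None),
    "source-quench": (4, None), "traceroute": (30, None),
    "echo": (8, None), "echo-reply": (0, None),
}

# (action, destination, qualifier) in the order posted; None matches all ICMP.
ACL = [
    ("deny", ANY, "fragments"),
    ("permit", ANY, "packet-too-big"),
    ("permit", ANY, "time-exceeded"),
    ("permit", ANY, "source-quench"),
    ("deny", CORE, None),
    ("permit", ANY, "traceroute"),
    ("permit", ANY, "echo"),
    ("permit", ANY, "echo-reply"),
    ("deny", ANY, None),
]

def evaluate(dst, icmp_type, icmp_code=0, fragment=False):
    """Return (action, 1-based entry number) of the first entry that matches."""
    addr = ip_address(dst)
    for n, (action, net, qual) in enumerate(ACL, 1):
        if addr not in net:
            continue
        if qual == "fragments":
            if fragment:  # non-initial fragment: decided here, before any type check
                return action, n
            continue
        if qual is None:
            return action, n
        want_type, want_code = KEYWORDS[qual]
        if icmp_type == want_type and want_code in (None, icmp_code):
            return action, n
    return "deny", None  # implicit deny that ends every IOS access list

if __name__ == "__main__":
    # Constructed packets: (destination, ICMP type, ICMP code)
    for pkt in [("198.51.100.7", 8, 0), ("192.0.2.1", 8, 0),
                ("192.0.2.1", 11, 0), ("198.51.100.7", 3, 1)]:
        print(pkt, evaluate(*pkt))
```

Because entries 2 to 4 sit above the core deny, packet-too-big, time-exceeded and source-quench addressed to the core prefix are decided by those entries and never reach entry 5.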