Posted by Scott Townsend on May 4, 2006, 10:31 am
> Which direction is that applied on?
interface MFR0.672 point-to-point
description WAN to SBC Internet Service
ip access-group 103 in
So should I be applying this to the MFR0 or the Ethernet interface?
I think I have a Few Issues.
I guess I have to assign a static NAT IP to the users I want to be able to
ping so the edge router knows who to let have the ping replies.
Since the edge router is not doing the NAT (I have a PIX behind it), it can't
know which of the public IPs is in the 10.1.1.0/24 network.
Hmmm...
Thank you!
>>On my Edge Router I have an Access list for ICMP as follows:
>>access-list 103 permit icmp any any time-exceeded
>>access-list 103 permit icmp any any port-unreachable
>>access-list 103 deny icmp any any
>>access-list 103 deny icmp any 0.0.0.0 255.255.255.0
>>access-list 103 deny icmp any 0.0.0.255 255.255.255.0
>>access-list 103 deny icmp any any redirect
> Which direction is that applied on?
>>I would like to be able to initiate a ping out from the 10.1.1.0/24, but
>>not from anywhere else, and would like to not allow anyone to ping us.
> In the ACL applied out,
> permit icmp 10.1.1.0 0.0.0.255 any echo
> In the ACL applied in,
> permit icmp any PUBLIC_IP PUBLIC_MASK echo-reply
> [PUBLIC_IP PUBLIC_MASK for the case where you are NAT'ing, which you
> need to be doing because RFC1918 does not allow you to source packets
> in any of the reserved IP ranges past the edge of your network.]
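The exchange above turns on three IOS access-list facts: entries are evaluated top to bottom and the first match wins, every list ends in an implicit deny, and the direction in `ip access-group 103 in` is relative to the interface it is applied on, so on the WAN-facing MFR0.672 subinterface "in" filters traffic arriving from the Internet and "out" filters traffic leaving toward it. The following Python model is an added example, not configuration from either poster: it parses entries in the same `access-list N permit|deny icmp SRC DST [type]` syntax used in the thread (including the inverted wildcard mask, where 0.0.0.255 means a /24), runs sample ICMP packets through an "in" list built along the replier's advice and an "out" list that relies on the implicit deny, and then lists entries of the posted ACL 103 that an earlier entry already covers. The addresses 203.0.113.0/24 (standing in for PUBLIC_IP PUBLIC_MASK), 203.0.113.10 and 198.51.100.7 are constructed documentation-range values. The "out" list keeps the replier's 10.1.1.0/24 source as written; where the PIX translates before the edge router, as Scott describes, the source seen on the WAN interface would be the translated public address instead.

```python
import ipaddress
from typing import List, NamedTuple, Optional, Tuple

# Constructed sample lists, not the poster's or replier's actual configuration.
# ACL_IN follows the thread's advice for the list applied "in" on the WAN side:
# let replies to our own pings back in, keep the ICMP traceroute relies on, and
# drop every other ICMP packet. 203.0.113.0/24 stands in for PUBLIC_IP PUBLIC_MASK.
ACL_IN = [
    "access-list 103 permit icmp any 203.0.113.0 0.0.0.255 echo-reply",
    "access-list 103 permit icmp any any time-exceeded",
    "access-list 103 permit icmp any any port-unreachable",
    "access-list 103 deny icmp any any",
]
# The list applied "out": only echo requests from the inside network leave.
# No trailing deny on purpose; the implicit deny at the end of every ACL applies.
ACL_OUT = ["access-list 104 permit icmp 10.1.1.0 0.0.0.255 any echo"]
# ACL 103 exactly as posted, used to show which entries an earlier one shadows.
POSTED_103 = [
    "access-list 103 permit icmp any any time-exceeded",
    "access-list 103 permit icmp any any port-unreachable",
    "access-list 103 deny icmp any any",
    "access-list 103 deny icmp any 0.0.0.0 255.255.255.0",
    "access-list 103 deny icmp any 0.0.0.255 255.255.255.0",
    "access-list 103 deny icmp any any redirect",
]

AddrSpec = Tuple[int, int]  # (address value, wildcard mask) as 32-bit ints


class Ace(NamedTuple):
    action: str               # "permit" or "deny"
    src: AddrSpec
    dst: AddrSpec
    icmp_type: Optional[str]  # None matches every ICMP type
    text: str


def _ip(s: str) -> int:
    return int(ipaddress.IPv4Address(s))


def _parse_addr(tokens: List[str], i: int) -> Tuple[AddrSpec, int]:
    """Parse 'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD' starting at tokens[i]."""
    if tokens[i] == "any":
        return (0, 0xFFFFFFFF), i + 1
    if tokens[i] == "host":
        return (_ip(tokens[i + 1]), 0), i + 2
    return (_ip(tokens[i]), _ip(tokens[i + 1])), i + 2


def parse_ace(line: str) -> Ace:
    tokens = line.split()
    if tokens[0] == "access-list":
        tokens = tokens[2:]  # drop "access-list <number>"
    action, proto = tokens[0], tokens[1]
    if action not in ("permit", "deny") or proto != "icmp":
        raise ValueError("only 'permit|deny icmp ...' entries are modelled: " + line)
    src, i = _parse_addr(tokens, 2)
    dst, i = _parse_addr(tokens, i)
    icmp_type = tokens[i] if i < len(tokens) else None
    return Ace(action, src, dst, icmp_type, line)


def _matches(addr: str, spec: AddrSpec) -> bool:
    """IOS wildcard masks are inverted: a 1 bit means 'don't care', so only the
    zero bits of the mask are compared (0.0.0.255 therefore matches a /24)."""
    value, wildcard = spec
    return ((_ip(addr) ^ value) & ~wildcard & 0xFFFFFFFF) == 0


def evaluate(acl: List[str], src: str, dst: str, icmp_type: str) -> Tuple[str, str]:
    """Run one ICMP packet through the list: top to bottom, first match decides,
    and a packet matching no entry hits the implicit deny."""
    for line in acl:
        ace = parse_ace(line)
        if (_matches(src, ace.src) and _matches(dst, ace.dst)
                and ace.icmp_type in (None, icmp_type)):
            return ace.action, line
    return "deny", "<implicit deny>"


def _covers(outer: AddrSpec, inner: AddrSpec) -> bool:
    """True if every address matching `inner` also matches `outer`."""
    ov, ow = outer
    iv, iw = inner
    compared = ~ow & 0xFFFFFFFF  # bits the outer spec actually checks
    return (iw & compared) == 0 and ((ov ^ iv) & compared) == 0


def shadowed_entries(acl: List[str]) -> List[str]:
    """Entries that can never match because an earlier entry is at least as broad
    in source, destination and ICMP type; these are dead configuration."""
    aces = [parse_ace(line) for line in acl]
    dead = []
    for n, later in enumerate(aces):
        if any(_covers(e.src, later.src) and _covers(e.dst, later.dst)
               and e.icmp_type in (None, later.icmp_type) for e in aces[:n]):
            dead.append(later.text)
    return dead


if __name__ == "__main__":
    print(evaluate(ACL_OUT, "10.1.1.5", "198.51.100.7", "echo"))            # permit
    print(evaluate(ACL_OUT, "10.1.2.5", "198.51.100.7", "echo"))            # implicit deny
    print(evaluate(ACL_IN, "198.51.100.7", "203.0.113.10", "echo-reply"))   # permit
    print(evaluate(ACL_IN, "198.51.100.7", "203.0.113.10", "echo"))         # deny
    print(evaluate(POSTED_103, "198.51.100.7", "203.0.113.10", "echo-reply"))  # deny
    print(shadowed_entries(POSTED_103))
```

Running the posted list against an inbound `echo-reply` shows why pings from inside fail with it applied "in": nothing permits the reply before `deny icmp any any` catches it. The shadow check reports the three entries after that line, which can never be reached; they are harmless here because they are also denies, but the same check flags a permit that an earlier deny has silently neutralised, which is the case worth catching in review.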