
TOPIC: IP vs ICMP

IP vs ICMP 11 years 2 months ago #10394

  • afdublin (New Member, Posts: 2)
Does an "ip any any" statement in an access-list include ICMP, or does ICMP access have to be configured independently?

--thanks

Re: IP vs ICMP 11 years 2 months ago #10397

  • nske (Expert Member, Posts: 613)
ICMP works over IP, so it is not really IP vs ICMP. From my experience with various packet-mangling software, "any" matches any available protocol, including ICMP. Though I cannot verify it 100%, I would be surprised if it was any different in Cisco's IOS or any other ;)

Re: IP vs ICMP 11 years 2 months ago #10406

  • jwj (Senior Member, Posts: 350)
I know from experience this is true :oops:

Yeah, doing ip any any will include anything with an IP header.
-Jeremy-

Re: IP vs ICMP 11 years 2 months ago #10424

Hi Guys.

Yes, whether it be an access-list on a PIX or a router, saying 'ip any any' means ANY IP protocol number. It's not the 'any' that defines that part of it, by the way, it's the "ip" part... (the 'any's represent the source and destination IP addresses, just in case there was some confusion)

If you think of TCP/IP in layers, first you have the IP protocol layer. This can be TCP, UDP, ICMP, ESP, GRE, and the list goes on... Once you pick one, for example TCP, then you can deal with the next layer. Inside of TCP, you pick a port number for your traffic, say port 23 (which happens to be Telnet). Now toss some source and destination IP addresses in there and you've got yourself a 'socket', or an established communications session.

If you were interested in blocking ICMP for some reason, but wanted to let all other IP traffic pass, you would simply craft your access list to look like this:

access-list xyz deny icmp any any
access-list xyz permit ip any any

In access-lists, order is everything. They are read linearly, from beginning to end. Newer PIX and IOS code allows for the 'insertion' of a new ACL line in between existing ones by using sequence numbers (a very cool, and long overdue, feature by the way).

Here's a good link for you if you are interested in seeing a list of all of the IP protocol codes and types presently defined:

www.iana.org/assignments/protocol-numbers

tGc
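As an added illustration (not code from this thread or from Cisco), here is a small Python model of how an extended access list is evaluated: first matching line wins, an unmatched packet hits the implicit deny, and the "ip" keyword in the protocol position matches every IP protocol number, ICMP included. The protocol numbers come from the IANA registry linked above; the address matching is deliberately simplified (exact address or "any", no wildcard masks or ports), and the ACL names and addresses in the sample are constructed for the demo.

```python
# Added example, not from the forum thread: a minimal first-match ACL
# evaluator modelling a Cisco-style extended access list. Simplified:
# no wildcard masks, no port matching, implicit deny when nothing matches.
from dataclasses import dataclass
from typing import List

# IANA-assigned IP protocol numbers for the keywords mentioned in the thread.
PROTOCOL_NUMBERS = {"icmp": 1, "tcp": 6, "udp": 17, "gre": 47, "esp": 50}


@dataclass(frozen=True)
class AclEntry:
    action: str      # "permit" or "deny"
    protocol: str    # "ip" (any IP protocol) or a keyword such as "icmp"
    src: str         # "any" or an exact address (constructed simplification)
    dst: str

    def matches(self, proto_num: int, src: str, dst: str) -> bool:
        # "ip" is a wildcard over the IP protocol field, so ICMP (1) matches it;
        # the two "any" words only constrain the source and destination addresses.
        if self.protocol != "ip" and PROTOCOL_NUMBERS[self.protocol] != proto_num:
            return False
        if self.src != "any" and self.src != src:
            return False
        if self.dst != "any" and self.dst != dst:
            return False
        return True


def parse_acl(lines: List[str]) -> List[AclEntry]:
    """Parse lines like 'access-list xyz deny icmp any any', preserving order."""
    entries = []
    for line in lines:
        parts = line.split()
        if len(parts) != 6 or parts[0] != "access-list":
            raise ValueError(f"unsupported ACL line: {line!r}")
        _, _name, action, protocol, src, dst = parts
        if action not in ("permit", "deny"):
            raise ValueError(f"bad action in: {line!r}")
        if protocol != "ip" and protocol not in PROTOCOL_NUMBERS:
            raise ValueError(f"unknown protocol keyword in: {line!r}")
        entries.append(AclEntry(action, protocol, src, dst))
    return entries


def evaluate(acl: List[AclEntry], proto_num: int, src: str, dst: str) -> str:
    """Linear scan: the first matching line decides; otherwise implicit deny."""
    for entry in acl:
        if entry.matches(proto_num, src, dst):
            return entry.action
    return "deny"  # the implicit deny at the end of every ACL


# Constructed samples: the ACL from the thread, and the same two lines reversed.
BLOCK_ICMP = parse_acl([
    "access-list xyz deny icmp any any",
    "access-list xyz permit ip any any",
])
REVERSED = parse_acl([
    "access-list xyz permit ip any any",
    "access-list xyz deny icmp any any",
])
IP_ONLY = parse_acl(["access-list xyz permit ip any any"])


def demo() -> dict:
    """Verdicts illustrating the two points made in the thread."""
    src, dst = "10.0.0.1", "10.0.0.2"   # constructed addresses
    return {
        # 'permit ip any any' on its own lets ICMP through, no separate icmp line needed
        "ip_any_any_matches_icmp": evaluate(IP_ONLY, PROTOCOL_NUMBERS["icmp"], src, dst),
        # deny icmp before permit ip: ICMP dropped, everything else passes
        "blocked_icmp": evaluate(BLOCK_ICMP, PROTOCOL_NUMBERS["icmp"], src, dst),
        "blocked_tcp": evaluate(BLOCK_ICMP, PROTOCOL_NUMBERS["tcp"], src, dst),
        # same lines in the other order: the deny line is never reached
        "reversed_icmp": evaluate(REVERSED, PROTOCOL_NUMBERS["icmp"], src, dst),
        # empty ACL: only the implicit deny applies
        "empty_acl": evaluate([], PROTOCOL_NUMBERS["tcp"], src, dst),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```

Running it prints "permit" for the ICMP packet against the lone 'permit ip any any' line, "deny" and "permit" for ICMP and TCP against the deny-then-permit list, and "permit" for ICMP once the two lines are reversed, which is exactly the ordering trap the last reply warns about.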
