You are denying ICMP explicitly because the "permit ip any any" will allow all other ICMP traffic as that is included under IP.
On 6/18/09 11:10 PM, "Bauke Dzavhale" <[email protected]> wrote:

> Just for clarification since the PG solution is slightly different...
>
> This is the way I have implemented this Task.
>
> -------------------------------------------------------------------------------
> Task 8-1
>
> R8
>
> ip access-list VLANF extended
> deny tcp any host 100.0.0.8 eq 23
> deny tcp 140.10.88.0 0.0.0.255 any range 20 21
> permit icmp any host 140.10.0.1
> permit icmp any host 140.10.0.2
> permit icmp any 140.10.0.4 0.0.0.5
> permit icmp any 140.10.0.35 0.0.0.3
>
> permit icmp 140.10.0.1 any
> permit icmp 140.10.0.2 any
> permit icmp 140.10.0.4 0.0.0.5 any
> permit icmp 140.10.0.35 0.0.0.3 any
>
> ! deny icmp any any
> ! I do not think I need the previous entry...already included implicitly
> permit ip any any
>
> interface f0/1
> ip access-group VLANF in
>
> Question 1: Is this an acceptable solution?
>
> Question 2: Do I need to explicitly deny ICMP in the end as done in the
> solution (PG page 360)? My understanding is that ICMP will be implicitly denied...
>
>
> Bauke

Cheers,

Jared Scrivener CCIE3 #16983 (R&S, Security, SP), CISSP
Sr. Technical Instructor - IPexpert, Inc.
URL: http://www.IPexpert.com
Telephone: +1.810.326.1444
Fax: +1.810.454.0130
Mailto: [email protected]
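The first-match behaviour discussed in this thread, as an added example that is not part of either message: a small Python model of extended-ACL evaluation run over the ICMP and IP entries of the posted VLANF list, with and without the explicit "deny icmp any any". The two TCP entries are left out because they can never match an ICMP packet, and the test addresses (192.0.2.10, 198.51.100.20) are constructed.

```python
import ipaddress

def addr_match(spec, addr):
    """spec is "any" or (base, wildcard); wildcard 1-bits are don't-care bits."""
    if spec == "any":
        return True
    base, wild = (int(ipaddress.IPv4Address(x)) for x in spec)
    a = int(ipaddress.IPv4Address(addr))
    return (a | wild) == (base | wild)

def evaluate(acl, proto, src, dst):
    """Return the action of the first matching entry, top down."""
    for action, entry_proto, entry_src, entry_dst in acl:
        # An "ip" entry matches every IP protocol, ICMP included.
        if entry_proto not in ("ip", proto):
            continue
        if addr_match(entry_src, src) and addr_match(entry_dst, dst):
            return action
    return "deny"  # implicit deny, reached only if nothing above matched

def host(ip):
    return (ip, "0.0.0.0")

# Address specs taken from the ACL in the quoted message.
ALLOWED = [host("140.10.0.1"), host("140.10.0.2"),
           ("140.10.0.4", "0.0.0.5"), ("140.10.0.35", "0.0.0.3")]

ICMP_PERMITS = ([("permit", "icmp", "any", spec) for spec in ALLOWED] +
                [("permit", "icmp", spec, "any") for spec in ALLOWED])

# As posted: explicit deny commented out, list ends in "permit ip any any".
ACL_AS_POSTED = ICMP_PERMITS + [("permit", "ip", "any", "any")]

# With the explicit deny placed before the final permit.
ACL_WITH_DENY = (ICMP_PERMITS +
                 [("deny", "icmp", "any", "any"),
                  ("permit", "ip", "any", "any")])

if __name__ == "__main__":
    pkt = ("icmp", "192.0.2.10", "198.51.100.20")  # constructed test packet
    print("as posted :", evaluate(ACL_AS_POSTED, *pkt))
    print("with deny :", evaluate(ACL_WITH_DENY, *pkt))
```

The implicit deny only applies to traffic that reaches the end of the list, which never happens once "permit ip any any" is the last entry.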
