ICMP and the concept of its messages (echo-reply, time-exceeded, etc.)
If we have these types of ACLs:
permit icmp any any echo-reply
permit icmp any any time-exceeded
permit icmp any any port-unreachable
As we know, an echo-reply means that if I send an echo-request, I expect to receive an echo-reply (i.e. an echo-reply is the response to an echo-request). To my knowledge an echo-reply cannot be initiated unless there is an echo-request. Am I right?
1- Do all other types of ICMP messages rely on an echo-request as well (i.e. behave like an echo-reply), or are they independent?
2- Does an ACL statement "deny icmp any any" deny all types of ICMP messages?
Suppose I have R1 with this reflexive ACL:
R1:
ip access-list extended FILTER-IN
permit icmp 10.0.0.0 0.0.0.255 any reflect GOODGUYS
permit ip any any
ip access-list extended FILTER-OUT
deny udp any any eq snmp
permit icmp any any time-exceeded
permit icmp any any port-unreachable
evaluate GOODGUYS
deny icmp any any
permit ip any any
interface Ethernet0/1
ip access-group FILTER-IN in
ip access-group FILTER-OUT out
The FILTER-IN list monitors packet data as it is sent into the E0/1 interface. The data is captured and put into a temporary list called GOODGUYS.
The FILTER-OUT list looks at the data stored in GOODGUYS and monitors TCP/IP traffic being delivered out of the E0/1 interface.
Any TCP/IP traffic that originated from the 10.0.0.0 network is allowed to come back into the network.
1- Will the traffic be filtered only on the basis of the ICMP protocol?
2- How does the reflexive ACL check the origin of a packet? Does it compare the destination IP address of a returned packet with the source IP address of a dispatched packet?
3- What would happen if I replaced "permit icmp 10.0.0.0 0.0.0.255 any reflect GOODGUYS" with "permit ip 10.0.0.0 0.0.0.255 any reflect GOODGUYS" (ip instead of icmp)? Would that include permission for ICMP packets as well?
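As an added illustration of the R1 configuration above (example code written for this page, not from the original post or from Cisco): a small Python model in which FILTER-IN creates GOODGUYS entries and FILTER-OUT evaluates them against constructed return traffic. It assumes, as a simplification, that a reflected entry mirrors only the protocol and the swapped source/destination addresses and never times out; the `reflect_protos` parameter switches between the `permit icmp ... reflect` and `permit ip ... reflect` variants asked about in question 3.

```python
"""Toy model of R1's reflexive ACL: FILTER-IN reflects into GOODGUYS,
FILTER-OUT evaluates it. Constructed example, not Cisco IOS code. Assumptions:
a GOODGUYS entry mirrors only protocol + swapped addresses and never times out."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

INSIDE = ip_network("10.0.0.0/24")  # "10.0.0.0 0.0.0.255" in the ACL
ECHO_REPLY, DEST_UNREACH, ECHO_REQUEST, TIME_EXCEEDED = 0, 3, 8, 11
PORT_UNREACHABLE, SNMP = 3, 161     # ICMP type 3 code 3; UDP/161


@dataclass(frozen=True)
class Packet:
    proto: str                       # "icmp", "tcp" or "udp"
    src: str
    dst: str
    icmp_type: Optional[int] = None  # ICMP only
    icmp_code: int = 0
    dport: Optional[int] = None      # TCP/UDP only


class ReflexiveRouter:
    """reflect_protos={"icmp"} models 'permit icmp ... reflect GOODGUYS';
    {"icmp", "tcp", "udp"} models 'permit ip ... reflect GOODGUYS'."""

    def __init__(self, reflect_protos=frozenset({"icmp"})):
        self.reflect_protos = set(reflect_protos)
        self.goodguys = set()  # temporary entries: (proto, src, dst)

    def filter_in(self, pkt: Packet) -> str:
        """FILTER-IN: inbound on E0/1, i.e. traffic leaving the 10.0.0.0/24 side."""
        if pkt.proto in self.reflect_protos and ip_address(pkt.src) in INSIDE:
            self.goodguys.add((pkt.proto, pkt.dst, pkt.src))  # mirrored entry
        return "permit"  # permit ip any any

    def filter_out(self, pkt: Packet) -> str:
        """FILTER-OUT: outbound on E0/1, i.e. traffic returning to 10.0.0.0/24."""
        if pkt.proto == "udp" and pkt.dport == SNMP:
            return "deny (snmp)"
        if pkt.proto == "icmp" and pkt.icmp_type == TIME_EXCEEDED:
            return "permit (time-exceeded)"
        if pkt.proto == "icmp" and (pkt.icmp_type, pkt.icmp_code) == (DEST_UNREACH, PORT_UNREACHABLE):
            return "permit (port-unreachable)"
        if (pkt.proto, pkt.src, pkt.dst) in self.goodguys:
            return "permit (evaluate GOODGUYS)"
        if pkt.proto == "icmp":
            return "deny (icmp)"  # catches every remaining ICMP type
        return "permit"  # permit ip any any


def demo(reflect_protos=frozenset({"icmp"})) -> dict:
    """Constructed traffic: 10.0.0.5 pings 192.0.2.1 and opens TCP/443 to it."""
    r = ReflexiveRouter(reflect_protos)
    r.filter_in(Packet("icmp", "10.0.0.5", "192.0.2.1", ECHO_REQUEST))
    r.filter_in(Packet("tcp", "10.0.0.5", "192.0.2.1", dport=443))
    back = lambda **kw: r.filter_out(Packet(dst="10.0.0.5", **kw))
    return {
        "solicited echo-reply": back(proto="icmp", src="192.0.2.1", icmp_type=ECHO_REPLY),
        "unsolicited echo-reply": back(proto="icmp", src="203.0.113.9", icmp_type=ECHO_REPLY),
        "unsolicited echo-request": back(proto="icmp", src="203.0.113.9", icmp_type=ECHO_REQUEST),
        "unsolicited time-exceeded": back(proto="icmp", src="203.0.113.9", icmp_type=TIME_EXCEEDED),
        "tcp return": back(proto="tcp", src="192.0.2.1", dport=51000),
        "snmp poll": back(proto="udp", src="203.0.113.9", dport=SNMP),
    }
```

In this model only the solicited echo-reply passes through the reflected entry, time-exceeded passes through its explicit permit regardless of any echo-request, and the trailing "deny icmp any any" catches every other ICMP type.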
Similar Messages
-
I cannot sync my iPhone with iTunes; it is catching, and when it begins to sync it takes a long time and then a message appears that there is no time to help synchronization. I am without some music.
You are correct. Syncing should transfer any purchased media, including videos, from your device to your iTunes library provided your computer is authorized for the Apple ID used to make these purchases. You mentioned that you have uninstalled iTunes before, but if you didn't follow this guide exactly, uninstalling iTunes and all of its components in the order specified, it may not have been successful so you should try again: Windows XP or Windows Vista/7.
-
How to suppress the Forms special message on run time (forms 6i)
Hi,
I am using Forms 6i and got the following message at run time. How do I suppress this message at run time? I don't know the message code of this message; maybe it is the prompt or some other type of message.
However, I also used the system variable MESSAGE_LEVEL to suppress this message, but it did not suppress it.
For Example:
:SYSTEM.MESSAGE_LEVEL := '25';
Please send the code to suppress this message.
FORM MESSAGE:
Oracle Forms 6.0
Use the Windows Program Manager to execute operating system commands.
Thanks
Amit
Dear Frank,
Thanks for the reply. As you said, I kept the value <NULL> in the Form Module properties palette, but that forms message was not suppressed and it is still displayed. The message is:
Oracle Forms 6.0
Use the Windows Program Manager to execute operating system commands
Could you please give me its solution how to avoid that message?
Thanks
AMIT -
How to make TCP have the established option's function or a reflexive ACL in ASA, like ICMP has echo-reply
How can I make TCP have the established option's function, or a reflexive ACL, in ASA, like ICMP has echo-reply, rather than permitting TCP on both sides?
An ASA firewall is stateful.
The reflexive access for TCP connections (or UDP flows) is allowed by default as the firewall checks for established connections prior to applying an access-list on traffic that arrives at an interface.
Excerpted from this document (emphasis mine):
"Here are the individual steps in detail:
Packet is reached at the ingress interface.
Once the packet reaches the internal buffer of the interface, the input counter of the interface is incremented by one.
Cisco ASA will first verify if this is an existing connection by looking at its internal connection table details. If the packet flow matches an existing connection, then the access-control list (ACL) check is bypassed, and the packet is moved forward.
If packet flow does not match an existing connection, then TCP state is verified. If it is a SYN packet or UDP packet, then the connection counter is incremented by one and the packet is sent for an ACL check. If it is not a SYN packet, the packet is dropped and the event is logged." -
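The connection-table and SYN steps quoted above, as an added Python model (example code written for this page, not Cisco ASA code). The interface ACLs and the sample packets are constructed; a connection is assumed to be keyed by its 5-tuple, matched in either direction, and never to time out.

```python
"""Toy model of the ASA packet-flow steps quoted above. Constructed
example, not Cisco ASA code. Assumptions: a connection is keyed by its
5-tuple and matched in either direction, and connections never time out."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Set, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str         # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False  # TCP SYN flag; ignored for UDP

Key = Tuple[str, str, int, str, int]
Acl = Callable[[Packet], bool]  # True = permit


class Asa:
    def __init__(self, acls: Dict[str, Acl]):
        self.acls = acls                      # interface name -> inbound ACL
        self.conns: Set[Key] = set()          # internal connection table
        self.input_counter = dict.fromkeys(acls, 0)
        self.conn_counter = 0
        self.log: List[str] = []

    def ingress(self, iface: str, p: Packet) -> str:
        self.input_counter[iface] += 1        # packet reached the ingress interface
        key: Key = (p.proto, p.src, p.sport, p.dst, p.dport)
        reverse: Key = (p.proto, p.dst, p.dport, p.src, p.sport)
        # Step 1: an existing connection (either direction) bypasses the ACL
        if key in self.conns or reverse in self.conns:
            return "forward (existing connection, ACL bypassed)"
        # Step 2: only a TCP SYN or a UDP packet may create a connection
        if p.proto == "udp" or (p.proto == "tcp" and p.syn):
            self.conn_counter += 1
            if self.acls[iface](p):
                self.conns.add(key)
                return "forward (new connection, ACL permit)"
            self.log.append(f"{iface}: ACL denied {key}")
            return "drop (ACL deny)"
        self.log.append(f"{iface}: non-SYN TCP without connection {key}")
        return "drop (non-SYN without connection)"


def inside_acl(p: Packet) -> bool:
    """Constructed inside ACL: hosts may open TCP/443 and UDP/53 outbound."""
    return (p.proto, p.dport) in {("tcp", 443), ("udp", 53)}


def demo() -> dict:
    """Constructed traffic: 192.168.1.10 opens HTTPS to 198.51.100.7 and
    queries DNS; outside hosts then send replies and unsolicited packets."""
    asa = Asa({"inside": inside_acl, "outside": lambda p: False})  # outside: nothing inbound
    return {
        "inside SYN": asa.ingress("inside", Packet("tcp", "192.168.1.10", 51000, "198.51.100.7", 443, syn=True)),
        "return SYN-ACK": asa.ingress("outside", Packet("tcp", "198.51.100.7", 443, "192.168.1.10", 51000, syn=True)),
        "return data": asa.ingress("outside", Packet("tcp", "198.51.100.7", 443, "192.168.1.10", 51000)),
        "stray ACK": asa.ingress("outside", Packet("tcp", "203.0.113.9", 443, "192.168.1.10", 51000)),
        "outside SYN to ssh": asa.ingress("outside", Packet("tcp", "203.0.113.9", 40000, "192.168.1.10", 22, syn=True)),
        "inside DNS query": asa.ingress("inside", Packet("udp", "192.168.1.10", 53000, "198.51.100.53", 53)),
        "DNS reply": asa.ingress("outside", Packet("udp", "198.51.100.53", 53, "192.168.1.10", 53000)),
    }
```

The return SYN-ACK and the DNS reply never touch the outside ACL because they match the connection created by the inside host, while the stray ACK is dropped before any ACL is consulted.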
Hi. I have shared an Apple ID with my children for some time. As they are getting older they do not want me seeing all their messages, photos etc., so they want their own accounts. How can they access their purchased music and apps on the new account please?
Yes.
On their iOS devices, under Settings>iTunes & App Store, they should use your Apple ID. When they log into iCloud, iMessage and Facetime, they should use their personal Apple IDs. -
Is it possible to send a text from the iphone 4s to several contacts and not have their replies go to everyone else on the original text? I have group messaging turned off but this seems to do nothing.
Do this instead:
Email everyone instead of texting and use BCC: which will hide all of the people's emails. -
My young kids have iPads and, since I updated the software, although they have their own iCloud accounts, predictive text within their messages shows all my contacts from my iPhone, but the contacts are not listed as their contacts. How do I stop this?
I have deleted the iCloud account under my name on their iPads and replaced it with their own. Apple support said yesterday I needed to click the small 'i' by each name as it came up in the To box and remove it. After doing rid for each contact under each letter of the alphabet, it should remove them from latest contacts. Having done this, although I could not remove groups I had sent, I am not convinced they will not return once I have written a few texts. Any ideas?
-
I added 3 contacts and saved them on my iPhone 5, but they do not appear on my list of contacts. The names appear when they text or call me. I have to go search for their messages when I need to call them?
Try to restore your iPhone via iTunes or update to iOS 6.1.2.
If iTunes gives an error with restoring (DFU/Recovery or just normal)
try this:
open your computer and search on Windows: C://windows/system32/drivers/etc/hosts
open up the hosts file in Notepad; you will see IP addresses and more. Add another line and put in this:
#74.208.10.249 gs.apple.com
this is a by-pass to the cydia/saurik restore server; it has nothing to do with jailbreaking or voiding Apple's warranty
let me know if it succeeded! -
Would any iPhone 5 come without a setup on it? I got a new iPhone and there wasn't a setup, and there was a message from an unknown number.
From a local dealer, but he told me that the phone is a brand new one. He told me that European phones come without a setup.
-
ACL filtering icmp ECHO-Reply Behavior
Hello Guys....
I need some help here. I have attached the topology with this in case you don't get what I am trying to ask.
I have just 2 routers connected directly like this: R1 <------------> R2. The network between them is 10.1.12.0/24; R1 has an IP address of 10.1.12.1 and R2 has an IP address of 10.1.12.2. Well, so far so good, hmmm.
Now the question is simple: I want to block ICMP echo-replies coming from R1 to R2, simple as that. But it only works if I apply an ACL on R2's interface in the INBOUND direction. Why on earth doesn't it work if I apply the ACL on R1's interface in the OUTBOUND direction???
The ACL is this one:
access-list 100 deny icmp host 10.1.12.1 host 10.1.12.2 echo-reply
access-list 100 permit ip any any
It works if I apply this in the inbound direction of R2, but why doesn't it work if I apply this in the OUTBOUND direction of R1?
Please do help me out, thanks :)
Hi,
I believe that's because "Access lists that are applied to interfaces do not filter traffic that originates from that router."
See http://www.cisco.com/c/en/us/td/docs/ios/12_2/security/configuration/guide/fsecur_c/scfacls.html#wp1001135 for details.
Best regards,
Milan -
Can't receive messages but I can send them to people without iPhones. I used to get their messages and then I just stopped receiving them. I can't even receive a message to check my data.
Hi Tnolen15,
If you are having issues sending or receiving messages from a specific contact (in this case, your wife), you may find this portion of the following article helpful (ignore the numbering):
If the issue occurs with a specific contact or contacts, back up or forward important messages and delete your current messaging threads with the contact. Create a new message to the contact and try again.
If the issue occurs with a specific contact or contacts, delete and recreate the contact in the Contacts app. Create a new message to the newly created contact and try again.
iOS: Troubleshooting Messages
http://support.apple.com/kb/ts2755
Regards,
- Brenden -
Unable to send messages and "send" function is unavailable when replying to a message.
I'm unable to send messages and the "send" function is unavailable when replying to a message.
My device is a BB, device model 7290.
IT Support Analyst
Typically this means a corrupt xxxxx [CMIME] service book. Go to Options > Advanced Options > Service Books. Highlight the xxxxx [CMIME] service book and press delete. Wait 30 seconds, click the track wheel and select undelete. If this doesn't work you can have the service books resent by your BES admin (if BES connected) or send them to yourself from the BIS website (if it's a BIS account).
-
My iMessage won't let me text one specific person but will let me message anyone else, and it also keeps freezing and exiting out without letting me reply to the other person. Can someone please help me? It's really aggravating and frustrating. Please and thank you, my fellow Apple users and friends.
Can the person Message you? If yes can you reply?
Try:
- Reset the iOS device. Nothing will be lost
Reset iOS device: Hold down the On/Off button and the Home button at the same time for at least ten seconds, until the Apple logo appears.
- Go to Settings>Messages>Send and Receive and sign out and sign back in
- Reset all settings
Go to Settings > General > Reset and tap Reset All Settings.
All your preferences and settings are reset. Information (such as contacts and calendars) and media (such as songs and videos) aren’t affected.
- Restore from backup. See:
iOS: How to back up
- Restore to factory settings/new iOS device. -
PI 7.0 SOAP message reply HTTP 500 and after the fault message
Hello Everybody,
I have the scenario RFC -> XI -> SOAP in synchronous mode.
I use XSLT for the mapping because I have to put some dynamic data coming from the RFC in the header of the envelope.
At the level of the SOAP receiver adapter, I flag "do not use envelope".
Normally, that works.
When there is a functional error in the SOAP service, it sends me back an HTTP 500 error and afterwards the fault message in a SOAP envelope format. In that case, how can I get past this error to process the envelope, because in the adapter it is stopped and it returns a short dump to the RFC?
Is there somebody who can help me with this problem?
Thanks in advance for your answers.
Regards.
Eric.
Hi,
In case of a SOAP error while processing the request, the SOAP HTTP server MUST issue an HTTP 500 "Internal Server Error" response and include a SOAP message in the response containing a SOAP Fault element
Thanks,
RamuV -
ASA 5510 - Version 8.2(1) - SSH, ICMP and NAT not working
I have an ASA 5510 using version 8.2(1) and I have enabled ssh, icmp and they work from the inside network but not from the outside network.
Further to this, I exposed one site from the inside interface on the ASA (192.168.1.100) to outside (1.1.1.7) using NAT and it is not pingable nor accessible from the outside. I also allowed SSH from the outside network to the external IP addresses of the ASA and it is not working either. Any ideas what I could be missing in my configuration? I bolded the configurations involved in the ASA running configuration I copied below (please note I have replaced the real IP addresses with 1.1.1.x and 2.2.2.x):
ASA Version 8.2(1)
hostname fw
domain-name net.com
enable password eYKAfQL1.ZSbcTXZ encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
dns-guard
interface Ethernet0/0
description Primary Outside (Internet)
speed 10
duplex full
nameif outside
security-level 0
ip address 1.1.1.5 255.255.255.240
ospf cost 10
interface Ethernet0/1
description inside
speed 100
duplex full
nameif inside
security-level 100
ip address 192.168.1.254 255.255.255.0
ospf cost 10
interface Ethernet0/2
description WLAN
nameif WLAN
security-level 100
ip address 192.168.108.240 255.255.255.0
ospf cost 10
interface Ethernet0/3
description Secondary Outside (Internet)
speed 100
duplex full
nameif WAN2
security-level 0
ip address 2.2.2.133 255.255.255.192
interface Management0/0
description LAN/STATE Failover Interface
time-range after_hours
periodic weekdays 7:00 to 23:00
boot system disk0:/asa821-k8.bin
no ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns domain-lookup WLAN
dns server-group DefaultDNS
retries 3
timeout 5
name-server 8.8.8.8
name-server 206.191.0.210
name-server 4.2.2.1
name-server 4.2.2.2
domain-name net.com
access-list WAN2_access_in extended permit icmp any any echo-reply
access-list WAN2_access_in extended permit icmp any any time-exceeded
access-list WAN2_access_in extended permit icmp any any source-quench
access-list WAN2_access_in extended permit icmp any any unreachable
access-list WLAN_access_in extended permit icmp any any echo-reply
access-list WLAN_access_in extended permit icmp any any time-exceeded
access-list WLAN_access_in extended permit icmp any any source-quench
access-list WLAN_access_in extended permit icmp any any unreachable
access-list WLAN_access_in extended permit tcp host 192.168.1.100 eq ssh any
access-list WLAN_access_in extended permit tcp 192.168.1.0 255.255.255.0 host 192.168.1.100 eq ssh
access-list WLAN_access_in extended permit ip any any
access-list time_based extended permit ip any any time-range after_hours
access-list split_tunnel standard permit host 206.191.0.210
access-list split_tunnel standard permit host 206.191.0.140
access-list split_tunnel standard permit host 207.181.101.4
access-list split_tunnel standard permit host 207.181.101.5
access-list split_tunnel standard permit 192.168.1.0 255.255.255.0
access-list outside_access_in extended permit icmp any any echo-reply
access-list outside_access_in extended permit icmp any any time-exceeded
access-list outside_access_in extended permit icmp any any
access-list outside_access_in extended permit tcp any host 1.1.1.7 eq ssh
access-list inside_access_in extended permit ip any any
access-list inside_access_in extended permit tcp any host 192.168.1.100 eq ssh
access-list inside_access_in extended permit icmp any any
access-list inside_access_in extended permit icmp 192.168.1.0 255.255.255.0 any
access-list inside_access_in extended permit ip 192.168.1.0 255.255.255.0 any
access-list inside_access_in extended permit tcp 192.168.1.0 255.255.255.0 host 192.168.1.100 eq ssh
pager lines 20
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu WLAN 1500
mtu WAN2 1500
ip local pool DHCP 192.168.1.245-192.168.1.252 mask 255.255.255.0
ip verify reverse-path interface outside
ip verify reverse-path interface WAN2
failover
failover lan unit secondary
failover lan interface FO Management0/0
failover key *****
failover link FO Management0/0
failover interface ip FO 192.168.255.171 255.255.255.0 standby 192.168.255.172
icmp unreachable rate-limit 1 burst-size 1
icmp permit any outside
icmp permit any inside
icmp permit any WLAN
icmp permit any WAN2
asdm image disk0:/asdm-621.bin
asdm history enable
arp timeout 14400
global (outside) 1 interface
global (WAN2) 1 interface
nat (inside) 1 192.168.1.0 255.255.255.0
nat (WLAN) 1 192.168.108.0 255.255.255.0
static (inside,outside) 1.1.1.7 192.168.1.100 netmask 255.255.255.255
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
access-group WLAN_access_in in interface WLAN
access-group WAN2_access_in in interface WAN2
route outside 0.0.0.0 0.0.0.0 1.1.1.1 1
route WAN2 0.0.0.0 0.0.0.0 2.2.2.129 254
route inside 192.168.1.100 255.255.255.255 192.168.1.0 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
http server enable
http 192.168.108.0 255.255.255.0 WLAN
http 192.168.1.0 255.255.255.0 inside
http 192.168.1.101 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
sla monitor 123
type echo protocol ipIcmpEcho 4.2.2.2 interface outside
num-packets 3
timeout 1000
frequency 3
service resetoutside
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
track 1 rtr 123 reachability
no vpn-addr-assign aaa
no vpn-addr-assign dhcp
telnet timeout 5
ssh scopy enable
ssh 2.2.2.132 255.255.255.255 outside
ssh 69.17.141.134 255.255.255.255 outside
ssh 192.168.1.0 255.255.255.0 inside
ssh 192.168.1.100 255.255.255.255 inside
ssh 192.168.108.0 255.255.255.0 WLAN
ssh timeout 60
console timeout 0
management-access inside
dhcpd address 192.168.108.11-192.168.108.239 WLAN
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp authenticate
ntp server 128.100.100.128
ntp server 132.246.168.148
ntp server 128.100.56.135
tftp-server inside 192.168.1.100 /
webvpn
group-policy Wifi internal
group-policy Wifi attributes
wins-server none
dns-server value 206.191.0.210 206.191.0.140
vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
split-tunnel-policy tunnelspecified
split-tunnel-network-list value split_tunnel
tunnel-group Wifi type remote-access
tunnel-group Wifi general-attributes
address-pool DHCP
default-group-policy Wifi
tunnel-group Wifi ipsec-attributes
pre-shared-key *
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
inspect icmp
inspect icmp error
policy-map type inspect dns migrated_dns_map_1
parameters
message-length maximum 512
service-policy global_policy global
prompt hostname context
Cryptochecksum:ac25ef0642e0ecb8f0ef63219833f3ae
: end
asdm image disk0:/asdm-621.bin
asdm location 192.168.1.245 255.255.255.255 inside
asdm location 192.168.1.252 255.255.255.255 inside
asdm history enable
Hi,
I can't see any problems right away in the configuration.
I guess we could start by using "packet-tracer" to simulate the SSH and ICMP through the firewall:
packet-tracer input outside tcp 1.1.1.1 12345 22
packet-tracer input outside icmp 1.1.1.1 8 0
Don't mind the source address of 1.1.1.1. It's just an address that is located behind the "outside" interface according to the ASA routing table (as the 1.1.1.0/28 shown in the configuration is not actually configured on the ASA).
Share the exact "packet-tracer" command used (without the public IP; notice that the output contains the public IP also) and the output of the command with us here.
Also, have you made sure that there are no old translations active on the ASA?
You can use this command to view those
show xlate local 192.168.1.100
You can clear the xlates with
clear xlate local 192.168.1.100
- Jouni