Meant to say that 8 here is type and 0 is code.

From: [email protected] [mailto:[email protected]] On Behalf Of Eugene Pefti
Sent: Wednesday, June 20, 2012 4:47 PM
To: Imre Oszkar; Fawad Khan
Cc: [email protected]
Subject: Re: [OSL | CCIE_Security] CCIE_Security Digest, Vol 72, Issue 75
I'd say the same, type and code are different. I have always been simulating packet flow on the ASA using packet-tracer by specifying both type and code like this (simulating ICMP echo):

packet-tracer input inside icmp 1.1.1.1 8 0 2.2.2.2

From: [email protected] [mailto:[email protected]] On Behalf Of Imre Oszkar
Sent: Wednesday, June 20, 2012 3:45 PM
To: Fawad Khan
Cc: [email protected]
Subject: Re: [OSL | CCIE_Security] CCIE_Security Digest, Vol 72, Issue 75

I have to disagree with you on this :) I don't think that ICMP type and code are the same. For instance, Type 3 Code 0 means Net Unreachable, so if you match only by code you will drop/pass more than ICMP echo/reply. Take a look here:
http://www.iana.org/assignments/icmp-parameters/icmp-parameters.xml#icmp-parameters-types

On Wed, Jun 20, 2012 at 3:27 PM, Fawad Khan <[email protected]> wrote:

ICMP code/type 0 means echo request and ICMP code/type 8 means echo reply. Type/code 3 means ICMP unreachable. Code and type mean the same thing; memorizing or knowing where to find the ICMP code types or any port number is very important. I sent a link a couple of months back which is inside the ASA config guide which serial all the port numbers, protocol numbers.

On Wednesday, June 20, 2012, Imre Oszkar wrote:

Hi Mike,

Why did you choose to look for code 0? Code 0 means a different thing for each ICMP type. I think for echo messages you should look for ICMP type 8. Now the interesting part is that if you try to match ICMP type 8 instead of code 8 your solution won't work.

Oszkar

Annnnnnnd Bingo, I was right, since it is encapsulated and not Encrypted, we can match whatever it is inside on the GRE packet... we are matching, not crafting.... Here is the example of dropping ICMP echo messages encapsulated on GRE...
Class Map type access-control match-all ICMP (id 2)
  Match field ICMP code eq 0 mask 0x1
Class Map type stack match-all STACK-GRE (id 1)
  Match field IP protocol eq 0x2F next ICMP
Policy Map type access-control STACK-GRE
  Class STACK-GRE
    service-policy ICMP-DROP-GRE
Policy Map type access-control ICMP-DROP-GRE
  Class ICMP
    drop

Router1#sh policy-map type access-control interface fa 0/1
FastEthernet0/1
  Service-policy access-control input: STACK-GRE
    Class-map: STACK-GRE (match-all)
      5 packets, 690 bytes
      5 minute offered rate 0 bps
      Match: field IP protocol eq 0x2F next ICMP
      Service-policy access-control : ICMP-DROP-GRE
        Class-map: ICMP (match-all)
          5 packets, 690 bytes
          5 minute offered rate 0 bps
          Match: field ICMP code eq 0 mask 0x1
          drop
        Class-map: class-default (match-any)
          0 packets, 0 bytes
          5 minute offered rate 0 bps, drop rate 0 bps
          Match: any
    Class-map: class-default (match-any)
      2 packets, 1236 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: any

--
FNK
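As an added illustration of the type-versus-code point in this thread (this is not code from the thread or from Cisco FPM): a small Python parser walks outer IPv4 / GRE / inner IPv4 / ICMP on constructed packets and compares a code-only match with a type-and-code match. The FPM rule "code eq 0 mask 0x1" is reduced here to a plain equality on the code field; the mask is not modelled, and the addresses and packets are constructed samples.

```python
import struct
# Constructed sample traffic (not from the thread): outer IPv4 / GRE / inner IPv4 / ICMP.
# Compares a rule that checks only the ICMP code with one that checks type and code.
ICMP_NAMES = {(8, 0): "echo request", (0, 0): "echo reply",
              (3, 0): "net unreachable", (3, 3): "port unreachable"}

def ipv4_header(proto, src, dst, payload_len):
    # Version 4, IHL 5 (no options), TTL 64; checksum left 0 because we only parse.
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len,
                       0, 0, 64, proto, 0, src, dst)

def gre_icmp_packet(icmp_type, icmp_code, gre_key=None):
    icmp = struct.pack("!BBHHH", icmp_type, icmp_code, 0, 0x1234, 1) + b"abcd"
    inner = ipv4_header(1, b"\x0a\x01\x01\x01", b"\x0a\x02\x02\x02", len(icmp)) + icmp
    # GRE: flags/version word (K bit 0x2000 if a key follows), protocol type 0x0800 = IPv4.
    gre = struct.pack("!HH", 0x2000 if gre_key is not None else 0, 0x0800)
    if gre_key is not None:
        gre += struct.pack("!I", gre_key)
    outer = ipv4_header(0x2F, b"\xc0\x00\x02\x01", b"\xc0\x00\x02\x02", len(gre) + len(inner))
    return outer + gre + inner

def inner_icmp_type_code(packet):
    """Walk outer IPv4 -> GRE -> inner IPv4 -> ICMP; return (type, code) or None."""
    if packet[9] != 0x2F:                      # outer protocol must be GRE (47)
        return None
    gre = packet[(packet[0] & 0x0F) * 4:]      # skip outer header using its IHL
    flags = gre[0]                             # C=0x80, K=0x20, S=0x10 each add 4 bytes
    gre_len = 4 + sum(4 for bit in (0x80, 0x20, 0x10) if flags & bit)
    if gre[2:4] != b"\x08\x00":                # GRE payload must be IPv4
        return None
    inner = gre[gre_len:]
    if inner[9] != 1:                          # inner protocol must be ICMP
        return None
    icmp = inner[(inner[0] & 0x0F) * 4:]
    return icmp[0], icmp[1]

def match_code_only(packet, code=0):
    """The thread's code-only rule, reduced to an equality on the code field."""
    tc = inner_icmp_type_code(packet)
    return tc is not None and tc[1] == code

def match_type_and_code(packet, icmp_type=8, code=0):
    """Type and code together identify the message (Type 8 Code 0 = echo request)."""
    return inner_icmp_type_code(packet) == (icmp_type, code)

def dropped_by(rule):
    """Names of the sample messages a rule would drop; shows the over-match."""
    return [name for tc, name in ICMP_NAMES.items() if rule(gre_icmp_packet(*tc))]
```

Running dropped_by on both rules shows the code-only rule also dropping echo reply and net unreachable, which is exactly the over-match Oszkar describes.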
