ICMP Traffic with 8 IP Addresses

Hello, not a major issue but one that is bugging me. I have an 8-IP-address block with Zen and have always wondered what ICMP traffic should be allowed in and out, using a Cisco 877 router and a Multi-NAT config. So far, searching around the posts, I've found this post by FordPrefect:

I am guessing that you are using NAT on the firewall?

In that case allow all ICMP except echo (but allow echo-reply), timestamp and redirect (unlikely in your case that you would use them) to your firewall.

Outgoing from your network, then allow ICMP out for everything except redirect and time exceeded. Timestamps should be allowed when sourced from your network, but anything requested from outside should be blocked.

I'm only allowing ICMP on the router address at the moment; should it be allowed on the full 8-IP range (maybe not the broadcast address?)
 
Do you use any of the public IPs, apart from the router's? If not, no need to change. Personally I open up my netblock to allow the below ICMP types incoming.

remark ALLOW ICMP
permit icmp any 8x.69.y.a 0.0.0.7 net-unreachable
permit icmp any 8x.69.y.a 0.0.0.7 host-unreachable
permit icmp any 8x.69.y.a 0.0.0.7 port-unreachable
permit icmp any 8x.69.y.a 0.0.0.7 administratively-prohibited
permit icmp any 8x.69.y.a 0.0.0.7 echo-reply
permit icmp any 8x.69.y.a 0.0.0.7 echo
permit icmp any 8x.69.y.a 0.0.0.7 packet-too-big
permit icmp any 8x.69.y.a 0.0.0.7 ttl-exceeded
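Added example, not code posted by anyone in this thread: the inbound allow-list from the ACL above and the outbound rule from FordPrefect's quoted post, modelled in Python. It maps the IOS ICMP keywords to their type/code numbers (so you can see that `packet-too-big` is type 3 code 4 and `ttl-exceeded` is type 11 code 0 only), implements the IOS wildcard-mask match, lets you ask whether a given ICMP packet would pass in either direction, and regenerates the ACL lines for any prefix. The block 198.51.100.8/29 is a constructed documentation range standing in for the poster's real "8x.69.y.a 0.0.0.7"; the sample packets at the bottom are constructed too.

```python
"""ICMP filtering for a NAT'd /29 behind a Cisco router, modelled in Python.

Added example, not code from the thread. Inbound follows the ACL quoted above;
outbound follows the rule in FordPrefect's post (allow everything except
redirect and time-exceeded). 198.51.100.8/29 is a constructed documentation
block standing in for the poster's real "8x.69.y.a 0.0.0.7" range.
"""
import ipaddress

# IOS 'permit icmp ... <keyword>' names -> (ICMP type, code); None = any code.
IOS_ICMP = {
    "echo-reply": (0, None),
    "net-unreachable": (3, 0),
    "host-unreachable": (3, 1),
    "protocol-unreachable": (3, 2),
    "port-unreachable": (3, 3),
    "packet-too-big": (3, 4),           # "fragmentation needed": keeps PMTUD working
    "administratively-prohibited": (3, 13),
    "redirect": (5, None),              # never accept from the Internet
    "echo": (8, None),
    "time-exceeded": (11, None),        # every code of type 11
    "ttl-exceeded": (11, 0),            # code 0 only, what traceroute relies on
    "timestamp-request": (13, None),
    "timestamp-reply": (14, None),
}

# Inbound allow-list: exactly the keywords in the ACL above, nothing else.
INBOUND_PERMIT = [
    "net-unreachable", "host-unreachable", "port-unreachable",
    "administratively-prohibited", "echo-reply", "echo",
    "packet-too-big", "ttl-exceeded",
]
# Outbound: everything except these two (FordPrefect's advice).
OUTBOUND_DENY = ["redirect", "time-exceeded"]

BLOCK = ipaddress.ip_network("198.51.100.8/29")  # constructed stand-in block


def wildcard(net):
    """IOS wildcard (inverse) mask for a prefix: /29 -> '0.0.0.7'."""
    return str(net.hostmask)


def matches_wildcard(addr, base, wc):
    """IOS ACL address match: any bit set in the wildcard mask is ignored."""
    a = int(ipaddress.IPv4Address(str(addr)))
    b = int(ipaddress.IPv4Address(str(base)))
    w = int(ipaddress.IPv4Address(str(wc)))
    return ((a & ~w) & 0xFFFFFFFF) == ((b & ~w) & 0xFFFFFFFF)


def _keyword_matches(kw, icmp_type, code):
    t, c = IOS_ICMP[kw]
    return t == icmp_type and (c is None or c == code)


def inbound_allowed(dst, icmp_type, code=0):
    """Would the inbound ACL pass this ICMP packet to an address in our block?"""
    if not matches_wildcard(dst, BLOCK.network_address, wildcard(BLOCK)):
        return False  # not addressed to our block; these lines do not match
    return any(_keyword_matches(kw, icmp_type, code) for kw in INBOUND_PERMIT)


def outbound_allowed(icmp_type, code=0):
    """Would the outbound rule let this ICMP packet leave our network?"""
    return not any(_keyword_matches(kw, icmp_type, code) for kw in OUTBOUND_DENY)


def render_inbound_acl(net):
    """Regenerate the IOS inbound lines from the same table, for any prefix."""
    base, wc = str(net.network_address), wildcard(net)
    lines = ["remark ALLOW ICMP"]
    lines += [f"permit icmp any {base} {wc} {kw}" for kw in INBOUND_PERMIT]
    lines.append(f"deny icmp any {base} {wc} log")  # makes the implicit deny visible
    return lines


def render_outbound_acl(net):
    """Outbound lines: source is the public block, since NAT runs before this ACL."""
    base, wc = str(net.network_address), wildcard(net)
    lines = ["remark ICMP OUT"]
    lines += [f"deny icmp {base} {wc} any {kw}" for kw in OUTBOUND_DENY]
    lines.append(f"permit icmp {base} {wc} any")
    return lines


if __name__ == "__main__":
    for line in render_inbound_acl(BLOCK) + render_outbound_acl(BLOCK):
        print(line)
    # Constructed inbound packets: (description, destination, type, code)
    samples = [
        ("echo-reply to a NAT address", "198.51.100.9", 0, 0),
        ("frag-needed (PMTUD)", "198.51.100.9", 3, 4),
        ("redirect", "198.51.100.9", 5, 1),
        ("timestamp request", "198.51.100.9", 13, 0),
        ("reassembly timeout (11/1)", "198.51.100.9", 11, 1),
        ("echo to the neighbouring /29", "198.51.100.16", 8, 0),
    ]
    for desc, dst, t, c in samples:
        verdict = "permit" if inbound_allowed(dst, t, c) else "deny"
        print(f"{desc:30} -> {verdict}")
```

Two things the model makes visible. The wildcard 0.0.0.7 matches all eight addresses of the block, network and broadcast included, so address-wise the ACL already covers the whole range rather than only the router's address. And because the ACL is stateless, an `echo-reply` or `port-unreachable` from anywhere on the Internet is accepted whether or not a matching packet ever left the network; a stateful inspection feature on the router would tighten that, the ACL alone cannot.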
 
I do use the public IPs, but I bind them to private IP addresses (192.168.1.10 > 217.155.xxx.xxx),

so no machines have public IP addresses assigned to them as such.
 