ACL Questions

Hey Everybody,

I have two questions concerning Access-Lists. My first question is, if you don't create any access-lists at all, are all hosts able to communicate with all hosts by default?

Also, I know how to deny telnet with an extended ACL, but not to deny a ping. Would I use port 7:echo to deny, or how would that work?

Thanks.

Find more posts tagged with

Save $250 on 2025 certification boot camps from Infosec!

Book now with code EOY2025

Button

Comments

mikej412

gravyjoe wrote:

My first question is, if you don't create any access-lists at all, are all hosts able to communicate with all hosts by default?

Yes, as long as you have connectivity, name resolution, and routing protocols to let you find stuff....

gravyjoe wrote:

Also, I know how to deny telnet with an extended ACL, but not to deny a ping. Would I use port 7:echo to deny, or how would that work?

echo just echos back packets.... different from ping (ICMP packets)

ICMP is protocol 1 (I think, in the IPv4 header).... so you can
access-list 177 deny ICMP ...... etc

but I think you can also break it down into the different ICMP types....
access-list 177 deny ICMP ....... echo-reply
and/or
access-list 177 deny ICMP ....... echo

It's Friday of a long/late night week -- Guinness, Guinness, Guinness, and eventually pizza -- so your homework is to research and confirm/deny what I just typed....

<but I fixed the obvious Guinness induced typos>

gravyjoe

Thanks Mike.