Controlling ICMP traffic in extended ACLs
Where it is necessary to permit some types of ICMP traffic and deny other types, instead of simply permitting or denying all types of ICMP traffic use this option. An ACE designed to permit or deny ICMP traffic can optionally include an ICMP type and code value to permit or deny an individual type of ICMP packet while not addressing other ICMP traffic types in the same ACE. As an optional alternative, the ACE can include the name of an ICMP packet type.
Syntax
{<deny | permit>} icmp <SA> <DA> [icmp-type [icmp-code]]
{<deny | permit> tcp} icmp <SA> <DA> [icmp-type-name]
In an extended ACL using
icmp
as the packet protocol type (see above), you can optionally specify an individual ICMP packet type or packet type/code pair to further define the criteria for a match. This option, if used, is entered immediately after the destination address
(DA)
entry. The following example shows two ACEs entered in a Named ACL context:
Example
#permit icmp any any host-unknown
#permit icmp any any 3 7
Syntax option
[icmp-type [icmp-code]]
icmp–type -
This value is in the range of 0 - 255 and corresponds to an ICMP packet type.
icmp–code -
This value is in the range of 0 - 255 and corresponds to an ICMP code for an ICMP packet type.
[icmp–type–name]
For more information on ICMP type names, visit the Internet Assigned Numbers Authority (IANA) website at
www.iana.com.
Select "Protocol Number Assignment Services", and then go to the selections under "Internet Control Message Protocol (ICMP) Parameters".
Syntax option
[icmp-type [icmp-code]]
These name options are an alternative to the methodology described above. For more information, visit the IANA website cited above.
administratively-prohibitednet-tos-unreachable
alternate-addressnet-unreachable
conversion-errornetwork-unknown
dod-host-prohibitedno-room-for-option
dod-net-prohibitedoption-missing
echopacket-too-big
echo-replyparameter-problem
general-parameter-problemport-unreachable
host-isolatedprecedence-unreachable
host-precedence-unreachableprotocol-unreachable
host-redirectreassembly-timeout
host-tos-redirectredirect
host-tos-unreachablerouter-advertisement
host-unknownrouter-solicitation
host-unreachablesource-quench
information-replysource-route-failed
information-requesttime-exceeded
mask-replytimestamp-reply
mask-requesttimestamp-request
mobile-redirecttraceroute
net-redirectttl-exceeded
net-tos-redirectunreachable