Introduction to Network Security

TCP intercept feature, the access list blocks packets from unreachable hosts; thus, it only allows reachable external hosts to initiate connections to a host on the protected network (e.g., 14.2.6.0). In intercept mode the router intercepts the TCP connection request and determines whether the requesting host is reachable. If it is, the router establishes the connection; otherwise, it prevents the connection. This protection does not stop reachable hosts from performing this attack against the router or the protected networks.

    Router(config)# ip tcp intercept list 100
    Router(config)# access-list 100 permit tcp any 14.2.6.0 0.0.0.255
    Router(config)# access-list 100 deny ip any any log
    Router(config)# interface e0/0
    Router(config-if)# description "external interface"
    Router(config-if)# ip access-group 100 in

The following commands show how to allow outbound from the protected network (e.g., 14.2.6.0) only the following ICMP message types: Echo, Parameter Problem and Source Quench.

    Router(config)# access-list 102 permit icmp 14.2.6.0 0.0.0.255 any echo
    Router(config)# access-list 102 permit icmp 14.2.6.0 0.0.0.255 any parameter-problem
    Router(config)# access-list 102 permit icmp 14.2.6.0 0.0.0.255 any source-quench
    Router(config)# access-list 102 deny icmp any any log

The following commands show how to allow inbound to the protected network (e.g.,
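To make the access-list semantics behind these commands concrete (first match wins, wildcard masks such as 0.0.0.255, and the unlogged implicit deny that follows every Cisco ACL), here is an added Python evaluator that is not part of the book; it models access lists 100 and 102 from the text and assumes contiguous wildcard masks and a small subset of the IOS ICMP type keywords.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# IOS ICMP type keywords used by the book's ACL (subset; numeric types per RFC 792)
ICMP_TYPES = {"echo": 8, "echo-reply": 0, "parameter-problem": 12,
              "source-quench": 4, "redirect": 5, "unreachable": 3}

@dataclass
class Rule:
    action: str                  # "permit" or "deny"
    proto: str                   # "ip" matches every protocol
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    icmp_type: Optional[int]     # None = any ICMP type (or a non-ICMP rule)
    log: bool

def _net(tokens):
    """Parse 'any' or 'addr wildcard' (assumes a contiguous wildcard mask)."""
    if tokens[0] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), tokens[1:]
    # A Cisco wildcard mask is the bitwise inverse of a subnet mask: 0.0.0.255 -> /24
    mask = ~int(ipaddress.IPv4Address(tokens[1])) & 0xFFFFFFFF
    net = ipaddress.IPv4Network((tokens[0], str(ipaddress.IPv4Address(mask))), strict=False)
    return net, tokens[2:]

def parse_rule(line):
    """Parse 'access-list N permit|deny proto src dst [icmp-type] [log]'."""
    t = line.split()
    action, proto = t[2], t[3]
    src, rest = _net(t[4:])
    dst, rest = _net(rest)
    icmp_type = ICMP_TYPES[rest[0]] if proto == "icmp" and rest and rest[0] != "log" else None
    return Rule(action, proto, src, dst, icmp_type, "log" in rest)

def evaluate(acl, proto, src, dst, icmp_type=None):
    """First matching rule wins; a packet matching no rule hits the implicit (unlogged) deny."""
    s, d = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    for r in acl:
        if r.proto not in (proto, "ip") or s not in r.src or d not in r.dst:
            continue
        if r.icmp_type is not None and r.icmp_type != icmp_type:
            continue
        return r.action, r.log
    return "deny", False

# The two access lists from the text, constructed here from the book's commands
ACL_100 = [parse_rule(l) for l in (
    "access-list 100 permit tcp any 14.2.6.0 0.0.0.255",
    "access-list 100 deny ip any any log")]
ACL_102 = [parse_rule(l) for l in (
    "access-list 102 permit icmp 14.2.6.0 0.0.0.255 any echo",
    "access-list 102 permit icmp 14.2.6.0 0.0.0.255 any parameter-problem",
    "access-list 102 permit icmp 14.2.6.0 0.0.0.255 any source-quench",
    "access-list 102 deny icmp any any log")]
```

Note that a TCP packet evaluated against access list 102 on its own is dropped by the implicit deny without a log entry, because the explicit `deny ... log` line only covers ICMP.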