ACL on Cisco router to restrict incoming traffic to ping only

Hi Guys

I want to create an ACL to allow anything to leave my network via the ISDN interface of my Cisco router, but restrict incoming data to pings only. I don't want outgoing FTP sessions to be affected... does something magical need to happen for FTP?

I think this is something like...

access-list 151 allow ip any any

... then in my interface....

ip access-group 151 out

Not sure about the incoming ping bit!

Any information would be much appreciated.



Gareth
0
 
Cyber-DudeCommented:
no information-reply

Cyber
0
 
localgarethAuthor Commented:
Cyber-Dude, when I said "any information"... I was hoping for a bit more than that :-D

Gareth
0
 
Cyber-DudeCommented:
Ah; I gave you the exact command;
Go to the following link -=[All info over there]=-

http://www.cisco.com/en/US/products/sw/iosswrel/ps1839/products_command_reference_chapter09186a008010a37a.html#wp1078414

Cyber
0
 
localgarethAuthor Commented:
Oh right... thanks.

So does this have precedence over ACLs? If incoming traffic is explicitly denied with an ACL, will "information-reply" overrule this?


Gareth
0
 
lrmooreCommented:
You need to apply the acl "in" on the dialer interface

access-list 151 permit tcp any any established  <== fixes your FTP problem
access-list 151 permit udp any eq 53 any  <== permits DNS resolution
access-list 151 permit icmp any any echo-reply  <== so you can ping from inside out
access-list 151 permit icmp any any echo <== so anyone can ping you from the outside - bad idea
access-list 151 permit icmp any any time-exceeded (or ttl-exceeded) <== so you can traceroute from inside
access-list 151 permit icmp any any unreachable  <== good to get these messages

interface Dialer 1
  ip access-group 151 in

0
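
Added example, not part of lrmoore's post: a small Python model of how IOS walks access-list 151 top-down and falls through to the implicit deny, run against constructed inbound packets. The packet dicts and function names are assumptions made for illustration, and only the fields these six entries test are modelled.

```python
# Added illustration: first-match evaluation of the ACL 151 entries posted above.
# Matching is stateless: only protocol, TCP flags, source port and ICMP type are tested.
ACL_151 = [
    {"proto": "tcp", "established": True},       # permit tcp any any established
    {"proto": "udp", "src_port": 53},            # permit udp any eq 53 any
    {"proto": "icmp", "icmp": "echo-reply"},     # permit icmp any any echo-reply
    {"proto": "icmp", "icmp": "echo"},           # permit icmp any any echo
    {"proto": "icmp", "icmp": "time-exceeded"},  # permit icmp any any time-exceeded
    {"proto": "icmp", "icmp": "unreachable"},    # permit icmp any any unreachable
]

def rule_matches(rule, pkt):
    if rule["proto"] != pkt["proto"]:
        return False
    if rule.get("established"):
        # IOS "established" matches TCP segments that carry ACK or RST
        return bool({"ACK", "RST"} & set(pkt.get("flags", ())))
    if "src_port" in rule:
        return pkt.get("src_port") == rule["src_port"]
    if "icmp" in rule:
        return pkt.get("icmp") == rule["icmp"]
    return True

def evaluate(acl, pkt):
    """Return (action, entry number); every IOS ACL ends with an implicit deny."""
    for number, rule in enumerate(acl, start=1):
        if rule_matches(rule, pkt):
            return ("permit", number)
    return ("deny", None)

# Constructed inbound packets as seen on the dialer interface
SAMPLES = {
    "outside host pings us": {"proto": "icmp", "icmp": "echo"},
    "reply to our ping": {"proto": "icmp", "icmp": "echo-reply"},
    "reply on FTP control": {"proto": "tcp", "src_port": 21, "flags": ["ACK"]},
    "new inbound TCP to 23": {"proto": "tcp", "dst_port": 23, "flags": ["SYN"]},
    "DNS answer": {"proto": "udp", "src_port": 53},
    "active-mode FTP data": {"proto": "tcp", "src_port": 20, "flags": ["SYN"]},
    "inbound UDP, not DNS": {"proto": "udp", "src_port": 40000, "dst_port": 161},
}

def run():
    return {name: evaluate(ACL_151, pkt) for name, pkt in SAMPLES.items()}

if __name__ == "__main__":
    for name, (action, number) in run().items():
        print(f"{name:24} {action:6} entry={number}")
```

The active-mode FTP data connection is opened by the server with a bare SYN, so the established entry does not match it and it reaches the implicit deny; passive-mode transfers, which the inside client opens, pass as replies.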
 
lrmooreCommented:
Are you still working on this? Can we be of any more assistance?
Can you close out this question?
0
 
localgarethAuthor Commented:
Sorry for taking so long to get back...

Gareth
0