ACL on Cisco router to restrict incoming traffic to ping only

Posted on 2004-09-14
Last Modified: 2013-11-29
Hi Guys

I want to create an ACL to allow anything to leave my network via the ISDN interface of my Cisco router, but restrict incoming data to pings only. I don't want outgoing FTP sessions to be affected... does something magical need to happen for FTP?

I think this is something like...

access-list 151 permit ip any any

... then in my interface....

ip access-group 151 out

Not sure about the incoming ping bit!

Any information would be much appreciated.

Gareth

Question by:localgareth

7 Comments

Expert Comment

by:Cyber-Dude
ID: 12052921
no information-reply

Cyber

Author Comment

by:localgareth
ID: 12052934
Cyber-Dude, when I said "any information"... I was hoping for a bit more than that :-D

Gareth

Expert Comment

by:Cyber-Dude
ID: 12053014
Ah; I gave you the exact command;
Go to the following link -=[All info over there]=-

http://www.cisco.com/en/US/products/sw/iosswrel/ps1839/products_command_reference_chapter09186a008010a37a.html#wp1078414

Cyber

Author Comment

by:localgareth
ID: 12053038
Oh right... thanks.

So does this have precedence over ACLs? If incoming traffic is explicitly denied with an ACL, will "information-reply" over rule this?


Gareth

Accepted Solution

by:lrmoore (earned 500 total points)
ID: 12054236
You need to apply the acl "in" on the dialer interface

access-list 151 permit tcp any any established  <== fixes your FTP problem
access-list 151 permit udp any eq 53 any  <== permits DNS resolution
access-list 151 permit icmp any any echo-reply  <== so you can ping from inside out
access-list 151 permit icmp any any echo <== so anyone can ping you from the outside - bad idea
access-list 151 permit icmp any any time-exceeded (or ttl-exceeded) <== so you can traceroute from inside
access-list 151 permit icmp any any unreachable  <== good to get these messages

interface Dialer 1
  ip access-group 151 in

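To see why the accepted answer's inbound ACL lets outbound FTP work and still blocks unsolicited connections, the following added example (not code from the thread or from Cisco) runs constructed inbound packets through ACL 151 with IOS first-match semantics and the implicit "deny ip any any" at the end of every IOS ACL. It parses only the syntax the answer uses: tcp/udp/icmp/ip, "any" endpoints, a source "eq PORT", "established", and one ICMP type keyword; host addresses and wildcard masks are assumed absent. The packet names, ports and flag sets are made up for the demonstration.

```python
"""Added example (not from the thread): first-match evaluation of ACL 151.

Models the subset of Cisco IOS numbered-ACL syntax the accepted answer uses
(tcp/udp/icmp/ip, 'any' endpoints, a source 'eq PORT', 'established', one
ICMP type keyword) plus the implicit 'deny ip any any' that ends every IOS
ACL. Host/wildcard endpoints are not supported; all packets are constructed.
"""
from dataclasses import dataclass

# The inbound ACL from the accepted answer (the '(or ttl-exceeded)' aside
# dropped so that each line is valid IOS syntax).
ACL_151 = """
access-list 151 permit tcp any any established
access-list 151 permit udp any eq 53 any
access-list 151 permit icmp any any echo-reply
access-list 151 permit icmp any any echo
access-list 151 permit icmp any any time-exceeded
access-list 151 permit icmp any any unreachable
"""


@dataclass(frozen=True)
class Packet:
    proto: str                        # "tcp", "udp" or "icmp"
    sport: int = 0                    # tcp/udp source port
    dport: int = 0                    # tcp/udp destination port
    flags: frozenset = frozenset()    # tcp flags present, e.g. {"SYN"} or {"ACK"}
    icmp_type: str = ""               # icmp type keyword, e.g. "echo-reply"


def parse_acl(text):
    """Parse 'access-list N permit|deny PROTO any [eq P] any [eq P] [opts]' lines."""
    rules = []
    for line in text.strip().splitlines():
        tok = line.split()
        if len(tok) < 6 or tok[0] != "access-list":
            continue
        action, proto, rest = tok[2], tok[3], tok[4:]
        rule = {"action": action, "proto": proto, "sport": None, "dport": None,
                "established": False, "icmp_type": None}
        rest.pop(0)                       # source 'any' (assumption: only 'any')
        if rest and rest[0] == "eq":      # source port, e.g. 'eq 53'
            rule["sport"], rest = int(rest[1]), rest[2:]
        rest.pop(0)                       # destination 'any'
        if rest and rest[0] == "eq":      # destination port
            rule["dport"], rest = int(rest[1]), rest[2:]
        for opt in rest:                  # trailing options
            if opt == "established":
                rule["established"] = True
            elif proto == "icmp":
                rule["icmp_type"] = opt
        rules.append(rule)
    return rules


def matches(rule, pkt):
    """True if the packet satisfies every condition of one access-list entry."""
    if rule["proto"] not in ("ip", pkt.proto):
        return False
    if rule["sport"] is not None and pkt.sport != rule["sport"]:
        return False
    if rule["dport"] is not None and pkt.dport != rule["dport"]:
        return False
    # 'established' is not stateful: it only checks that ACK or RST is set,
    # which holds for replies to sessions opened from inside and fails for
    # a fresh SYN arriving from outside.
    if rule["established"] and not (pkt.flags & {"ACK", "RST"}):
        return False
    if rule["icmp_type"] is not None and pkt.icmp_type != rule["icmp_type"]:
        return False
    return True


def evaluate(rules, pkt):
    """First matching entry wins; no match falls through to the implicit deny."""
    for rule in rules:
        if matches(rule, pkt):
            return rule["action"]
    return "deny"


def demo():
    """Run constructed inbound packets through ACL 151 and return the verdicts."""
    rules = parse_acl(ACL_151)
    ack, syn = frozenset({"ACK"}), frozenset({"SYN"})
    cases = {
        # reply segment on an outbound FTP control session: ACK set -> permit
        "ftp-control-reply": Packet("tcp", sport=21, dport=40001, flags=ack),
        # active-mode FTP data: the server opens a NEW connection from port 20,
        # so the first segment is a bare SYN -> deny (use passive mode instead)
        "ftp-active-data-syn": Packet("tcp", sport=20, dport=40002, flags=syn),
        # passive-mode FTP data: the client opened it, SYN-ACK comes back -> permit
        "ftp-passive-data-synack": Packet("tcp", sport=50123, dport=40003, flags=syn | ack),
        "dns-reply": Packet("udp", sport=53, dport=40004),
        "inbound-ssh-syn": Packet("tcp", sport=50000, dport=22, flags=syn),
        "ping-from-outside": Packet("icmp", icmp_type="echo"),
        "traceroute-hop": Packet("icmp", icmp_type="time-exceeded"),
        "icmp-redirect": Packet("icmp", icmp_type="redirect"),
    }
    return {name: evaluate(rules, pkt) for name, pkt in cases.items()}


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:26s} {verdict}")
```

Two practical points fall out of the run. First, the "magic" for FTP is only half-solved by "established": passive-mode transfers pass because the client opens the data connection, but active-mode transfers fail because the server opens a new connection from port 20 and its initial SYN has no ACK bit. Second, "established" only looks at the ACK/RST bits and keeps no session table, so any inbound segment with ACK set is permitted whether or not a matching session exists; it is a convenience, not a stateful firewall.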

Expert Comment

by:lrmoore
ID: 12280448
Are you still working on this? Can we be of any more assistance?
Can you close out this question?

Author Comment

by:localgareth
ID: 12285428
Sorry for taking so long to get back...

Gareth