Solved

ACL on Cisco router to restrict incoming traffic to ping only

Posted on 2004-09-14
Last Modified: 2013-11-29
Hi Guys

I want to create an ACL to allow anything to leave my network via the ISDN interface of my Cisco router, but restrict incoming data to pings only. I don't want outgoing FTP sessions to be affected... does something magical need to happen for FTP?

I think this is something like...

access-list 151 permit ip any any

... then in my interface....

ip access-group 151 out

Not sure about the incoming ping bit!

Any information would be much appreciated.



Gareth
Question by:localgareth
7 Comments
 
LVL 15

Expert Comment

by:Cyber-Dude
ID: 12052921
no information-reply

Cyber
 

Author Comment

by:localgareth
ID: 12052934
Cyber-Dude, when I said "any information"... I was hoping for a bit more than that :-D

Gareth
 
LVL 15

Expert Comment

by:Cyber-Dude
ID: 12053014
Ah; I gave you the exact command;
Go to the following link -=[All info over there]=-

http://www.cisco.com/en/US/products/sw/iosswrel/ps1839/products_command_reference_chapter09186a008010a37a.html#wp1078414

Cyber
 

Author Comment

by:localgareth
ID: 12053038
Oh right... thanks.

So does this have precedence over ACLs? If incoming traffic is explicitly denied with an ACL, will "information-reply" overrule this?


Gareth
 
LVL 79

Accepted Solution

by:lrmoore (earned 500 total points)
ID: 12054236
You need to apply the acl "in" on the dialer interface

access-list 151 permit tcp any any established  <== fixes your FTP problem
access-list 151 permit udp any eq 53 any  <== permits DNS resolution
access-list 151 permit icmp any any echo-reply  <== so you can ping from inside out
access-list 151 permit icmp any any echo  <== so anyone can ping you from the outside - bad idea
access-list 151 permit icmp any any time-exceeded  <== so you can traceroute from inside (ttl-exceeded is the specific subtype)
access-list 151 permit icmp any any unreachable  <== good to get these messages

interface Dialer 1
  ip access-group 151 in

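To see what the accepted answer's inbound list actually lets through, here is an added example (not code from the thread or from Cisco) that simulates IOS extended-ACL evaluation: entries are tried top to bottom, the first match decides, and an implicit deny follows the last entry. The `established` keyword matches TCP segments carrying the ACK or RST bit, which is why replies to sessions opened from inside get in while a fresh inbound SYN does not. The simulator only implements the `any` address form the posted list uses, and the packets are constructed samples; names such as `Packet`, `Ace`, `evaluate` and `verdicts` are this example's own.

```python
"""
Simulate Cisco IOS extended-ACL semantics for the inbound list in the accepted
answer. Added example, not Cisco code. Simplifications (assumptions): only the
'any' source/destination form is parsed, and packets are constructed samples.
"""
from dataclasses import dataclass
from typing import Optional

# The access-list as posted in the accepted answer, annotations removed.
ACL_151 = """
access-list 151 permit tcp any any established
access-list 151 permit udp any eq 53 any
access-list 151 permit icmp any any echo-reply
access-list 151 permit icmp any any echo
access-list 151 permit icmp any any time-exceeded
access-list 151 permit icmp any any unreachable
"""


@dataclass
class Packet:
    """An inbound packet on the dialer interface (direction: Internet -> LAN)."""
    proto: str                              # "tcp", "udp" or "icmp"
    sport: int = 0
    dport: int = 0
    tcp_flags: frozenset = frozenset()      # e.g. {"SYN"} or {"SYN", "ACK"}
    icmp_type: Optional[str] = None         # "echo", "echo-reply", ...


@dataclass
class Ace:
    """One access-control entry of an extended ACL."""
    action: str
    proto: str
    sport: Optional[int]
    dport: Optional[int]
    established: bool
    icmp_type: Optional[str]

    def matches(self, p: Packet) -> bool:
        if self.proto != "ip" and self.proto != p.proto:
            return False
        if self.sport is not None and p.sport != self.sport:
            return False
        if self.dport is not None and p.dport != self.dport:
            return False
        # 'established' matches only segments with ACK or RST set,
        # so never the first SYN of a connection opened from outside.
        if self.established and not (p.tcp_flags & {"ACK", "RST"}):
            return False
        if self.icmp_type is not None and p.icmp_type != self.icmp_type:
            return False
        return True


def parse_ace(line: str) -> Ace:
    """Parse 'access-list N permit|deny PROTO any [eq P] any [eq P] [established|ICMP-TYPE]'."""
    tok = line.split()
    if tok[0] != "access-list":
        raise ValueError(f"not an access-list line: {line!r}")
    action, proto = tok[2], tok[3]

    def addr_port(i: int):
        # Assumption for this example: only the 'any' address form is supported.
        if tok[i] != "any":
            raise ValueError(f"unsupported address form {tok[i]!r}")
        i += 1
        port = None
        if i < len(tok) and tok[i] == "eq":
            port, i = int(tok[i + 1]), i + 2
        return port, i

    sport, i = addr_port(4)
    dport, i = addr_port(i)
    rest = tok[i:]
    established = proto == "tcp" and "established" in rest
    icmp_type = rest[0] if proto == "icmp" and rest else None
    return Ace(action, proto, sport, dport, established, icmp_type)


def evaluate(acl_text: str, p: Packet) -> str:
    """First matching entry wins; an implicit deny ends every IOS ACL."""
    for line in acl_text.strip().splitlines():
        if parse_ace(line).matches(p):
            return parse_ace(line).action
    return "deny"


# Constructed sample packets, all inbound on Dialer 1.
SAMPLES = {
    "http reply to an inside client": Packet("tcp", 80, 40000, frozenset({"SYN", "ACK"})),
    "inbound ssh connection attempt": Packet("tcp", 51000, 22, frozenset({"SYN"})),
    "passive-ftp data reply": Packet("tcp", 50010, 40001, frozenset({"SYN", "ACK"})),
    "active-ftp data connection from port 20": Packet("tcp", 20, 40002, frozenset({"SYN"})),
    "dns reply": Packet("udp", 53, 33000),
    "udp probe sourced from port 53 to snmp": Packet("udp", 53, 161),
    "ping from the outside": Packet("icmp", icmp_type="echo"),
    "reply to an inside ping": Packet("icmp", icmp_type="echo-reply"),
    "traceroute hop answer": Packet("icmp", icmp_type="time-exceeded"),
    "icmp redirect": Packet("icmp", icmp_type="redirect"),
}


def verdicts() -> dict:
    """Verdict per sample packet."""
    return {name: evaluate(ACL_151, p) for name, p in SAMPLES.items()}


if __name__ == "__main__":
    for name, v in verdicts().items():
        print(f"{v:6}  {name}")
```

Two of the sample verdicts are the caveats a practitioner should take from this list. The active-mode FTP data connection is denied: in active mode the server opens the data connection itself from port 20 with a plain SYN, which `established` never matches, so the answer's "FTP fix" only covers passive-mode transfers (on IOS a stateful mechanism such as CBAC or reflexive ACLs is the usual answer for active mode). And `permit udp any eq 53 any` permits any UDP datagram whose source port is 53, whatever its destination port, so an outside host that sources its traffic from port 53 reaches any inside UDP service; restricting the entry to replies from your resolver's address narrows that considerably.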
 
LVL 79

Expert Comment

by:lrmoore
ID: 12280448
Are you still working on this? Can we be of any more assistance?
Can you close out this question?
 

Author Comment

by:localgareth
ID: 12285428
Sorry for taking so long to get back...

Gareth