Solved

ACL on Cisco router to restrict incoming traffic to ping only

Posted on 2004-09-14
Last Modified: 2013-11-29
Hi Guys

I want to create an ACL to allow anything to leave my network via the ISDN interface of my Cisco router, but restrict incoming data to pings only. I don't want outgoing FTP sessions to be affected... does something magical need to happen for FTP?

I think this is something like...

access-list 151 permit ip any any

... then in my interface....

ip access-group 151 out

Not sure about the incoming ping bit!

Any information would be much appreciated.



Gareth
Question by:localgareth
7 Comments
 
LVL 15

Expert Comment

by:Cyber-Dude
ID: 12052921
no information-reply

Cyber
0
 

Author Comment

by:localgareth
ID: 12052934
Cyber-Dude, when I said "any information"... I was hoping for a bit more than that :-D

Gareth
0
 
LVL 15

Expert Comment

by:Cyber-Dude
ID: 12053014
Ah; I gave you the exact command;
Go to the following link -=[All info over there]=-

http://www.cisco.com/en/US/products/sw/iosswrel/ps1839/products_command_reference_chapter09186a008010a37a.html#wp1078414

Cyber
0
 

Author Comment

by:localgareth
ID: 12053038
Oh right... thanks.

So does this have precedence over ACLs? If incoming traffic is explicitly denied with an ACL, will "information-reply" overrule this?


Gareth
0
 
LVL 79

Accepted Solution

by:
lrmoore earned 2000 total points
ID: 12054236
You need to apply the acl "in" on the dialer interface

! matches TCP segments with ACK or RST set, i.e. replies to sessions opened from inside; fixes your FTP problem
access-list 151 permit tcp any any established
! permits DNS resolution (replies from source port 53)
access-list 151 permit udp any eq 53 any
! so you can ping from inside out
access-list 151 permit icmp any any echo-reply
! so anyone can ping you from the outside - bad idea
access-list 151 permit icmp any any echo
! so you can traceroute from inside (ttl-exceeded is accepted as an equivalent keyword)
access-list 151 permit icmp any any time-exceeded
! good to get these messages
access-list 151 permit icmp any any unreachable
! everything else is dropped by the implicit deny at the end of the list

interface Dialer 1
 ip access-group 151 in

0
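To see how the accepted answer's inbound ACL behaves on real traffic, here is an added example (not from the thread or from Cisco): a small Python model of IOS extended-ACL evaluation, first match wins with an implicit deny at the end, fed with constructed inbound packets. It shows why the `established` line lets reply traffic back in (it only checks for the ACK or RST bit, so a bare SYN from outside, including the data connection an active-mode FTP server opens from port 20, is still denied; passive-mode FTP is unaffected), why the `echo` line is the one that exposes the router to pings from outside, and what the implicit deny does to anything not listed. The `Packet` and `Ace` types, the `any`-only address handling and the sample packets are assumptions made for this example.

```python
"""Constructed model of Cisco IOS extended numbered ACL evaluation (first match
wins, implicit deny at the end) for the inbound dialer ACL discussed above."""
from dataclasses import dataclass
from typing import FrozenSet, List, Optional


@dataclass
class Packet:                                 # constructed packet model
    proto: str                                # 'tcp', 'udp' or 'icmp'
    src_port: Optional[int] = None
    dst_port: Optional[int] = None
    tcp_flags: FrozenSet[str] = frozenset()   # e.g. {'SYN'} or {'ACK'}
    icmp_type: Optional[str] = None           # 'echo', 'echo-reply', ...


@dataclass
class Ace:                                    # one access-list entry
    action: str                               # 'permit' or 'deny'
    proto: str                                # 'ip', 'tcp', 'udp' or 'icmp'
    src_port: Optional[int] = None            # 'eq <port>' after the source
    dst_port: Optional[int] = None            # 'eq <port>' after the destination
    established: bool = False                 # TCP only: ACK or RST must be set
    icmp_type: Optional[str] = None           # ICMP only: type keyword


def parse_ace(line: str) -> Ace:
    """Parse 'access-list <n> permit|deny <proto> any [eq p] any [eq p] [mod]'.
    Only the 'any' address form is handled, which is all the thread uses."""
    toks = line.split()
    if toks[0] != "access-list" or toks[2] not in ("permit", "deny"):
        raise ValueError(f"not an extended ACL entry: {line!r}")
    action, proto, rest = toks[2], toks[3], toks[4:]
    ports = []
    for _ in range(2):                        # source, then destination
        if rest.pop(0) != "any":
            raise ValueError("only 'any' addresses are modelled here")
        if rest and rest[0] == "eq":
            rest.pop(0)
            ports.append(int(rest.pop(0)))
        else:
            ports.append(None)
    established = proto == "tcp" and "established" in rest
    icmp_type = rest[0] if proto == "icmp" and rest else None
    return Ace(action, proto, ports[0], ports[1], established, icmp_type)


def ace_matches(ace: Ace, pkt: Packet) -> bool:
    if ace.proto != "ip" and ace.proto != pkt.proto:
        return False
    if ace.src_port is not None and pkt.src_port != ace.src_port:
        return False
    if ace.dst_port is not None and pkt.dst_port != ace.dst_port:
        return False
    # 'established' is not stateful: it only checks the ACK or RST bit, so a
    # bare SYN (a new inbound connection) never matches it.
    if ace.established and not (pkt.tcp_flags & {"ACK", "RST"}):
        return False
    if ace.icmp_type is not None and pkt.icmp_type != ace.icmp_type:
        return False
    return True


def evaluate(acl: List[Ace], pkt: Packet) -> str:
    """First matching entry decides; an IOS ACL ends with an implicit deny."""
    for ace in acl:
        if ace_matches(ace, pkt):
            return ace.action
    return "deny"


# The inbound ACL from the accepted answer, comments dropped; 'time-exceeded'
# is used for the traceroute line ('ttl-exceeded' names the same ICMP type 11).
ACL_LINES = [
    "access-list 151 permit tcp any any established",
    "access-list 151 permit udp any eq 53 any",
    "access-list 151 permit icmp any any echo-reply",
    "access-list 151 permit icmp any any echo",
    "access-list 151 permit icmp any any time-exceeded",
    "access-list 151 permit icmp any any unreachable",
]
ACL = [parse_ace(line) for line in ACL_LINES]
# The same ACL without the line the answer flags as a bad idea.
ACL_NO_ECHO = [a for a in ACL if a.icmp_type != "echo"]

# Constructed inbound packets as they would arrive on the dialer interface.
SAMPLES = {
    "web reply (ACK from port 80)": Packet("tcp", 80, 40001, frozenset({"ACK"})),
    "unsolicited SYN to port 22":   Packet("tcp", 51234, 22, frozenset({"SYN"})),
    "active-FTP data SYN from 20":  Packet("tcp", 20, 40002, frozenset({"SYN"})),
    "DNS reply from port 53":       Packet("udp", 53, 40003),
    "ping from outside (echo)":     Packet("icmp", icmp_type="echo"),
    "reply to our ping":            Packet("icmp", icmp_type="echo-reply"),
    "ICMP redirect":                Packet("icmp", icmp_type="redirect"),
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(f"{name:32s} -> {evaluate(ACL, pkt)}")
```

Running the script prints one verdict per sample packet; swapping `ACL` for `ACL_NO_ECHO` in the loop shows the outside ping flipping from permit to deny while every reply-type packet keeps its verdict. The model deliberately leaves out address matching and the stateful inspection features of later IOS releases, so it reflects only what a plain extended ACL with `established` can decide.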
 
LVL 79

Expert Comment

by:lrmoore
ID: 12280448
Are you still working on this? Can we be of any more assistance?
Can you close out this question?
0
 

Author Comment

by:localgareth
ID: 12285428
Sorry for taking so long to get back...

Gareth
0
