Solved

how to block icmp and traceroute requests on cisco 2600 router

Posted on 2004-10-06
5
12,627 Views
Last Modified: 2011-02-12
Hi all,

Can someone help me with blocking all ping and traceroute requests that are sent to our external router from the internet?

Here is my current configuration...

Building configuration...


!
!
!
!
ip subnet-zero
no ip finger
ip domain-name ALTER.NET
ip name-server 198.6.1.5
!
!
!
!
interface FastEthernet0/0
 description To Office FastEthernet
 ip address 208.196.79.1 255.255.255.0
 ip nat outside
 no ip route-cache
 no ip mroute-cache
 duplex auto
 speed auto
!
interface Serial0/0
 description To UUNET (wcomw0g73828)
 bandwidth 1536
 no ip address
 ip nat inside
 encapsulation frame-relay IETF
 no ip route-cache
 no ip mroute-cache
 no fair-queue
 frame-relay lmi-type ansi
!
interface Serial0/0.1 point-to-point
 bandwidth 1536
 ip unnumbered FastEthernet0/0
 no ip unreachables
 no ip route-cache
 no ip mroute-cache
 frame-relay interface-dlci 500 IETF
!
ip nat inside source list 10 interface FastEthernet0/0 overload
ip classless
ip route 0.0.0.0 0.0.0.0 Serial0/0.1
no ip http server
!
access-list 10 permit 192.168.0.0 0.0.255.255
snmp-server community 0473e54cf9 RO
snmp-server enable traps snmp
!
line con 0
 password 1bb8be0cd3
 login
 transport preferred none
 transport input none
line aux 0
 password 1bb8be0cd3
 login
 modem InOut
 transport preferred none
 transport input all
 transport output pad v120 telnet rlogin udptn
 stopbits 1
 flowcontrol hardware
line vty 0 4
 password
 login
 transport preferred none
!
no scheduler allocate
end

Cisco-gw#


thanks,

0
Comment
Question by:holdebalance
5 Comments
 
LVL 79

Expert Comment

by:lrmoore
ID: 12240528
Easy enough...

access-list 101 deny icmp any any echo
access-list 101 permit ip any any

interface serial 0/0.1
  ip access-group 101 in

Then try pinging it from the outside, and use result of "show access-list 101" and see the hitcount..

This configuration permits the returning echo-reply if you try to ping something else...


 
0
 
LVL 28

Expert Comment

by:mikebernhardt
ID: 12241667
That doesn't stop the traceroute though. Add this line in between the other 2:
access-list 101 deny udp any any gt 32768
0
 

Author Comment

by:holdebalance
ID: 12258090
Great thanks for the help.......one more thing how would i block telnet to my router from the outside world....

would i add a line like this?

access-list 101 deny telnet any any echo


thanks!!!
0
 
LVL 79

Accepted Solution

by:
lrmoore earned 125 total points
ID: 12258130
almost
   access-list 101 deny tcp any host 208.196.79.1 eq telnet
   access-list 101 deny icmp any any echo
   access-list 101 deny udp any any gt 32768
   access-list 101 permit ip any any

Order is important, make sure that the permit any any is always last.



0
 
LVL 3

Expert Comment

by:davdjevans
ID: 26543809
A word of warning: The accepted solution would block all udp traffic with a high port number, which is a bit excessive. Another option would be to use:
     access-list 101 deny icmp any any ttl-exceeded
     access-list 101 deny icmp any any port-unreachable
0

Featured Post

Control application downtime with dependency maps

Visualize the interdependencies between application components better with Applications Manager's automated application discovery and dependency mapping feature. Resolve performance issues faster by quickly isolating problematic components.

Join & Write a Comment

Suggested Solutions

Title # Comments Views Activity
Asymmetric Routing (Firewall) 3 61
WAN IP Conflict on Sonicwall 5 60
Sonicwall routing between VPNs 5 28
EIGRP Full Mesh 2 36
It happens many times that access list (ACL) have to be applied to outgoing router interface in order to limit some traffic.This article is about how to test ACL from the router which is not very intuitive for everyone. Below scenario shows simple s…
Creating an OSPF network that automatically (dynamically) reroutes network traffic over other connections to prevent network downtime.
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…

746 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

16 Experts available now in Live!

Get 1:1 Help Now