Solved

how to block icmp and traceroute requests on cisco 2600 router

Posted on 2004-10-06
12,942 Views
Last Modified: 2011-02-12
Hi all,

Can someone help me with blocking all ping and traceroute requests that are sent to our external router from the internet?

Here is my current configuration...

Building configuration...


!
!
!
!
ip subnet-zero
no ip finger
ip domain-name ALTER.NET
ip name-server 198.6.1.5
!
!
!
!
interface FastEthernet0/0
 description To Office FastEthernet
 ip address 208.196.79.1 255.255.255.0
 ip nat outside
 no ip route-cache
 no ip mroute-cache
 duplex auto
 speed auto
!
interface Serial0/0
 description To UUNET (wcomw0g73828)
 bandwidth 1536
 no ip address
 ip nat inside
 encapsulation frame-relay IETF
 no ip route-cache
 no ip mroute-cache
 no fair-queue
 frame-relay lmi-type ansi
!
interface Serial0/0.1 point-to-point
 bandwidth 1536
 ip unnumbered FastEthernet0/0
 no ip unreachables
 no ip route-cache
 no ip mroute-cache
 frame-relay interface-dlci 500 IETF
!
ip nat inside source list 10 interface FastEthernet0/0 overload
ip classless
ip route 0.0.0.0 0.0.0.0 Serial0/0.1
no ip http server
!
access-list 10 permit 192.168.0.0 0.0.255.255
snmp-server community 0473e54cf9 RO
snmp-server enable traps snmp
!
line con 0
 password 1bb8be0cd3
 login
 transport preferred none
 transport input none
line aux 0
 password 1bb8be0cd3
 login
 modem InOut
 transport preferred none
 transport input all
 transport output pad v120 telnet rlogin udptn
 stopbits 1
 flowcontrol hardware
line vty 0 4
 password
 login
 transport preferred none
!
no scheduler allocate
end

Cisco-gw#


thanks,

Question by: holdebalance
5 Comments
 
LVL 79

Expert Comment

by:lrmoore
ID: 12240528
Easy enough...

access-list 101 deny icmp any any echo
access-list 101 permit ip any any

interface serial 0/0.1
  ip access-group 101 in

Then try pinging it from the outside, and use the result of "show access-list 101" to see the hit count.

This configuration permits the returning echo-reply if you try to ping something else...


 
 
LVL 28

Expert Comment

by:mikebernhardt
ID: 12241667
That doesn't stop the traceroute though. Add this line in between the other 2:
access-list 101 deny udp any any gt 32768
 

Author Comment

by:holdebalance
ID: 12258090
Great, thanks for the help. One more thing: how would I block telnet to my router from the outside world?

Would I add a line like this?

access-list 101 deny telnet any any echo


thanks!!!
 
LVL 79

Accepted Solution

by: lrmoore (earned 500 total points)
ID: 12258130
Almost:
   access-list 101 deny tcp any host 208.196.79.1 eq telnet
   access-list 101 deny icmp any any echo
   access-list 101 deny udp any any gt 32768
   access-list 101 permit ip any any

Order is important, make sure that the permit any any is always last.



 
LVL 3

Expert Comment

by:davdjevans
ID: 26543809
A word of warning: the accepted solution would block all UDP traffic with a high port number, which is a bit excessive. Another option would be to use:
     access-list 101 deny icmp any any ttl-exceeded
     access-list 101 deny icmp any any port-unreachable
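Editor's note: the Python script below is an added worked example; it is not code from any of the posters and not anything Cisco ships. It parses the four ACL lines from the accepted solution and replays constructed packets through them with IOS first-match semantics and the implicit trailing deny, so you can see three things the thread states but does not show: why lrmoore's "permit any any must be last" warning matters, that a returning echo-reply for the router's own pings is still permitted, and the collateral effect davdjevans warns about, namely that "deny udp any any gt 32768" also drops UDP replies (a DNS answer, say) addressed to an inside host's high ephemeral port. Assumptions: 208.196.79.1 is the router's address on the serial side (Serial0/0.1 is unnumbered to FastEthernet0/0 in the posted config); the outside host 203.0.113.9, the inside host 208.196.79.50 and the ephemeral port 40123 are constructed; and the narrower ACL that limits the UDP deny to the router's own address and the classic traceroute probe range 33434-33534 is my suggestion, not something anyone in the thread posted.

```python
"""First-match simulator for the extended ACL lines in this thread (editor's illustration,
not Cisco code). Handles only the syntax used here plus 'range'; packets are assumed to
arrive inbound on Serial0/0.1, i.e. from the Internet."""
from dataclasses import dataclass

PORT_NAMES = {"telnet": 23, "domain": 53}   # IOS port keywords used in the thread

@dataclass
class Packet:
    name: str
    proto: str            # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: int = 0        # destination port, tcp/udp only
    icmp_type: str = ""   # "echo", "echo-reply", "ttl-exceeded", ...

@dataclass
class Rule:
    action: str           # "permit" or "deny"
    proto: str            # "ip" matches every protocol
    src: str              # "any" or one host address
    dst: str
    port_op: str = ""     # "", "eq", "gt" or "range"
    ports: tuple = ()
    icmp_type: str = ""
    text: str = ""        # original line, reported on match

def _addr(toks, i):
    """Parse 'any' or 'host A.B.C.D' at toks[i]; return (value, next index)."""
    if toks[i] == "any":
        return "any", i + 1
    if toks[i] == "host":
        return toks[i + 1], i + 2
    raise ValueError(f"unsupported address form {toks[i]!r} (wildcard masks not modelled)")

def parse_acl(lines):
    rules = []
    for line in lines:
        toks = line.split()
        if len(toks) < 6 or toks[0] != "access-list":
            continue                                   # blank or unrelated line
        src, i = _addr(toks, 4)
        dst, i = _addr(toks, i)
        rule = Rule(toks[2], toks[3], src, dst, text=line.strip())
        rest = toks[i:]
        if rest and rule.proto in ("tcp", "udp"):
            rule.port_op = rest[0]
            n = 2 if rest[0] == "range" else 1
            rule.ports = tuple(PORT_NAMES.get(t) or int(t) for t in rest[1:1 + n])
        elif rest and rule.proto == "icmp":
            rule.icmp_type = rest[0]
        rules.append(rule)
    return rules

def matches(rule, pkt):
    if rule.proto not in ("ip", pkt.proto):
        return False
    if rule.src not in ("any", pkt.src) or rule.dst not in ("any", pkt.dst):
        return False
    if rule.icmp_type and pkt.icmp_type != rule.icmp_type:
        return False
    if rule.port_op == "eq":
        return pkt.dport == rule.ports[0]
    if rule.port_op == "gt":
        return pkt.dport > rule.ports[0]
    if rule.port_op == "range":
        return rule.ports[0] <= pkt.dport <= rule.ports[1]
    return True

def decide(acl_lines, pkt):
    """Return (action, matching line). IOS ends every ACL with an implicit deny."""
    for rule in parse_acl(acl_lines):
        if matches(rule, pkt):
            return rule.action, rule.text
    return "deny", "implicit deny ip any any"

ROUTER = "208.196.79.1"   # Serial0/0.1 borrows this via 'ip unnumbered FastEthernet0/0'
ACCEPTED = [              # the accepted solution, as posted
    "access-list 101 deny tcp any host 208.196.79.1 eq telnet",
    "access-list 101 deny icmp any any echo",
    "access-list 101 deny udp any any gt 32768",
    "access-list 101 permit ip any any",
]
# Narrower variant (editor's assumption, not from the thread): drop only UDP probes aimed
# at the router itself in the classic traceroute destination range 33434-33534.
NARROW = ACCEPTED[:2] + ["access-list 101 deny udp any host 208.196.79.1 range 33434 33534",
                         ACCEPTED[3]]
MISORDERED = [ACCEPTED[3]] + ACCEPTED[:3]   # same four lines with the permit first
# Constructed packets (203.0.113.9 is a documentation address, 40123 an invented port).
PACKETS = [
    Packet("ping to router", "icmp", "203.0.113.9", ROUTER, icmp_type="echo"),
    Packet("reply to our own ping", "icmp", "203.0.113.9", ROUTER, icmp_type="echo-reply"),
    Packet("traceroute probe", "udp", "203.0.113.9", ROUTER, dport=33434),
    Packet("DNS answer to inside client", "udp", "198.6.1.5", ROUTER, dport=40123),
    Packet("telnet to router", "tcp", "203.0.113.9", ROUTER, dport=23),
    Packet("telnet to inside host", "tcp", "203.0.113.9", "208.196.79.50", dport=23),
]

def report(acl_lines):
    """Map each constructed packet's name to the action the ACL takes on it."""
    return {p.name: decide(acl_lines, p)[0] for p in PACKETS}
```

Call report(ACCEPTED), report(NARROW) and report(MISORDERED) to compare: the accepted list denies the ping, the traceroute probe and telnet to the router while still permitting the echo-reply and telnet to the inside host, but it also denies the DNS answer on port 40123; the narrower list permits that answer and still drops the probe; with the permit moved first everything is permitted. Two caveats when applying this on the real router: an "ip access-group 101 in" on Serial0/0.1 evaluates only packets arriving from the provider, and IOS does not run locally generated packets through interface ACLs, so ICMP ttl-exceeded or port-unreachable messages the router itself sends in answer to a traceroute are not stopped by an inbound deny of those types (such a deny instead hides those replies from inside hosts running their own traceroutes). The "no ip unreachables" already on Serial0/0.1 in the posted configuration is the setting that keeps the router from sending unreachables on that interface.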
