Solved

how to block icmp and traceroute requests on cisco 2600 router

Posted on 2004-10-06
12,764 Views
Last Modified: 2011-02-12
Hi all,

Can someone help me with blocking all ping and traceroute requests that are sent to our external router from the internet?

Here is my current configuration...

Building configuration...


!
!
!
!
ip subnet-zero
no ip finger
ip domain-name ALTER.NET
ip name-server 198.6.1.5
!
!
!
!
interface FastEthernet0/0
 description To Office FastEthernet
 ip address 208.196.79.1 255.255.255.0
 ip nat outside
 no ip route-cache
 no ip mroute-cache
 duplex auto
 speed auto
!
interface Serial0/0
 description To UUNET (wcomw0g73828)
 bandwidth 1536
 no ip address
 ip nat inside
 encapsulation frame-relay IETF
 no ip route-cache
 no ip mroute-cache
 no fair-queue
 frame-relay lmi-type ansi
!
interface Serial0/0.1 point-to-point
 bandwidth 1536
 ip unnumbered FastEthernet0/0
 no ip unreachables
 no ip route-cache
 no ip mroute-cache
 frame-relay interface-dlci 500 IETF
!
ip nat inside source list 10 interface FastEthernet0/0 overload
ip classless
ip route 0.0.0.0 0.0.0.0 Serial0/0.1
no ip http server
!
access-list 10 permit 192.168.0.0 0.0.255.255
snmp-server community 0473e54cf9 RO
snmp-server enable traps snmp
!
line con 0
 password 1bb8be0cd3
 login
 transport preferred none
 transport input none
line aux 0
 password 1bb8be0cd3
 login
 modem InOut
 transport preferred none
 transport input all
 transport output pad v120 telnet rlogin udptn
 stopbits 1
 flowcontrol hardware
line vty 0 4
 password
 login
 transport preferred none
!
no scheduler allocate
end

Cisco-gw#


thanks,

Question by:holdebalance
5 Comments
LVL 79

Expert Comment

by:lrmoore
ID: 12240528
Easy enough...

access-list 101 deny icmp any any echo
access-list 101 permit ip any any

interface serial 0/0.1
  ip access-group 101 in

Then try pinging it from the outside, and use the result of "show access-list 101" to see the hit count.

This configuration permits the returning echo-reply if you try to ping something else...


LVL 28

Expert Comment

by:mikebernhardt
ID: 12241667
That doesn't stop the traceroute though. Add this line in between the other 2:
access-list 101 deny udp any any gt 32768

Author Comment

by:holdebalance
ID: 12258090
Great, thanks for the help. One more thing: how would I block telnet to my router from the outside world?

Would I add a line like this?

access-list 101 deny telnet any any echo


Thanks!
LVL 79

Accepted Solution

by:lrmoore (earned 125 total points)
ID: 12258130
Almost:
   access-list 101 deny tcp any host 208.196.79.1 eq telnet
   access-list 101 deny icmp any any echo
   access-list 101 deny udp any any gt 32768
   access-list 101 permit ip any any

Order is important; make sure that the permit any any is always last.



LVL 3

Expert Comment

by:davdjevans
ID: 26543809
A word of warning: The accepted solution would block all udp traffic with a high port number, which is a bit excessive. Another option would be to use:
     access-list 101 deny icmp any any ttl-exceeded
     access-list 101 deny icmp any any port-unreachable
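Putting the thread together as an added example (this is not configuration posted by anyone in the thread): a named extended ACL that drops inbound ping and UNIX-style traceroute probes on Serial0/0.1 without the side effect of "deny udp any any gt 32768", plus an access-class on the vty lines so telnet to the router is refused whichever of its addresses is targeted, rather than only 208.196.79.1. The ACL name OUTSIDE-IN, the standard ACL number 5, and the management range 192.168.0.0/16 (taken from access-list 10 in the posted config) are assumptions; the UDP range starts at traceroute's default base port 33434 and covers 100 probes, which is more than the default 30 hops x 3 probes. One caveat on the last comment: because this ACL is applied inbound on the serial subinterface, ICMP ttl-exceeded and port-unreachable messages arriving there are replies to traceroutes started from inside the network (the replies to an outside traceroute aimed at the router leave the router outbound), so denying those two ICMP types inbound breaks inside-originated traceroutes and does not hide the router from outside ones.

```cisco
! Added example, not from the thread: narrower replacement for access-list 101.
! Assumed names/numbers: OUTSIDE-IN, standard ACL 5, management range 192.168.0.0/16.
ip access-list extended OUTSIDE-IN
 remark -- inbound ping (Windows tracert uses ICMP echo too, so this covers it)
 deny   icmp any any echo log
 remark -- UNIX/Linux traceroute probes: UDP base port 33434, one port per probe
 remark -- (30 hops x 3 probes = 90 ports); 100 ports leaves a little headroom
 deny   udp  any any range 33434 33534 log
 remark -- everything else, including echo-reply and ttl-exceeded coming back
 remark -- to inside hosts that ping or traceroute outbound, is still allowed
 permit ip   any any
!
interface Serial0/0.1
 ip access-group OUTSIDE-IN in
!
! Telnet to the router: restrict the vty lines themselves instead of matching
! a single destination address in the packet filter, so it holds for every
! address the router answers on.
access-list 5 remark -- hosts allowed to open a management session
access-list 5 permit 192.168.0.0 0.0.255.255
line vty 0 4
 access-class 5 in
!
! Checks after applying: per-line hit counts, and that the ACL is bound inbound.
! show access-lists OUTSIDE-IN
! show ip interface Serial0/0.1 | include access list
```

After applying this, a ping from the outside should increment the match counter on the echo line of "show access-lists OUTSIDE-IN", a UNIX traceroute from the outside should increment the UDP line, and a telnet attempt from the internet should be refused by the vty access-class before any password prompt. The "log" keyword sends a rate-limited syslog message per matching packet; drop it from the two deny lines once you have confirmed the counters move, if the log noise is unwanted.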
