• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 13224
  • Last Modified:

how to block icmp and traceroute requests on cisco 2600 router

Hi all,

Can someone help me with blocking all ping and traceroute requests that are sent to our external router from the internet?

Here is my current configuration...

Building configuration...


!
!
!
!
ip subnet-zero
no ip finger
ip domain-name ALTER.NET
ip name-server 198.6.1.5
!
!
!
!
interface FastEthernet0/0
 description To Office FastEthernet
 ip address 208.196.79.1 255.255.255.0
 ip nat outside
 no ip route-cache
 no ip mroute-cache
 duplex auto
 speed auto
!
interface Serial0/0
 description To UUNET (wcomw0g73828)
 bandwidth 1536
 no ip address
 ip nat inside
 encapsulation frame-relay IETF
 no ip route-cache
 no ip mroute-cache
 no fair-queue
 frame-relay lmi-type ansi
!
interface Serial0/0.1 point-to-point
 bandwidth 1536
 ip unnumbered FastEthernet0/0
 no ip unreachables
 no ip route-cache
 no ip mroute-cache
 frame-relay interface-dlci 500 IETF
!
ip nat inside source list 10 interface FastEthernet0/0 overload
ip classless
ip route 0.0.0.0 0.0.0.0 Serial0/0.1
no ip http server
!
access-list 10 permit 192.168.0.0 0.0.255.255
snmp-server community 0473e54cf9 RO
snmp-server enable traps snmp
!
line con 0
 password 1bb8be0cd3
 login
 transport preferred none
 transport input none
line aux 0
 password 1bb8be0cd3
 login
 modem InOut
 transport preferred none
 transport input all
 transport output pad v120 telnet rlogin udptn
 stopbits 1
 flowcontrol hardware
line vty 0 4
 password
 login
 transport preferred none
!
no scheduler allocate
end

Cisco-gw#


thanks,

0
holdebalance
Asked:
holdebalance
1 Solution
 
lrmooreCommented:
Easy enough...

access-list 101 deny icmp any any echo
access-list 101 permit ip any any

interface serial 0/0.1
  ip access-group 101 in

Then try pinging it from the outside, and use result of "show access-list 101" and see the hitcount..

This configuration permits the returning echo-reply if you try to ping something else...


 
0
 
mikebernhardtCommented:
That doesn't stop the traceroute though. Add this line in between the other 2:
access-list 101 deny udp any any gt 32768
0
 
holdebalanceAuthor Commented:
Great thanks for the help.......one more thing how would i block telnet to my router from the outside world....

would i add a line like this?

access-list 101 deny telnet any any echo


thanks!!!
0
 
lrmooreCommented:
almost
   access-list 101 deny tcp any host 208.196.79.1 eq telnet
   access-list 101 deny icmp any any echo
   access-list 101 deny udp any any gt 32768
   access-list 101 permit ip any any

Order is important, make sure that the permit any any is always last.



0
 
davdjevansCommented:
A word of warning: The accepted solution would block all udp traffic with a high port number, which is a bit excessive. Another option would be to use:
     access-list 101 deny icmp any any ttl-exceeded
     access-list 101 deny icmp any any port-unreachable
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

Featured Post

Cloud Class® Course: Ruby Fundamentals

This course will introduce you to Ruby, as well as teach you about classes, methods, variables, data structures, loops, enumerable methods, and finishing touches.

Tackle projects and never again get stuck behind a technical roadblock.
Join Now