holdebalance
how to block icmp and traceroute requests on cisco 2600 router
Hi all,
Can someone help me with blocking all ping and traceroute requests that are sent to our external router from the internet?
Here is my current configuration...
Building configuration...
!
!
!
!
ip subnet-zero
no ip finger
ip domain-name ALTER.NET
ip name-server 198.6.1.5
!
!
!
!
interface FastEthernet0/0
description To Office FastEthernet
ip address 208.196.79.1 255.255.255.0
ip nat outside
no ip route-cache
no ip mroute-cache
duplex auto
speed auto
!
interface Serial0/0
description To UUNET (wcomw0g73828)
bandwidth 1536
no ip address
ip nat inside
encapsulation frame-relay IETF
no ip route-cache
no ip mroute-cache
no fair-queue
frame-relay lmi-type ansi
!
interface Serial0/0.1 point-to-point
bandwidth 1536
ip unnumbered FastEthernet0/0
no ip unreachables
no ip route-cache
no ip mroute-cache
frame-relay interface-dlci 500 IETF
!
ip nat inside source list 10 interface FastEthernet0/0 overload
ip classless
ip route 0.0.0.0 0.0.0.0 Serial0/0.1
no ip http server
!
access-list 10 permit 192.168.0.0 0.0.255.255
snmp-server community 0473e54cf9 RO
snmp-server enable traps snmp
!
line con 0
password 1bb8be0cd3
login
transport preferred none
transport input none
line aux 0
password 1bb8be0cd3
login
modem InOut
transport preferred none
transport input all
transport output pad v120 telnet rlogin udptn
stopbits 1
flowcontrol hardware
line vty 0 4
password
login
transport preferred none
!
no scheduler allocate
end
Cisco-gw#
thanks,
That doesn't stop the traceroute though. Add this line in between the other 2:
access-list 101 deny udp any any gt 32768
ASKER
Great, thanks for the help... one more thing: how would I block telnet to my router from the outside world?
Would I add a line like this?
access-list 101 deny telnet any any echo
thanks!!!
ASKER CERTIFIED SOLUTION
A word of warning: The accepted solution would block all udp traffic with a high port number, which is a bit excessive. Another option would be to use:
access-list 101 deny icmp any any ttl-exceeded
access-list 101 deny icmp any any port-unreachable
access-list 101 deny icmp any any echo
access-list 101 permit ip any any
interface serial 0/0.1
ip access-group 101 in
Then try pinging it from the outside, and use the result of "show access-list 101" to see the hit count.
This configuration permits the returning echo-reply if you try to ping something else...
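To make the difference between the two approaches concrete, here is an added Python toy evaluator (not from the thread and not IOS code) that applies first-match ACL semantics to a few constructed inbound packets. The accepted answer's other two lines are hidden, so the port-based list assumes they are the "deny icmp any any echo" and "permit ip any any" lines seen elsewhere in the thread; the type-based list is the alternative posted in the last comment.

```python
from collections import namedtuple
# Constructed sample packet: just the fields these ACL entries inspect.
Packet = namedtuple("Packet", "proto dst_port icmp_type", defaults=(0, ""))

def parse_acl(text):
    """Parse 'access-list 101 <action> <proto> any any [qualifier...]' lines."""
    entries = []
    for line in text.strip().splitlines():
        parts = line.split()
        entries.append((parts[2], parts[3], parts[6:]))  # (action, proto, qualifier)
    return entries

def entry_matches(entry, pkt):
    _, proto, qualifier = entry
    if proto != "ip" and proto != pkt.proto:
        return False
    if not qualifier:
        return True                                 # bare 'any any' matches all
    if proto == "icmp":
        return qualifier[0] == pkt.icmp_type        # ICMP type keyword
    if qualifier[0] == "gt":                        # destination-port operator
        return pkt.dst_port > int(qualifier[1])
    return False

def evaluate(entries, pkt):
    """IOS semantics: first matching entry wins, implicit deny at the end."""
    for entry in entries:
        if entry_matches(entry, pkt):
            return entry[0]
    return "deny"

# Assumed reconstruction of the accepted answer (its other two lines are hidden).
PORT_BASED = """access-list 101 deny icmp any any echo
access-list 101 deny udp any any gt 32768
access-list 101 permit ip any any"""
# The ICMP-type-based alternative posted in the last comment.
TYPE_BASED = """access-list 101 deny icmp any any ttl-exceeded
access-list 101 deny icmp any any port-unreachable
access-list 101 deny icmp any any echo
access-list 101 permit ip any any"""
SAMPLES = {  # constructed packets arriving inbound on the serial interface
    "ping request": Packet("icmp", icmp_type="echo"),
    "echo reply to our own ping": Packet("icmp", icmp_type="echo-reply"),
    "traceroute UDP probe": Packet("udp", dst_port=33434),
    "DNS answer to a NAT ephemeral port": Packet("udp", dst_port=41000),
}

def compare():
    # Returns {sample name: (port-based verdict, type-based verdict)}
    a, b = parse_acl(PORT_BASED), parse_acl(TYPE_BASED)
    return {name: (evaluate(a, p), evaluate(b, p)) for name, p in SAMPLES.items()}
```

The model covers only the match keywords used in this thread (ICMP type and a destination-port "gt"), not interface direction or the replies the router itself generates, so it shows which inbound packets each list catches and nothing more. The "DNS answer" sample is the collateral damage the warning above refers to: any UDP reply coming back to a high NAT port is dropped by the port-based list.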