Solved

how to block icmp and traceroute requests on cisco 2600 router

Posted on 2004-10-06
12,881 Views
Last Modified: 2011-02-12
Hi all,

Can someone help me with blocking all ping and traceroute requests that are sent to our external router from the internet?

Here is my current configuration...

Building configuration...


!
!
!
!
ip subnet-zero
no ip finger
ip domain-name ALTER.NET
ip name-server 198.6.1.5
!
!
!
!
interface FastEthernet0/0
 description To Office FastEthernet
 ip address 208.196.79.1 255.255.255.0
 ip nat outside
 no ip route-cache
 no ip mroute-cache
 duplex auto
 speed auto
!
interface Serial0/0
 description To UUNET (wcomw0g73828)
 bandwidth 1536
 no ip address
 ip nat inside
 encapsulation frame-relay IETF
 no ip route-cache
 no ip mroute-cache
 no fair-queue
 frame-relay lmi-type ansi
!
interface Serial0/0.1 point-to-point
 bandwidth 1536
 ip unnumbered FastEthernet0/0
 no ip unreachables
 no ip route-cache
 no ip mroute-cache
 frame-relay interface-dlci 500 IETF
!
ip nat inside source list 10 interface FastEthernet0/0 overload
ip classless
ip route 0.0.0.0 0.0.0.0 Serial0/0.1
no ip http server
!
access-list 10 permit 192.168.0.0 0.0.255.255
snmp-server community 0473e54cf9 RO
snmp-server enable traps snmp
!
line con 0
 password 1bb8be0cd3
 login
 transport preferred none
 transport input none
line aux 0
 password 1bb8be0cd3
 login
 modem InOut
 transport preferred none
 transport input all
 transport output pad v120 telnet rlogin udptn
 stopbits 1
 flowcontrol hardware
line vty 0 4
 password
 login
 transport preferred none
!
no scheduler allocate
end

Cisco-gw#


thanks,

Question by:holdebalance
5 Comments
 
LVL 79

Expert Comment

by:lrmoore
ID: 12240528
Easy enough...

access-list 101 deny icmp any any echo
access-list 101 permit ip any any

interface serial 0/0.1
  ip access-group 101 in

Then try pinging it from the outside, and use the result of "show access-list 101" to see the hit count.

This configuration permits the returning echo-reply if you try to ping something else...


 
 
LVL 28

Expert Comment

by:mikebernhardt
ID: 12241667
That doesn't stop the traceroute though. Add this line in between the other 2:
access-list 101 deny udp any any gt 32768
 

Author Comment

by:holdebalance
ID: 12258090
Great, thanks for the help... One more thing: how would I block telnet to my router from the outside world?

Would I add a line like this?

access-list 101 deny telnet any any echo


thanks!!!
 
LVL 79

Accepted Solution

by: lrmoore (earned 125 total points)
ID: 12258130
Almost:
   access-list 101 deny tcp any host 208.196.79.1 eq telnet
   access-list 101 deny icmp any any echo
   access-list 101 deny udp any any gt 32768
   access-list 101 permit ip any any

Order is important, make sure that the permit any any is always last.



 
LVL 3

Expert Comment

by:davdjevans
ID: 26543809
A word of warning: the accepted solution would block all UDP traffic with a high port number, which is a bit excessive. Another option would be to use:
     access-list 101 deny icmp any any ttl-exceeded
     access-list 101 deny icmp any any port-unreachable
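As an added example (not code from the thread, from Cisco, or from any of the posters), the following Python script parses the numbered-ACL lines of lrmoore's accepted solution into a first-match simulator, runs constructed packets through it, and reports the per-entry hit counters lrmoore suggests reading with "show access-list". It then repeats the run with the single change davdjevans's warning points at: narrowing "gt 32768" to the 33434-33534 destination range a default UNIX traceroute probes. Everything except 208.196.79.1 and the ACL lines is an assumption made up for the demonstration: the Internet source 198.51.100.7 (RFC 5737 documentation space), the LAN host 208.196.79.50, the NAT-translated port 40001 and the packet mix. The parser understands only the IOS syntax the thread uses (numbered extended ACLs, a destination-port operator, an ICMP type keyword).

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

@dataclass(frozen=True)
class Packet:
    proto: str            # "icmp", "tcp" or "udp"
    src: str
    dst: str
    dport: int = 0        # tcp/udp destination port
    icmp_type: str = ""   # IOS keyword: "echo", "echo-reply", "ttl-exceeded", ...

@dataclass
class Entry:
    action: str           # "permit" or "deny"
    proto: str            # "ip", "icmp", "tcp" or "udp"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    port_op: Optional[str] = None   # "eq", "neq", "gt", "lt" or "range" on the destination port
    ports: Tuple[int, ...] = ()
    icmp_type: Optional[str] = None
    hits: int = 0         # the per-entry match counter that "show access-list" prints

def _addr(tokens: List[str]) -> ipaddress.IPv4Network:
    word = tokens.pop(0)  # 'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD' (contiguous wildcards only)
    if word == "any":
        return ipaddress.IPv4Network("0.0.0.0/0")
    if word == "host":
        return ipaddress.IPv4Network(tokens.pop(0) + "/32")
    netmask = ipaddress.IPv4Address(~int(ipaddress.IPv4Address(tokens.pop(0))) & 0xFFFFFFFF)
    return ipaddress.IPv4Network(f"{word}/{netmask}", strict=False)

def parse_acl(config: str) -> List[Entry]:
    """Parse 'access-list N action proto SRC DST [port-op PORT... | icmp-type]' (the subset used here)."""
    entries: List[Entry] = []
    for raw in config.strip().splitlines():
        tokens = raw.split()
        if not tokens or tokens[0] == "!":
            continue
        if tokens[0] != "access-list":
            raise ValueError(f"unsupported line: {raw}")
        action, proto, rest = tokens[2], tokens[3], tokens[4:]
        entry = Entry(action, proto, _addr(rest), _addr(rest))   # arguments evaluate left to right
        if rest and proto in ("tcp", "udp"):
            entry.port_op = rest.pop(0)
            count = 2 if entry.port_op == "range" else 1
            entry.ports = tuple({"telnet": 23, "domain": 53, "www": 80}.get(p) or int(p) for p in rest[:count])
        elif rest and proto == "icmp":
            entry.icmp_type = rest[0]
        entries.append(entry)
    return entries

def _matches(entry: Entry, pkt: Packet) -> bool:
    if entry.proto not in ("ip", pkt.proto):
        return False
    if ipaddress.IPv4Address(pkt.src) not in entry.src or ipaddress.IPv4Address(pkt.dst) not in entry.dst:
        return False
    if entry.proto == "icmp" or entry.port_op is None:   # icmp_type is None for non-icmp entries
        return not entry.icmp_type or entry.icmp_type == pkt.icmp_type
    lo, hi, p = entry.ports[0], entry.ports[-1], pkt.dport
    return {"eq": p == lo, "neq": p != lo, "gt": p > lo, "lt": p < lo, "range": lo <= p <= hi}[entry.port_op]

def evaluate(acl: List[Entry], pkt: Packet) -> str:
    """First matching entry decides; every IOS ACL ends with an implicit 'deny ip any any'."""
    for entry in acl:
        if _matches(entry, pkt):
            entry.hits += 1
            return entry.action
    return "deny"

ROUTER, OUTSIDE = "208.196.79.1", "198.51.100.7"   # router address from the post; constructed Internet host
ACCEPTED = """
access-list 101 deny tcp any host 208.196.79.1 eq telnet
access-list 101 deny icmp any any echo
access-list 101 deny udp any any gt 32768
access-list 101 permit ip any any
"""
# Same intent, but only the ports a default UNIX traceroute probes, so other inbound high-port UDP passes.
TIGHTER = ACCEPTED.replace("101", "102").replace("gt 32768", "range 33434 33534")

CASES: Dict[str, Packet] = {   # constructed traffic arriving inbound on Serial0/0.1
    "ping router": Packet("icmp", OUTSIDE, ROUTER, icmp_type="echo"),
    "echo-reply to our own ping": Packet("icmp", OUTSIDE, ROUTER, icmp_type="echo-reply"),
    "unix traceroute probe": Packet("udp", OUTSIDE, ROUTER, dport=33434),
    "dns reply to NATed inside host": Packet("udp", OUTSIDE, ROUTER, dport=40001),
    "telnet to router": Packet("tcp", OUTSIDE, ROUTER, dport=23),
    "telnet to LAN host": Packet("tcp", OUTSIDE, "208.196.79.50", dport=23),
}

def run(config: str) -> Tuple[Dict[str, str], List[int]]:
    """Verdict per case, plus the per-entry hit counts 'show access-list' would show afterwards."""
    acl = parse_acl(config)
    verdicts = {name: evaluate(acl, pkt) for name, pkt in CASES.items()}
    return verdicts, [entry.hits for entry in acl]

def misordered() -> str:   # 'permit ip any any' placed first shadows every deny after it
    acl = parse_acl("access-list 103 permit ip any any\naccess-list 103 deny icmp any any echo")
    return evaluate(acl, CASES["ping router"])
```

Comparing run(ACCEPTED) with run(TIGHTER) shows the difference davdjevans is pointing at: with "gt 32768" the DNS reply to an inside host is dropped together with the traceroute probe, with the range only the probe is. The other verdicts are the same in both: the echo-reply to the router's own ping is permitted (lrmoore's point), the telnet deny protects only 208.196.79.1 so a host on the office /24 is still reachable on port 23, and misordered() returns "permit", which is what happens when "permit ip any any" is not kept last. One thing the simulator cannot show: an inbound access-group filters what arrives on Serial0/0.1, not the ICMP the router itself sends back, so the "no ip unreachables" already configured on Serial0/0.1 is what keeps the router from answering a traceroute's final probe with port-unreachable.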
