Solved

How to block ICMP port 512 via ACL?

Posted on 2004-10-28
Last Modified: 2008-01-09
Is it possible to block Protocol ICMP port 512 with an ACL? If not, how can it be blocked?

Partial ACL listed below; it is applied at the public INT (66.x.66.x) inbound.

R3Gateway#show ip access-lists complete_bogon_v2_5b
Extended IP access list complete_bogon_v2_5b
.
.
.
deny ip 172.16.0.0 0.15.255.255 any (240 matches)
.
.
.
deny ip 192.168.0.0 0.0.255.255 any
permit tcp any any established (142025 matches)
permit udp any eq ntp any (6477 matches)
permit udp any eq domain host 66.x.66.x (2206 matches)
permit udp any host 66.x.66.x eq domain (154 matches)
permit tcp any host 66.x.66.x eq domain (98 matches)
permit tcp any host 66.x.66.x eq www (40 matches)
deny ip any any log-input (4002 matches)

When I do a Show IP NAT translations I get the following output

Pro Inside global      Inside local       Outside local      Outside global
icmp 66.x.66.x:512   172.x.13.x:512   192.168.183.1:512  192.168.183.1:512
icmp 66.x.66.x:512   172.x.13.x:512   192.168.112.1:512  192.168.112.1:512

I would like to block this, but I do not see or know of a way to block a specific ICMP port 512.

Is it possible to know if this traffic was initiated from inside going out, or from outside coming in?

Thanks

Question by:orbix
    3 Comments
     

    Accepted Solution

    by:
    The traffic has to be initiated from the inside.
    You can block that this way:
       access-list 109 deny icmp any any
       access-list 109 permit ip any any
       
       interface fast 0/0
         ip access-group 109 in

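    As an added example (not code from this thread): a small Python script that parses the "show ip nat translations" lines quoted in the question and evaluates the accepted solution's access-list 109 against each entry, showing why the ":512" field cannot be matched as a port and that the entries are inside-initiated. The addresses stand in for the masked "x" octets and are constructed.

```python
import ipaddress

# Constructed sample of the thread's "show ip nat translations" output; the
# masked "x" octets are replaced with documentation-range values (assumption).
NAT_OUTPUT = """\
Pro Inside global      Inside local       Outside local      Outside global
icmp 203.0.113.1:512   172.16.13.5:512    192.168.183.1:512  192.168.183.1:512
icmp 203.0.113.1:512   172.16.13.5:512    192.168.112.1:512  192.168.112.1:512
"""

# access-list 109 from the accepted solution as (action, protocol, src, dst).
ACL_109 = [
    ("deny", "icmp", "any", "any"),
    ("permit", "ip", "any", "any"),
]

def parse_nat(output):
    """Return one dict per translation line (header row skipped)."""
    entries = []
    for line in output.splitlines()[1:]:
        proto, _ig, inside_local, _ol, outside_global = line.split()
        ip, ident = inside_local.split(":")
        # For ICMP the ":512" suffix is the echo identifier that NAT tracks,
        # not a transport port, which is why no "eq 512" ACL line can match it.
        entries.append({"proto": proto, "src": ip, "icmp_id": int(ident),
                        "dst": outside_global.split(":")[0]})
    return entries

def initiated_from_inside(entry):
    """Dynamic translations are created by the first packet leaving the
    inside interface, so an entry whose inside-local address is an internal
    (RFC 1918) host was initiated from inside, as the accepted answer says."""
    return ipaddress.ip_address(entry["src"]).is_private

def acl_action(acl, proto, src, dst):
    """First matching line wins; an IOS ACL ends with an implicit deny."""
    for action, p, s, d in acl:
        if p in ("ip", proto) and s in ("any", src) and d in ("any", dst):
            return action
    return "deny"

def evaluate(output=NAT_OUTPUT, acl=ACL_109):
    """Map each translation to (src, dst, inside-initiated?, ACL verdict)."""
    return [(e["src"], e["dst"], initiated_from_inside(e),
             acl_action(acl, e["proto"], e["src"], e["dst"]))
            for e in parse_nat(output)]
```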
     

    Author Comment

    by:orbix
    I have made those changes, thanks. With regard to applying the ACL IN or OUT, how do you determine which way to apply the ACL?

    Is "IN" considered any traffic entering the int from either side, ISP --> Int FA 0/0 <-- Int E 3/2?
     

    Expert Comment

    by:lrmoore
    Apply this "in" on the interface closest to the users.
    If users are connected to E 3/2 and FA 0/0 is connected to the ISP, then apply it "in" on the E 3/2 interface.
