Solved

How to block ICMP port 512 via ACL?

Posted on 2004-10-28
Last Modified: 2008-01-09
Is it possible to block Protocol ICMP port 512 with an ACL? If not, how can it be blocked?

Partial ACL listed below; it is applied at the public INT (66.x.66.x) inbound.

R3Gateway#show ip access-lists complete_bogon_v2_5b
Extended IP access list complete_bogon_v2_5b
.
.
.
deny ip 172.16.0.0 0.15.255.255 any (240 matches)
.
.
.
deny ip 192.168.0.0 0.0.255.255 any
permit tcp any any established (142025 matches)
permit udp any eq ntp any (6477 matches)
permit udp any eq domain host 66.x.66.x (2206 matches)
permit udp any host 66.x.66.x eq domain (154 matches)
permit tcp any host 66.x.66.x eq domain (98 matches)
permit tcp any host 66.x.66.x eq www (40 matches)
deny ip any any log-input (4002 matches)

When I do a show ip nat translations, I get the following output:

Pro Inside global      Inside local       Outside local      Outside global
icmp 66.x.66.x:512   172.x.13.x:512   192.168.183.1:512  192.168.183.1:512
icmp 66.x.66.x:512   172.x.13.x:512   192.168.112.1:512  192.168.112.1:512

I would like to block this, but I do not see or know of a way to do it for a specific ICMP port 512.

Is it possible to know if this traffic was initiated from inside going out, or from outside coming in?

Thanks

Question by:orbix
3 Comments
 
LVL 79

Accepted Solution

by: lrmoore (earned 1000 total points)
ID: 12441016
The traffic has to be initiated from the inside.
You can block that this way:
   access-list 109 deny icmp any any
   access-list 109 permit ip any any
   
   interface fast 0/0
     ip access-group 109 in

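As an added illustration (not code from the thread or from lrmoore), a small Python model of Cisco first-match extended ACL evaluation with wildcard masks, run over the tail of the poster's inbound ACL and over lrmoore's ACL 109; the masked 66.x.66.x and 172.x.13.x addresses are replaced with constructed stand-ins. It shows why an echo arriving from the Internet already hits the final deny on the public interface, so the NAT entries can only have been inside-initiated, and how ACL 109 applied "in" on the LAN-side interface drops ICMP while still permitting other IP traffic.

```python
import ipaddress

ANY = ("0.0.0.0", "255.255.255.255")          # Cisco "any" as address/wildcard
PUBLIC = ("66.1.66.1", "0.0.0.0")             # constructed stand-in for 66.x.66.x
LAN_HOST = "172.20.13.5"                      # constructed stand-in for 172.x.13.x

def wc_match(addr, net, wildcard):
    """Cisco wildcard mask: bits set in the wildcard are 'don't care'."""
    a, n, w = (int(ipaddress.IPv4Address(x)) for x in (addr, net, wildcard))
    return (a | w) == (n | w)

def rule_matches(rule, pkt):
    if rule["proto"] not in ("ip", pkt["proto"]):
        return False
    if not (wc_match(pkt["src"], *rule["src"]) and wc_match(pkt["dst"], *rule["dst"])):
        return False
    for key in ("sport", "dport"):            # "eq <port>" qualifiers, when present
        if key in rule and rule[key] != pkt.get(key):
            return False
    return not rule.get("established") or pkt.get("ack", False)

def evaluate(acl, pkt):
    """First matching entry wins; an extended IP ACL ends with an implicit deny."""
    for index, rule in enumerate(acl):
        if rule_matches(rule, pkt):
            return rule["action"], index
    return "deny", None

def r(action, proto, src=ANY, dst=ANY, **opts):   # compact rule constructor
    return dict(action=action, proto=proto, src=src, dst=dst, **opts)

# Tail of the poster's inbound ACL on the public interface, transcribed from the listing.
BOGON_IN = [
    r("deny", "ip", ("172.16.0.0", "0.15.255.255")),
    r("deny", "ip", ("192.168.0.0", "0.0.255.255")),
    r("permit", "tcp", established=True),
    r("permit", "udp", sport=123),                 # eq ntp
    r("permit", "udp", sport=53, dst=PUBLIC),      # eq domain
    r("permit", "udp", dst=PUBLIC, dport=53),
    r("permit", "tcp", dst=PUBLIC, dport=53),
    r("permit", "tcp", dst=PUBLIC, dport=80),      # eq www
    r("deny", "ip"),                               # deny ip any any log-input
]
# lrmoore's ACL 109, applied "in" on the LAN-facing interface.
ACL_109 = [r("deny", "icmp"), r("permit", "ip")]
# Constructed packets: an echo from the Internet, and LAN-originated ICMP and web traffic.
ECHO_FROM_INTERNET = {"proto": "icmp", "src": "198.51.100.7", "dst": "66.1.66.1"}
ECHO_FROM_LAN = {"proto": "icmp", "src": LAN_HOST, "dst": "192.168.183.1"}
WEB_FROM_LAN = {"proto": "tcp", "src": LAN_HOST, "dst": "198.51.100.7", "dport": 80}
```

`evaluate(BOGON_IN, ECHO_FROM_INTERNET)` returns the final deny entry, while `evaluate(ACL_109, ECHO_FROM_LAN)` hits the ICMP deny and `evaluate(ACL_109, WEB_FROM_LAN)` falls through to the permit.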
Author Comment

by: orbix
ID: 12446556
I have made those changes, thanks. With regard to applying the ACL IN or OUT, how do you determine which way to apply the ACL?

Is "IN" considered any traffic entering the int from either side, ISP --> Int FA 0/0 <-- Int E 3/2?
LVL 79

Expert Comment

by: lrmoore
ID: 12446924
Apply this "in" on the interface closest to the users.
If users are connected to E 3/2 and FA 0/0 is connected to the ISP, then apply it "in" on the E 3/2 interface.