rfonewatt
Block ICMP traffic on Cisco 3660 interfaces & SSH
I would like to disable ping responses on all interfaces of the following router. I'm assuming I need to block ICMP with access lists applied to the interfaces but since it's a multi-link frame relay config I'm wondering if I need to apply it to both serial and all Ethernet interfaces?
I would also like to configure SSH on this router. Do I need to upgrade my IOS?
Thanks for your time!!
Router Info:
Cisco IOS Software, 3600 Software (C3660-JS-M), Version 12.4(7), RELEASE SOFTWARE (fc6)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2006 by Cisco Systems, Inc.
Compiled Tue 28-Feb-06 21:28 by alnguyen
ROM: System Bootstrap, Version 12.0(6r)T, RELEASE SOFTWARE (fc1)
xxrouterxx uptime is 5 days, 19 hours, 17 minutes
System returned to ROM by power-on
System restarted at 16:54:48 EST Tue Jan 23 2007
System image file is "flash:c3660-js-mz.124-7.bin"
Cisco 3660 (R527x) processor (revision 1.0) with 118784K/12288K bytes of memory.
Processor board ID JMX0633L4QW
R527x CPU at 225MHz, Implementation 40, Rev 10.0, 2048KB L2 Cache
3660 Chassis type: ENTERPRISE
2 FastEthernet interfaces
2 Serial interfaces
4 ATM interfaces
DRAM configuration is 64 bits wide with parity disabled.
125K bytes of NVRAM.
32768K bytes of processor board System flash (Read/Write)
16384K bytes of processor board PCMCIA Slot0 flash (Read/Write)
Configuration register is 0x2102
ASKER
What are the commands to accomplish this?
Can you send me the URL to the image I need?
Thanks!!!
As far as the image, unless you have support from Cisco you will have to purchase the IOS, a URL won't work.
For the list, the simplest thing is to block ping to everything; then the reply won't happen:
access-list 100 deny icmp any any echo
access-list 100 permit ip any any
interface serial 0/0.100
ip access-group 100 in
interface serial 0/0.101
ip access-group 100 in
etc. This list will block pings inbound, but everyone on the LAN will still be able to ping out AS LONG AS IT'S APPLIED TO THE SERIAL INTERFACES ONLY. If you apply it to the LAN interface then no one will be able to ping outside of the LAN. There is an implicit deny at the end of every list, meaning that if you don't permit everything else, it will deny everything else.
ASKER
That's exactly what I'm looking to accomplish. I do have Cisco support but I'd rather ask you guys. ;)
Do I need to apply the access list to the MFR link(s) as well?
Thanks!!
I've added the following to my configuration and can still ping the router from the net.
!
access-list 100 deny icmp any any echo
access-list 100 permit ip any any
!
!
interface Serial6/0
description WAN1 - HCGS.XXXX
no ip address
ip access-group 100 in
no ip redirects
no ip unreachables
encapsulation frame-relay MFR1
service-module t1 timeslots 1-24
no arp frame-relay
frame-relay multilink lid first-link
!
interface Serial6/1
description WAN2 - HCGS.XXXXX
no ip address
ip access-group 100 in
no ip redirects
no ip unreachables
encapsulation frame-relay MFR1
service-module t1 timeslots 1-24
no arp frame-relay
frame-relay multilink lid second-link
!
!
interface MFR1
description Frame Relay Bundle
no ip address
no ip redirects
no ip unreachables
frame-relay multilink bid first bundle
frame-relay lmi-type ansi
!
interface MFR1.1 point-to-point
ip address 66.XXX.XXX.XX 255.255.254.0
no ip redirects
no ip unreachables
frame-relay interface-dlci 257 IETF
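The configuration above binds ACL 100 inbound on Serial6/0 and Serial6/1, which carry no IP address, while MFR1.1, the bundle subinterface that owns the WAN address, has no access-group; the asker later confirms that applying the list to MFR1.1 is what made the pings stop. As an added example that is not from the thread, this small Python audit parses an IOS config and flags exactly that placement mistake; the sample config and the 192.0.2.1 address are constructed.

```python
import re
# Constructed config, abbreviated from the asker's post: ACL 100 is bound inbound on
# the MFR member links ('no ip address'); MFR1.1, which owns the WAN address, is bare.
SAMPLE_CONFIG = """\
access-list 100 deny icmp any any echo
access-list 100 permit ip any any
interface Serial6/0
 no ip address
 ip access-group 100 in
!
interface Serial6/1
 no ip address
 ip access-group 100 in
!
interface MFR1.1 point-to-point
 ip address 192.0.2.1 255.255.254.0
"""

def parse_interfaces(config):
    """Map interface name -> {'has_ip', 'acl_in', 'acl_out'}."""
    ifaces, cur = {}, None
    for line in config.splitlines():
        if line.startswith("!"):  # '!' closes the current section
            cur = None
        m = re.match(r"interface (\S+)", line)
        if m:
            cur = ifaces.setdefault(m.group(1), {"has_ip": False, "acl_in": None, "acl_out": None})
            continue
        if cur is None:
            continue
        s = line.strip()
        if re.match(r"ip address \S+ \S+", s):
            cur["has_ip"] = True
        m = re.match(r"ip access-group (\S+) (in|out)", s)
        if m:
            cur["acl_" + m.group(2)] = m.group(1)
    return ifaces

def find_acl_misplacements(config):
    """Flag an ACL bound where no IP address exists (it filters nothing; the IP packets are
    processed on the bundle subinterface) and any addressed interface with no inbound ACL."""
    findings = []
    for name, i in sorted(parse_interfaces(config).items()):
        bound = i["acl_in"] or i["acl_out"]
        if bound and not i["has_ip"]:
            findings.append((name, "acl-on-unaddressed-interface", bound))
        if i["has_ip"] and not i["acl_in"]:
            findings.append((name, "no-inbound-acl", None))
    return findings
```

Running it against the sample reports both member links as carrying an ineffective ACL and MFR1.1 as unfiltered; moving the `ip access-group 100 in` line to MFR1.1 clears every finding.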
ASKER CERTIFIED SOLUTION
ASKER
Ahhh! Gotcha. I only had to apply it to MFR1.1 and it works perfectly now.
What is the URL to the IOS image I should use?
Also, what are the commands to configure SSH once I upgrade the router?
Thanks for your time!!
The image you want is c3660-jk9s-mz.124-12.bin. However, that requires 64MB of flash and you only have 32 at the moment. Or you could back down to 12.3 and use c3660-jk9s-mz.123-22.bin, which only needs 32MB.
Start here to find what you want:
http://www.cisco.com/kobayashi/sw-center/sw-ios.shtml
ASKER
Thank you very much!
I really appreciate your help. :)
you're welcome!
In answer to your question about turning on ssh, all you do is make sure you have a domain name and then create the key:
ip domain-name domain.com
crypto key gen rsa
You do need to upgrade your router software for ssh. The correct image will have a "k" in it.