B1izzard

asked:

Cisco 831 block WAN ping

I am simply trying to block external pings to this device.  I have tried multiple times without success.  Here is my config.

version 12.3
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
ip subnet-zero
!
ip ips po max-events 100
no ftp-server write-enable
!
interface Ethernet0
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
!
interface Ethernet1
 ip address 173.160.167.10 255.255.255.248
 ip nat outside
 ip virtual-reassembly
 duplex auto
!
interface FastEthernet1
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet2
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet3
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet4
 no ip address
 duplex auto
 speed auto
!
ip classless
ip route 0.0.0.0 0.0.0.0 173.160.167.14
!
no ip http server
no ip http secure-server
ip nat inside source list NAT-Permitted interface Ethernet1 overload
!
!
ip access-list extended NAT-Permitted
 permit ip 192.168.1.0 0.0.0.255 any
 deny   icmp any any
 deny ip any any
!
control-plane
!
!
line con 0
 no modem enable
line aux 0
line vty 0 4
  login
 transport input none
!
scheduler max-task-time 5000
end
rochey2009

Hi,

There are a couple of ways of doing this, but it depends on the IOS feature set that you're using. If you have a firewall feature set, you could use a zone-based firewall or CBAC (ip inspect). Otherwise, you could set an access-list on the WAN interface.

hi

add the following ACL

access-list 111 deny icmp any any administratively-prohibited
access-list 111 deny icmp any any echo
access-list 111 deny icmp any any echo-reply
access-list 111 deny icmp any any packet-too-big
access-list 111 deny icmp any any time-exceeded
access-list 111 deny icmp any any traceroute
access-list 111 deny icmp any any unreachable
access-list 111 permit   ip any any


interface Ethernet1
ip access-group 111 in
B1izzard (ASKER)
I tried setting an access-list on the WAN interface from an EE example I saw, but then it didn't let anything in or out of the Cisco.  I tried adding the following to my above config:

access-list 101 deny icmp any any
interface e1
ip access-group 101 in
try the one I sent ...

you missed the permit ip any any at the end

memo_tnt, I posted at the same time so I didn't see yours 2 back.  So I just tried it and it does work, the only problem is that I can't ping from inside > out.  I would like to allow all clients to ping out to the internet if necessary.  How is this done?

please post your current configuration ..
version 12.3
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router
!
boot-start-marker
boot-end-marker
!
no aaa new-model
ip subnet-zero
!
ip inspect name outside icmp
ip ips po max-events 100
no ftp-server write-enable
!
interface Ethernet0
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
!
interface Ethernet1
 ip address 173.160.167.10 255.255.255.248
 ip access-group 111 in
 ip nat outside
 ip virtual-reassembly
 duplex auto
!
interface FastEthernet1
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet2
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet3
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet4
 no ip address
 duplex auto
 speed auto
!
ip classless
ip route 0.0.0.0 0.0.0.0 173.160.167.14
!
no ip http server
no ip http secure-server
ip nat inside source list NAT-Permitted interface Ethernet1 overload
ip nat inside source static tcp 192.168.1.4 3389 173.160.167.10 3389 extendable
!
!
ip access-list extended NAT-Permitted
 permit ip 192.168.1.0 0.0.0.255 any
 deny   icmp any any
 deny   ip any any
access-list 111 deny   icmp any any administratively-prohibited
access-list 111 deny   icmp any any echo
access-list 111 deny   icmp any any echo-reply
access-list 111 deny   icmp any any unreachable
access-list 111 deny   icmp any any packet-too-big
access-list 111 deny   icmp any any time-exceeded
access-list 111 deny   icmp any any traceroute
access-list 111 permit ip any any
!
control-plane
!
!
line con 0
 no modem enable
line aux 0
line vty 0 4
 password *********
 login
 transport input none
!
scheduler max-task-time 5000
end
remove the following from ip access-list extended NAT-Permitted, as follows:

no ip access-list extended NAT-Permitted

then

ip access-list extended NAT-Permitted
 permit ip 192.168.1.0 0.0.0.255 any

it will solve the issue
I took it out and added it back, but still same issue.  Windows XP client gets 'Request timed out' when pinging 4.2.2.2.  
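The two behaviours discussed in this thread can be seen side by side in a small model. The following is an added illustration, not code from the thread, from any of the posters, or from Cisco: it walks access-list 111 the way IOS walks an extended ACL applied inbound on Ethernet1 (first match wins, implicit deny at the end), shows why the asker's first attempt with access-list 101 let nothing in, why access-list 111 stops pings from the Internet but also drops the echo-replies to pings sent from the LAN, and contrasts that with a deliberately simplified model of the stateful ICMP inspection rochey2009 mentions (the `ip inspect name outside icmp` line in the second config defines it but applies it to no interface). The `IcmpInspector` class is an assumption about CBAC behaviour, not Cisco's implementation; the address 203.0.113.5 and the packet samples are constructed, 4.2.2.2 and 173.160.167.10 come from the thread.

```python
"""Stateless ACL evaluation vs. a simplified stateful ICMP inspector.

Added example, not from the thread or from Cisco. Models how IOS walks
an extended ACL applied 'in' on the WAN interface and contrasts it with
a minimal (assumed) model of 'ip inspect ... icmp'.
"""
from dataclasses import dataclass
from typing import Optional

# IOS ICMP keywords used in the thread, as (type, code); None = any code.
ICMP_KEYWORDS = {
    "echo": (8, None),
    "echo-reply": (0, None),
    "unreachable": (3, None),
    "packet-too-big": (3, 4),
    "administratively-prohibited": (3, 13),
    "time-exceeded": (11, None),
    "traceroute": (30, None),
}


@dataclass(frozen=True)
class Packet:
    proto: str            # "icmp", "tcp" or "udp"
    src: str
    dst: str
    icmp_type: int = 0
    icmp_code: int = 0


@dataclass(frozen=True)
class AclEntry:
    action: str           # "permit" or "deny"
    proto: str            # "icmp" or "ip"
    icmp_keyword: Optional[str] = None

    def matches(self, pkt: Packet) -> bool:
        if self.proto != "ip" and self.proto != pkt.proto:
            return False
        if self.icmp_keyword is None:
            return True
        t, c = ICMP_KEYWORDS[self.icmp_keyword]
        return pkt.icmp_type == t and (c is None or pkt.icmp_code == c)


def parse_acl(text: str, number: int) -> list:
    """Parse 'access-list N permit|deny PROTO any any [KEYWORD]' lines.
    Only the 'any any' form used in the thread is supported."""
    entries = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 6 or parts[:2] != ["access-list", str(number)]:
            continue
        keyword = parts[6] if len(parts) > 6 else None
        entries.append(AclEntry(parts[2], parts[3], keyword))
    return entries


def evaluate(acl: list, pkt: Packet) -> str:
    """Stateless: first matching entry wins, otherwise the implicit deny."""
    for entry in acl:
        if entry.matches(pkt):
            return entry.action
    return "deny"


class IcmpInspector:
    """Assumed, simplified CBAC model: an echo request leaving the WAN
    interface opens a session, and ICMP returning for that session is
    admitted before the inbound ACL is consulted. Real IOS also tracks the
    ICMP identifier and ages sessions out; that is omitted here."""

    def __init__(self):
        self.sessions = set()

    def outbound(self, pkt: Packet) -> None:
        if pkt.proto == "icmp" and pkt.icmp_type == 8:
            self.sessions.add((pkt.src, pkt.dst))

    def inbound(self, acl: list, pkt: Packet) -> str:
        if pkt.proto == "icmp" and (pkt.dst, pkt.src) in self.sessions:
            return "permit"
        return evaluate(acl, pkt)


# The ACL memo_tnt posted, copied from the thread.
ACL_111 = """
access-list 111 deny icmp any any administratively-prohibited
access-list 111 deny icmp any any echo
access-list 111 deny icmp any any echo-reply
access-list 111 deny icmp any any packet-too-big
access-list 111 deny icmp any any time-exceeded
access-list 111 deny icmp any any traceroute
access-list 111 deny icmp any any unreachable
access-list 111 permit ip any any
"""
# The asker's first attempt: a deny with no permit after it.
ACL_101 = "access-list 101 deny icmp any any"

WAN = "173.160.167.10"   # Ethernet1 address from the thread
# Constructed sample packets, as they arrive on Ethernet1 (203.0.113.5 is made up).
SAMPLES = {
    "ping_from_internet": Packet("icmp", "203.0.113.5", WAN, 8, 0),
    "reply_to_lan_ping": Packet("icmp", "4.2.2.2", WAN, 0, 0),
    "rdp_to_static_nat": Packet("tcp", "203.0.113.5", WAN),
}


def stateless_results(acl_text: str, number: int) -> dict:
    acl = parse_acl(acl_text, number)
    return {name: evaluate(acl, pkt) for name, pkt in SAMPLES.items()}


def stateful_results() -> dict:
    """Same inbound packets, after the LAN host's NATed ping to 4.2.2.2
    has left via Ethernet1 and been recorded by the inspector."""
    acl = parse_acl(ACL_111, 111)
    insp = IcmpInspector()
    insp.outbound(Packet("icmp", WAN, "4.2.2.2", 8, 0))
    return {name: insp.inbound(acl, pkt) for name, pkt in SAMPLES.items()}


if __name__ == "__main__":
    print("ACL 101 alone:", stateless_results(ACL_101, 101))
    print("ACL 111:      ", stateless_results(ACL_111, 111))
    print("ACL 111+CBAC: ", stateful_results())
```

Running it shows access-list 101 dropping all three packets (no permit, so the implicit deny catches the TCP session too), access-list 111 dropping both the inbound echo and the echo-reply addressed to the router while letting the TCP packet through, and the inspected case admitting only the reply that belongs to a ping the LAN side originated. That last distinction, return traffic of a known session versus unsolicited ICMP, is what a stateless inbound ACL cannot express on its own.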
ASKER CERTIFIED SOLUTION
memo_tnt

This solution is only available to members.
Hi B1izzard

is it solved here?

Yes, that worked.  I have no idea why, but I will have to read up on this.  Thanks!