  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 598

Cisco 831 block WAN ping

I am simply trying to block external pings to this device.  I have tried multiple times without success.  Here is my config.

version 12.3
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
ip subnet-zero
!
ip ips po max-events 100
no ftp-server write-enable
!
interface Ethernet0
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
!
interface Ethernet1
 ip address 173.160.167.10 255.255.255.248
 ip nat outside
 ip virtual-reassembly
 duplex auto
!
interface FastEthernet1
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet2
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet3
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet4
 no ip address
 duplex auto
 speed auto
!
ip classless
ip route 0.0.0.0 0.0.0.0 173.160.167.14
!
no ip http server
no ip http secure-server
ip nat inside source list NAT-Permitted interface Ethernet1 overload
!
!
ip access-list extended NAT-Permitted
 permit ip 192.168.1.0 0.0.0.255 any
 deny   icmp any any
 deny ip any any
!
control-plane
!
!
line con 0
 no modem enable
line aux 0
line vty 0 4
 login
 transport input none
!
scheduler max-task-time 5000
end
Asked by: B1izzard
1 Solution
 
rochey2009 commented:
Hi,

There are a couple of ways of doing this, but it depends on the IOS feature set that you're using. If you have a firewall feature set you could use zone based firewall or CBAC (ip inspect). Otherwise you could set an access-list on the WAN interface.
0
 
memo_tnt commented:
hi

add the following ACL

access-list 111 deny icmp any any administratively-prohibited
access-list 111 deny icmp any any echo
access-list 111 deny icmp any any echo-reply
access-list 111 deny icmp any any packet-too-big
access-list 111 deny icmp any any time-exceeded
access-list 111 deny icmp any any traceroute
access-list 111 deny icmp any any unreachable
access-list 111 permit   ip any any


interface Ethernet1
ip access-group 111 in
0
 
B1izzard (Author) commented:
I tried setting an access-list on the WAN interface from an EE example I saw, but then it didn't let anything in or out of the Cisco.  I tried adding the following to my above config:

access-list 101 deny icmp any any
interface e1
ip access-group 101 in
0
 
memo_tnt commented:
try the one i sent ...
you missed the permit ip any any at the end
0
 
B1izzard (Author) commented:
memo tnt, I posted at the same time so I didn't see yours 2 back.  So I just tried it and it does work, the only problem is that I can't ping from inside > out.  I would like to allow all clients to ping out to the internet if necessary.  How is this done?
0
 
memo_tnt commented:
plz post your current configuration ..
0
 
B1izzard (Author) commented:
version 12.3
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router
!
boot-start-marker
boot-end-marker
!
no aaa new-model
ip subnet-zero
!
ip inspect name outside icmp
ip ips po max-events 100
no ftp-server write-enable
!
interface Ethernet0
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
!
interface Ethernet1
 ip address 173.160.167.10 255.255.255.248
 ip access-group 111 in
 ip nat outside
 ip virtual-reassembly
 duplex auto
!
interface FastEthernet1
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet2
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet3
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet4
 no ip address
 duplex auto
 speed auto
!
ip classless
ip route 0.0.0.0 0.0.0.0 173.160.167.14
!
no ip http server
no ip http secure-server
ip nat inside source list NAT-Permitted interface Ethernet1 overload
ip nat inside source static tcp 192.168.1.4 3389 173.160.167.10 3389 extendable
!
!
ip access-list extended NAT-Permitted
 permit ip 192.168.1.0 0.0.0.255 any
 deny   icmp any any
 deny   ip any any
access-list 111 deny   icmp any any administratively-prohibited
access-list 111 deny   icmp any any echo
access-list 111 deny   icmp any any echo-reply
access-list 111 deny   icmp any any unreachable
access-list 111 deny   icmp any any packet-too-big
access-list 111 deny   icmp any any time-exceeded
access-list 111 deny   icmp any any traceroute
access-list 111 permit ip any any
!
control-plane
!
!
line con 0
 no modem enable
line aux 0
line vty 0 4
 password *********
 login
 transport input none
!
scheduler max-task-time 5000
end
0
 
memo_tnt commented:
remove the following from ip access-list extended NAT-Permitted
as:


no ip access-list extended NAT-Permitted

then
ip access-list extended NAT-Permitted
 permit ip 192.168.1.0 0.0.0.255 any

it will solve the issue
0
 
B1izzard (Author) commented:
I took it out and added it back, but still same issue.  Windows XP client gets 'Request timed out' when pinging 4.2.2.2.  
0
 
memo_tnt commented:
hi

use this one

access-list 111 deny   icmp any any echo
access-list 111 permit  icmp any any
access-list 111 permit  ip any any

interface Ethernet1

 ip access-group 111 in

Best Regards
0
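The reason the earlier ACLs broke things and this one works is first-match, stateless filtering with an implicit deny at the end. Applied inbound on Ethernet1, `access-list 101 deny icmp any any` alone denies every non-ICMP packet too (nothing matches a permit, so the implicit deny takes it), and the first ACL 111 drops the echo-replies and time-exceeded messages that come back to inside hosts, which is why pings to 4.2.2.2 timed out while TCP kept working. The final ACL only refuses inbound echo requests and lets the reply types through. The following is an added example, not code from the thread or from Cisco: a small Python model of IOS numbered-ACL semantics that parses the three ACLs posted above verbatim and evaluates constructed inbound packets against them. The packet set, the `ICMP_KEYWORDS` type/code table (RFC 792 values behind the Cisco keywords) and all function names are this example's own assumptions, and only the `any any` rule form used in the thread is parsed. It is a stateless model: CBAC (`ip inspect`), which the second posted config defines with `ip inspect name outside icmp` but never applies to an interface with `ip inspect outside out`, is not represented.

```python
"""Stateless first-match model of the Cisco IOS numbered ACL lines used in the
thread. Constructed teaching code, not the thread's or IOS itself: rules are
tested top to bottom, first match wins, unmatched traffic hits the implicit deny."""
from dataclasses import dataclass
from typing import Optional, Tuple

# (type, code) behind the named ICMP keywords in the thread; None = any code.
ICMP_KEYWORDS = {
    "echo": (8, None),
    "echo-reply": (0, None),
    "unreachable": (3, None),
    "administratively-prohibited": (3, 13),
    "packet-too-big": (3, 4),
    "time-exceeded": (11, None),
    "traceroute": (30, None),
}

@dataclass(frozen=True)
class Packet:
    proto: str                       # "icmp", "tcp" or "udp"
    icmp_type: Optional[int] = None
    icmp_code: Optional[int] = None

@dataclass(frozen=True)
class Rule:
    action: str                      # "permit" or "deny"
    proto: str                       # "ip" matches every protocol
    icmp: Optional[Tuple[int, Optional[int]]] = None   # (type, code) filter

    def matches(self, pkt: Packet) -> bool:
        if self.proto != "ip" and self.proto != pkt.proto:
            return False
        if self.icmp is not None:
            want_type, want_code = self.icmp
            if pkt.icmp_type != want_type:
                return False
            if want_code is not None and pkt.icmp_code != want_code:
                return False
        return True

def parse_acl(lines):
    """Parse 'access-list N {permit|deny} PROTO any any [ICMP-KEYWORD]' lines.
    Only the 'any any' source/destination form used in the thread is handled."""
    rules = []
    for line in lines:
        parts = line.split()
        if len(parts) not in (6, 7) or parts[0] != "access-list" or parts[4:6] != ["any", "any"]:
            raise ValueError(f"unsupported ACL line: {line!r}")
        action, proto = parts[2], parts[3]
        if action not in ("permit", "deny"):
            raise ValueError(f"bad action in: {line!r}")
        icmp = ICMP_KEYWORDS[parts[6]] if len(parts) == 7 else None
        rules.append(Rule(action, proto, icmp))
    return rules

def evaluate(rules, pkt: Packet) -> str:
    """First matching rule decides; no match means the implicit deny."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return "deny"

# The three ACLs posted in the thread, verbatim.
ACL_101 = ["access-list 101 deny icmp any any"]
ACL_111_FIRST = [
    "access-list 111 deny icmp any any administratively-prohibited",
    "access-list 111 deny icmp any any echo",
    "access-list 111 deny icmp any any echo-reply",
    "access-list 111 deny icmp any any packet-too-big",
    "access-list 111 deny icmp any any time-exceeded",
    "access-list 111 deny icmp any any traceroute",
    "access-list 111 deny icmp any any unreachable",
    "access-list 111 permit ip any any",
]
ACL_111_FINAL = [
    "access-list 111 deny icmp any any echo",
    "access-list 111 permit icmp any any",
    "access-list 111 permit ip any any",
]

# Constructed packets arriving inbound on the WAN interface (Ethernet1),
# the only direction the thread applies the ACL in.
INBOUND = {
    "external ping request": Packet("icmp", 8, 0),
    "reply to an inside host's ping": Packet("icmp", 0, 0),
    "TTL exceeded (inside host's traceroute)": Packet("icmp", 11, 0),
    "return TCP segment for a NAT session": Packet("tcp"),
}

def inbound_decisions(acl_lines):
    """Map each constructed inbound packet to permit/deny under the given ACL."""
    rules = parse_acl(acl_lines)
    return {name: evaluate(rules, pkt) for name, pkt in INBOUND.items()}

if __name__ == "__main__":
    for label, acl in (("101", ACL_101), ("111 first", ACL_111_FIRST), ("111 final", ACL_111_FINAL)):
        print(f"ACL {label}:")
        for name, verdict in inbound_decisions(acl).items():
            print(f"  {verdict:6} {name}")
```

Running it shows ACL 101 denying all four packets (including the TCP return segment, the "nothing in or out" symptom), the first ACL 111 denying the echo-reply and time-exceeded packets while passing TCP (outbound ping times out, everything else works), and the final ACL denying only the external echo request. The model is deliberately stateless, so it also illustrates why a stateful inspection feature such as the CBAC rochey2009 mentioned is the cleaner answer: it admits only the replies that belong to a session an inside host opened, rather than all non-echo ICMP from anywhere.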
 
memo_tnt commented:
Hi B1izzard

is it solved here ??


0
 
B1izzard (Author) commented:
Yes, that worked.  I have no idea why, but I will have to read up on this.  Thanks!
0
