Solved

How to block icmp messages with a cisco router

Posted on 2011-03-17
3
965 Views
Last Modified: 2012-05-11
We have some hosts or a host that seems to disconnect all the vpn client on my network.

I took a look at the server logs and here what is shows

22116      11:01:17.531532      MY_IP      DEST_IP      TCP      53025 > pptp [SYN]
Seq=0 Win=8192 Len=0 MSS=1460 WS=2 TSV=4447122 TSER=0

So it seems that some clients seend some icmp destination unreachable on the server. The server somehow close all the connections.

Is it possible to block those icmp send messages with a cisco 800 series.

Like deny icmp all all ? Is it going to work ??

Thanks
0
Comment
Question by:caclement
  • 2
3 Comments
 
LVL 17

Expert Comment

by:Kvistofta
ID: 35163053
What you see in the logs is not icmp-traffic, it is tcp-traffic to your pptp-port (1723). Unless you use pptp-based vpn you can simply block all incoming pptp-traffic.

access-list YOURINBOUNDACL deny tcp any SERVERIP eq 1723.

Best regards
Kvistofta
0
 

Accepted Solution

by:
caclement earned 0 total points
ID: 35191129
My messages dont show all the log and the wireshark packets, but i realy want to block sent icmp packets. I want to allow the PPTP and GRE tunels. Some bugged PPTP clients send some ICMP destination unreachable to remote  poptop and pptp linux server wich i do not own and control. The server close all the connection simultaneously.

I added the following ACL

access-list 101 deny icmp any any

It seems to works.
0
 

Author Closing Comment

by:caclement
ID: 35225383
access-list 101 deny icmp any any Blocks any ICMP sent messages.
0

Featured Post

PRTG Network Monitor: Intuitive Network Monitoring

Network Monitoring is essential to ensure that computer systems and network devices are running. Use PRTG to monitor LANs, servers, websites, applications and devices, bandwidth, virtual environments, remote systems, IoT, and many more. PRTG is easy to set up & use.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Getting hacked is no longer a matter or "if you get hacked" — the 2016 cyber threat landscape is now titled "when you get hacked." When it happens — will you be proactive, or reactive?
I recently attended Cisco Live! in Las Vegas, a conference that boasted over 28,000 techies in attendance, and a week of hands-on learning hosted by a solid partner with which Concerto goes to market.  Every year, Cisco displays cutting-edge technol…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…

810 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question