Solved

How to block icmp messages with a cisco router

Posted on 2011-03-17
3
968 Views
Last Modified: 2012-05-11
We have some hosts or a host that seems to disconnect all the VPN clients on my network.

I took a look at the server logs and here is what it shows:

22116      11:01:17.531532      MY_IP      DEST_IP      TCP      53025 > pptp [SYN]
Seq=0 Win=8192 Len=0 MSS=1460 WS=2 TSV=4447122 TSER=0

So it seems that some clients send some ICMP destination unreachable to the server. The server somehow closes all the connections.

Is it possible to block those ICMP send messages with a Cisco 800 series?

Like deny icmp all all? Is it going to work?

Thanks
Question by:caclement
LVL 17

Expert Comment

by:Kvistofta
ID: 35163053
What you see in the logs is not icmp-traffic, it is tcp-traffic to your pptp-port (1723). Unless you use pptp-based vpn you can simply block all incoming pptp-traffic.

access-list YOURINBOUNDACL deny tcp any host SERVERIP eq 1723

Best regards
Kvistofta
0
 

Accepted Solution

by:
caclement earned 0 total points
ID: 35191129
My messages don't show all the log and the Wireshark packets, but I really want to block sent ICMP packets. I want to allow the PPTP and GRE tunnels. Some bugged PPTP clients send some ICMP destination unreachable to remote Poptop and PPTP Linux server which I do not own and control. The server closes all the connections simultaneously.

I added the following ACL

access-list 101 deny icmp any any

It seems to work.
0
 

Author Closing Comment

by:caclement
ID: 35225383
access-list 101 deny icmp any any blocks any ICMP sent messages.
0
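
The ACL from the accepted solution in a form that can be applied without cutting off the VPN itself, as an added example that is not part of the original thread. The interface name Vlan1 and the choice to filter inbound on the LAN side (where the clients sit) are assumptions.

```cisco
! Added example, not from the thread. Vlan1 is an assumed LAN-side interface
! on an 800-series router; adjust to the actual topology.
!
! As posted, on its own:
!   access-list 101 deny icmp any any
! Every IOS ACL ends with an implicit "deny ip any any". If that line is the
! only entry, applying the list drops PPTP control (TCP 1723) and GRE as well.
!
! Start from an empty list so old entries do not stay ahead of the new ones.
no access-list 101
!
! Drop only destination-unreachable (ICMP type 3) sent by the clients;
! echo and other ICMP types are left alone by this entry.
access-list 101 deny   icmp any any unreachable
!
! Explicit entries for the VPN traffic give per-line hit counters.
access-list 101 permit tcp any any eq 1723
access-list 101 permit gre any any
!
! Everything else passes, replacing the implicit deny.
access-list 101 permit ip any any
!
interface Vlan1
 ip access-group 101 in
!
! Check which entries are matching:
!   show access-lists 101
```

The match counter on the deny line in `show access-lists 101` shows whether clients are actually emitting unreachables.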
