Unable to block a request from Cisco router 5110

Unanswered Question
May 6th, 2007

Hi

We have 5 Cisco routers in our company's network: 2 × 1601, 2 × 2110 and 1 ASA 5110. The 5110 is in communication with one of the 1610 routers, and that 1610 router is directly connected to our ISA server. When I check the ISA server, I always see the 5110 trying to send something from port 1478 to the IP address 255.255.255.255. At first I thought it was referring to a subnet mask, but I figured out it is an IP address. I tried to block the IP address from the 1610 router, but the router doesn't block IP addresses that start with a number higher than 224.

Does anyone know any solution for this?

Thanks

b.hsu Fri, 05/11/2007 - 05:52

There are circumstances in which you want to control which broadcast packets and which protocols are forwarded. You do this with helper addresses and the forward-protocol commands. The ip helper-address interface subcommand tells the router to forward UDP broadcasts, including BootP, received on the interface. You remove the list with no ip helper-address. If you do not specify a helper address command, the router will not forward UDP broadcasts. The no version disables the forwarding of broadcast packets to specific addresses.

Richard Burts Fri, 05/11/2007 - 07:09

Tolga

If you want to block broadcast traffic from the ASA you can do that by including this in your access list:

deny ip host host 255.255.255.255

This will block all broadcast traffic with a source address of the ASA address.

HTH

Rick

tolgatanriverdi Sun, 05/13/2007 - 21:34

Am I going to include this in my ASA's access list or in the router that the ASA sends the broadcast to?

tolgatanriverdi Fri, 05/18/2007 - 04:32

I added the line like this, but nothing happened:

access-list 103 deny ip host 192.168.1.10 host 255.255.255.255

It is still broadcasting, and the router is routing them.

Richard Burts Fri, 05/18/2007 - 08:10

Tolga

The syntax looks correct. If it is not blocking the broadcast then we need to check a few things:

- can you verify that 192.168.1.10 is the source address in the broadcast packets?

- can you post the specifics of how you assign the access list to the interface and which interface it is assigned to?

- can you tell us what VLAN, subnet, and interface is the 5110 connected to and what VLAN, subnet, and interface the server is assigned to?

HTH

Rick

tolgatanriverdi Sun, 05/20/2007 - 22:34

Is it possible to add an access-list rule to a specific interface? I thought they were global.

So while I was in configure terminal mode I wrote:

access-list 103 deny ip host 192.168.1.10 host 255.255.255.255

Can I make it in different ways?

And yes, I'm sure it's coming from that IP address, but the trick is this:

192.168.1.10 is the IP of my ASA router. 192.168.1.135 sends a broadcast to 192.168.1.10, and 192.168.1.10 sends this broadcast to the actual router with IP address 10.0.0.4. There is a Microsoft ISA server behind 10.0.0.4, and when I looked at it, it says 192.168.1.10 sends a broadcast packet.

I want to prevent those packets from coming to the actual router (10.0.0.4).

Thanks

Richard Burts Mon, 05/21/2007 - 03:22

Tolga

It certainly is possible to add an access list rule to a specific interface. You create the access list in global configuration and then you use interface configuration to assign the access list to the interface using ip access-group command. So in global configuration you could create access list 103 and in interface configuration you assign it to one interface. Then in global configuration you could create access list 105 and in interface configuration you could assign access list 105 to another interface. So each interface can have a unique access list.

It is very unusual for an ASA to receive a broadcast from one host and to forward that broadcast. Can you tell us what kind of IP packet this is?

I repeat some of the questions from my previous post. If you provide this information it may help us figure out better what is going on:

- can you post the specifics of how you assign the access list to the interface and which interface it is assigned to?

- can you tell us what VLAN, subnet, and interface is the 5110 connected to and what VLAN, subnet, and interface the server is assigned to?

HTH

Rick
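Rick's description of creating the list globally and binding it per interface, written out as one IOS configuration. This is an added example, not configuration posted in the thread; the interface name Ethernet0 is an assumption and must be replaced with the 1610's interface that faces the ASA. Note that a numbered ACL ends in an implicit deny, so without the trailing permit the list would block all traffic on that interface, not just the broadcast.

```cisco
! Global configuration: define the list. The deny line matches the
! broadcast seen on the ISA server (source 192.168.1.10, destination
! 255.255.255.255). "log" records each match so the drop can be verified.
access-list 103 deny ip host 192.168.1.10 host 255.255.255.255 log
! Required: without this, the implicit deny at the end of the ACL
! blocks every other packet arriving on the interface.
access-list 103 permit ip any any

! Interface configuration: bind the list inbound on the interface that
! receives traffic from the ASA. Ethernet0 is an assumed name.
interface Ethernet0
 ip access-group 103 in

! Verification (exec mode): the deny entry's match counter should
! increase while the broadcasts are being sent.
show access-lists 103
```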
