Unable to block a request from cisco router 5110

Unanswered Question
May 6th, 2007
Hi

We have 5 Cisco routers in our company's network: 2 1601s, 2 2110s and 1 ASA 5110 router. The 5110 router is in communication with one of the 1610 routers, and that 1610 router is directly connected to our ISA server. When I check the ISA server I always see that the 5110 router is trying to send something from port 1478 to the IP address 255.255.255.255. First I thought it was referring to a subnet mask, but I figured out it is an IP address. I tried to block the IP address from the 1610 router, but the router doesn't block IP addresses that start with a value higher than 224.

Does anyone know any solution for this?

Thanks

b.hsu Fri, 05/11/2007 - 05:52

There are circumstances in which you want to control which broadcast packets and which protocols are forwarded. You do this with helper addresses and the forward-protocol commands. The ip helper-address interface subcommand tells the router to forward UDP broadcasts, including BootP, received on the interface. You remove the list with no ip helper-address. If you do not specify a helper address command, the router will not forward UDP broadcasts. The no version disables the forwarding of broadcast packets to specific addresses.


Richard Burts Fri, 05/11/2007 - 07:09

Tolga


If you want to block broadcast traffic from the ASA you can do that by including this in your access list:

deny ip host <asa-address> host 255.255.255.255

This will block all broadcast traffic with a source address of the ASA address.


HTH


Rick

tolgatanriverdi Sun, 05/13/2007 - 21:34
Am I going to include this in my ASA's access list or in the router that the ASA sends the broadcast to?

Richard Burts Mon, 05/14/2007 - 08:56

Tolga


You would include this in the access list on the router.


HTH


Rick

tolgatanriverdi Fri, 05/18/2007 - 04:32
I added the line like this, but nothing happened:


access-list 103 deny ip host 192.168.1.10 host 255.255.255.255


It is still broadcasting and the router is routing them.

Richard Burts Fri, 05/18/2007 - 08:10

Tolga


The syntax looks correct. If it is not blocking the broadcast then we need to check a few things:

- can you verify that 192.168.1.10 is the source address in the broadcast packets?

- can you post the specifics of how you assign the access list to the interface and which interface it is assigned to?

- can you tell us what VLAN, subnet, and interface the 5110 is connected to, and what VLAN, subnet, and interface the server is assigned to?


HTH


Rick

tolgatanriverdi Sun, 05/20/2007 - 22:34
Is it possible to add an access-list rule to a specific interface? I thought they were global.

So while I was in configure terminal mode I wrote:

access-list 103 deny ip host 192.168.1.10 host 255.255.255.255


Can I do it in a different way?

And yes, I'm sure it's coming from that IP address, but the trick is this:

192.168.1.10 is the IP of my ASA router. 192.168.1.135 sends a broadcast to 192.168.1.10, and 192.168.1.10 sends this broadcast to the actual router with IP address 10.0.0.4. There is a Microsoft ISA server behind 10.0.0.4, and when I looked at it, it says 192.168.1.10 sends a broadcast packet.

I want to prevent those packets from reaching the actual router (10.0.0.4).


Thanks

Richard Burts Mon, 05/21/2007 - 03:22

Tolga


It certainly is possible to add an access list rule to a specific interface. You create the access list in global configuration and then you use interface configuration to assign the access list to the interface using ip access-group command. So in global configuration you could create access list 103 and in interface configuration you assign it to one interface. Then in global configuration you could create access list 105 and in interface configuration you could assign access list 105 to another interface. So each interface can have a unique access list.


It is very unusual for an ASA to receive a broadcast from one host and to forward that broadcast. Can you tell us what kind of IP packet this is?


I repeat some of the questions from my previous post. If you provide this information it may help us figure out better what is going on:

- can you post the specifics of how you assign the access list to the interface and which interface it is assigned to?

- can you tell us what VLAN, subnet, and interface the 5110 is connected to, and what VLAN, subnet, and interface the server is assigned to?


HTH


Rick
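Putting Rick's two answers (the deny entry, and binding the list to an interface with ip access-group) and b.hsu's point about helper addresses together, the router-side configuration looks like the following in Cisco IOS. This is an added example and not configuration posted by anyone in the thread. The ASA address 192.168.1.10 and the 255.255.255.255 destination come from the thread; the interface name FastEthernet0/0, its address 192.168.1.1, and the use of the log keyword are assumptions made for the example.

```cisco
! Added example (not from the thread). Interface name and router address are assumed.
!
! 1. Build the list in global configuration. Numbered lists 100-199 are
!    extended ACLs, so 103 can match on both source and destination.
!    "log" makes each denied packet produce a syslog line, which is the
!    easiest way to confirm the entry is actually being hit.
access-list 103 deny   ip host 192.168.1.10 host 255.255.255.255 log
access-list 103 permit ip any any
!
! Every IOS ACL ends with an implicit "deny any". Without the explicit
! "permit ip any any" above, applying the list would drop all other
! traffic arriving on the interface, not just the broadcast.
!
! 2. Bind the list to the interface that receives packets from the ASA.
!    "in" filters packets as they arrive, before the router decides
!    whether to forward or relay them. A list that exists only in global
!    configuration (step 1 alone) filters nothing, which is why adding
!    the access-list line by itself had no visible effect.
interface FastEthernet0/0
 description Link to ASA 192.168.1.10 (assumed interface)
 ip address 192.168.1.1 255.255.255.0
 ip access-group 103 in
exit
!
! 3. Verify the binding and watch the deny counter increase while the
!    ASA is sending. A counter that stays at zero means the packets are
!    not entering on this interface, or not with the expected source.
show ip interface FastEthernet0/0 | include access list
show access-lists 103
!
! 4. Check whether the router is relaying the broadcast as b.hsu
!    describes: a helper address on this interface (with a matching
!    ip forward-protocol udp entry) is what would turn a limited
!    broadcast into a unicast toward another network such as 10.0.0.4.
show running-config interface FastEthernet0/0 | include helper
show running-config | include forward-protocol
```

The order matters for the check in step 3: inbound ACL processing happens before helper-address relaying, so once the deny entry is bound inbound on the ASA-facing interface, a matching broadcast is dropped before it can be relayed. If the counter does increment but 10.0.0.4 still sees the packets, they are reaching it by a path other than this interface, which is exactly the VLAN and interface detail Rick asks for above.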
