Deny ICMP to Edge Router

Unanswered Question
Jan 19th, 2008

I am looking for an ACL I can put on my edge router to deny ICMP and telnet to my WAN port. The network has an internal firewall that is protecting the network, but I think I should also deny access to my router from the outside. Thanks in advance.

Collin Clark Mon, 01/21/2008 - 09:52

Along with Jorge's link, here's an ACL that conforms to DIACAP certification.

ip access-list extended [ACL Name]
 remark Allow BGP
 permit tcp host [BGP Neighbor] eq bgp host [Local BGP Interface]
 permit tcp host [BGP Neighbor] host [Local BGP Interface] eq bgp
 remark Deny Historical Broadcast
 deny ip 0.0.0.0 0.255.255.255 any log
 remark Broadcast
 deny ip host 255.255.255.255 any log
 remark Local Host
 deny ip 127.0.0.0 0.255.255.255 any log
 remark Private Network
 deny ip 10.0.0.0 0.255.255.255 any log
 remark Link Local Networks
 deny ip 169.254.0.0 0.0.255.255 any log
 remark Test Net
 deny ip 192.0.2.0 0.0.0.255 any log
 remark Private Network
 deny ip 192.168.0.0 0.0.255.255 any log
 remark Class D Reserved
 deny ip 224.0.0.0 15.255.255.255 any log
 remark Class E Reserved
 deny ip 240.0.0.0 15.255.255.255 any log
 remark Private Network
 deny ip 172.16.0.0 0.15.255.255 any log
 remark HP Printer Default IP Address
 deny ip 192.0.0.0 0.0.0.255 any log
 remark IANA NS Lab
 deny ip 192.0.127.0 0.0.0.255 any log
 remark IANA Reserved
 deny ip 192.0.0.0 0.0.0.128 any log
 remark Unallocated / IANA Reserved
 deny ip 1.0.0.0 0.255.255.255 any log
 deny ip 2.0.0.0 0.255.255.255 any log
 deny ip 5.0.0.0 0.255.255.255 any log
 deny ip 7.0.0.0 0.255.255.255 any log
 deny ip 23.0.0.0 0.255.255.255 any log
 deny ip 27.0.0.0 0.255.255.255 any log
 deny ip 31.0.0.0 0.255.255.255 any log
 deny ip 36.0.0.0 0.255.255.255 any log
 deny ip 37.0.0.0 0.255.255.255 any log
 deny ip 39.0.0.0 0.255.255.255 any log
 deny ip 42.0.0.0 0.255.255.255 any log
 deny ip 77.0.0.0 0.255.255.255 any log
 deny ip 78.0.0.0 0.255.255.255 any log
 deny ip 79.0.0.0 0.255.255.255 any log
 deny ip 92.0.0.0 0.255.255.255 any log
 deny ip 180.0.0.0 0.255.255.255 any log
 deny ip 197.0.0.0 0.255.255.255 any log
 deny ip 255.0.0.0 0.255.255.255 any log
 remark Inbound from Own Subnet
 deny ip [Your Public Address Space] any log
 remark Block Traceroute
 deny ip any any option traceroute log
 deny tcp any any eq 27665 log
 deny udp any any eq 31335 log
 deny udp any any eq 27444 log
 deny udp any any eq 31337 log
 deny udp any any eq 31338 log
 deny tcp any any eq 16660 log
 deny tcp any any eq 65000 log
 deny tcp any any eq 33270 log
 deny tcp any any eq 39168 log
 deny tcp any any eq 47017 log
 deny tcp any any range 6711 6712 log
 deny tcp any any eq 6776 log
 deny tcp any any eq 6669 log
 deny tcp any any eq 2222 log
 deny tcp any any eq 7000 log
 deny tcp any any eq 65301 log
 remark Allow Specific ICMP
 permit icmp any host [Local Host for ICMP] echo
 permit icmp any any echo-reply
 permit icmp any any unreachable
 permit icmp any any time-exceeded
 remark Deny all other ICMP
 deny icmp any any log
 remark Allow Traffic to Public Network
 permit ip any [Your Public Address Space]
 remark Deny all other Traffic
 deny ip any any log

This does change occasionally; the most recent version is always at

http://kb.packetpros.com/?View=entry&EntryID=10

HTH
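The two cases from the question, ICMP and telnet aimed at the router's own WAN address, can be traced through an ACL like this by hand, but a small first-match evaluator makes the logic explicit and catches ordering mistakes. The following is an added example, not code from the post or from the packetpros template; it handles only the subset of extended-ACL syntax the posted ACL uses and fills the bracketed placeholders with constructed values (BGP neighbour 203.0.113.1, local WAN address 203.0.113.2, ICMP-reachable host 198.51.100.10, public space 198.51.100.0/24).

```python
# Added example, not code from the thread: a first-match evaluator for the
# extended-ACL syntax the posted ACL uses, run against constructed packets.
# Every address below is a constructed stand-in for a bracketed placeholder.
import ipaddress

_port = lambda t: int({"bgp": 179, "telnet": 23}.get(t, t))  # names IOS accepts

def _ip(s):
    return int(ipaddress.ip_address(s))

def _addr(tok, i, ip):                 # match the address spec at tok[i]
    if tok[i] == "any":
        return True, i + 1
    if tok[i] == "host":
        return ip == _ip(tok[i + 1]), i + 2
    care = 0xFFFFFFFF ^ _ip(tok[i + 1])   # wildcard 1-bits are "don't care"
    return (ip & care) == (_ip(tok[i]) & care), i + 2

def evaluate(acl, pkt):
    """Action of the first entry matching pkt; implicit deny if none matches."""
    src, dst = _ip(pkt["src"]), _ip(pkt["dst"])
    for line in acl.splitlines():
        tok = line.split()
        if tok[:1] not in (["permit"], ["deny"]) or tok[1] not in ("ip", pkt["proto"]):
            continue                      # remark, header, or other protocol
        action = tok[0]
        ok, i = _addr(tok, 2, src)
        if tok[i] == "eq":                # source port, as on the first BGP line
            ok, i = ok and pkt.get("sport") == _port(tok[i + 1]), i + 2
        hit, i = _addr(tok, i, dst)
        rest = [t for t in tok[i:] if t != "log"]   # dest port or ICMP type
        if rest[:1] == ["eq"]:
            ok = ok and pkt.get("dport") == _port(rest[1])
        elif rest:
            ok = ok and pkt.get("type") == rest[0]
        if ok and hit:
            return action
    return "deny"

# Condensed from the posted ACL, with constructed values in place of its placeholders.
EDGE_ACL = """\
permit tcp host 203.0.113.1 eq bgp host 203.0.113.2
permit tcp host 203.0.113.1 host 203.0.113.2 eq bgp
deny ip 10.0.0.0 0.255.255.255 any log
permit icmp any host 198.51.100.10 echo
permit icmp any any echo-reply
deny icmp any any log
permit ip any 198.51.100.0 0.0.0.255
deny ip any any log
"""
```

A ping or telnet from outside to 203.0.113.2 falls through every permit and lands on the final deny, which is exactly what the question asked for. Note that the "Unallocated / IANA Reserved" /8 entries reflect 2008 allocations; most of those blocks have since been assigned, so a bogon list must be refreshed from IANA rather than copied from an old template.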
