Disable Wan ping

Unanswered Question
Jul 22nd, 2008

Hi,

How do I disable ping from the internet on a Cisco 877? Thanks.

Richard Burts Tue, 07/22/2008 - 08:42

Colin

Is there an access list applied inbound on the interface of the 877 which connects to the Internet? If so, add to that access list a line which says:

deny icmp any any echo-request

This will deny any inbound ping requests from the Internet.

HTH

Rick

Richard Burts Tue, 07/22/2008 - 10:09

Colin

If there are no access lists inbound on dialer 0 then I suggest that you configure this to deny ping from the internet:

access-list 101 deny icmp any any echo-request
access-list 101 permit ip any any
interface dialer 0
 ip access-group 101 in

That will not allow any ping from the Internet and will allow everything else.

HTH

Rick

crmljc1976 Tue, 07/22/2008 - 10:51

Rick,

I've got one NAT rule and access list permitting port 5900, and some other NAT rules and access lists for an internal DVR server (these rules don't work, not sure why). All other traffic should be dropped. Please see rules etc. below.

ip nat inside source list 1 interface Dialer0 overload
ip nat inside source static tcp 192.168.0.5 2000 interface Dialer0 2000
ip nat inside source static udp 192.168.0.5 2000 interface Dialer0 2000
ip nat inside source static tcp 192.168.0.5 2002 interface Dialer0 2002
ip nat inside source static udp 192.168.0.5 2002 interface Dialer0 2002
ip nat inside source static tcp 192.168.0.5 2003 interface Dialer0 2003
ip nat inside source static udp 192.168.0.5 2003 interface Dialer0 2003
ip nat inside source static tcp 192.168.0.5 2006 interface Dialer0 2006
ip nat inside source static udp 192.168.0.5 2006 interface Dialer0 2006
ip nat inside source static tcp 192.168.0.5 3001 interface Dialer0 3001
ip nat inside source static udp 192.168.0.5 3001 interface Dialer0 3001
ip nat inside source static tcp 192.168.0.5 5900 interface Dialer0 5900
ip nat inside source list 2 interface Dialer0 overload
!
access-list 1 permit 192.168.0.0 0.0.0.255
access-list 2 permit 10.0.5.0 0.0.0.255
access-list 101 permit tcp any host 192.168.0.5 eq 5900
access-list 103 permit ip 192.168.0.0 0.0.0.255 10.0.0.0 0.0.255.255
access-list 104 permit tcp any host 192.168.0.5 eq 2000
access-list 104 permit udp any host 192.168.0.5 eq 2000
access-list 105 permit tcp any host 192.168.0.5 eq 2002
access-list 105 permit udp any host 192.168.0.5 eq 2002
access-list 106 permit udp any host 192.168.0.5 eq 2003
access-list 106 permit tcp any host 192.168.0.5 eq 2003
access-list 107 permit tcp any host 192.168.0.5 eq 2006
access-list 107 permit udp any host 192.168.0.5 eq 2006
access-list 108 permit udp any host 192.168.0.5 eq 3001
access-list 108 permit tcp any host 192.168.0.5 eq 3001

Richard Burts Tue, 07/22/2008 - 11:11

Colin

The first post was pretty simple and was about how to deny ping from the Internet. This post is significantly more complex and about something very different. Without seeing the config from the router we would not be able to comment correctly on the access lists or on why the translation rules are not working.

HTH

Rick

Rick Morris Tue, 07/22/2008 - 11:20

As Rick indicated, you posted more info that is not exactly related to the first post.

If you take the config and then apply it to the interface you will deny inbound ICMP.

In order to know for sure you need to post the config for the outside interface you are using, to know what is applied currently. It may just be a few more lines of config added to an already existing ACL.

crmljc1976 Wed, 07/23/2008 - 03:42

Here's the config. The aim is to allow only VNC and the DVR ports (TCP/UDP 2000, 2002, 2003, 2006, 3001) to 192.168.0.5; all other traffic should be dropped. Can you help? Thanks.

Current configuration : 4067 bytes
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router
!
boot-start-marker
boot-end-marker
!
enable secret xxx
!
no aaa new-model
!
!
dot11 syslog
!
dot11 ssid vhwlan
 authentication open
 guest-mode
 wpa-psk ascii 0 s1lv3r2005
!
ip cef
!
!
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
ip name-server 194.74.65.68
ip name-server 194.74.65.69
!
!
!
!
!
!
archive
 log config
  hidekeys
!
!
!
bridge irb
!
!
interface ATM0
 no ip address
 atm ilmi-keepalive
 pvc 0/38
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
 !
 dsl operating-mode auto
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface Dot11Radio0
 no ip address
 !
 ssid vhwlan
 !
 speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
 station-role root
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 spanning-disabled
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
!
interface Vlan1
 ip address 192.168.0.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
!
interface Dialer0
 ip address negotiated
 ip mtu 1492
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 ip tcp adjust-mss 1380
 dialer pool 1
 dialer-group 1
 no cdp enable
 ppp authentication chap callin
 ppp chap hostname xxxxxxx
 ppp chap password 0 xxxxxx
 crypto map ipsec-remoteoffice
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer0
ip route 10.0.5.0 255.255.255.0 192.168.0.2
!
no ip http server
no ip http secure-server
ip dns server
ip nat inside source list 1 interface Dialer0 overload
ip nat inside source static tcp 192.168.0.5 2000 interface Dialer0 2000
ip nat inside source static udp 192.168.0.5 2000 interface Dialer0 2000
ip nat inside source static tcp 192.168.0.5 2002 interface Dialer0 2002
ip nat inside source static udp 192.168.0.5 2002 interface Dialer0 2002
ip nat inside source static tcp 192.168.0.5 2003 interface Dialer0 2003
ip nat inside source static udp 192.168.0.5 2003 interface Dialer0 2003
ip nat inside source static tcp 192.168.0.5 2006 interface Dialer0 2006
ip nat inside source static udp 192.168.0.5 2006 interface Dialer0 2006
ip nat inside source static tcp 192.168.0.5 3001 interface Dialer0 3001
ip nat inside source static udp 192.168.0.5 3001 interface Dialer0 3001
ip nat inside source static tcp 192.168.0.5 5900 interface Dialer0 5900
ip nat inside source list 2 interface Dialer0 overload
ip nat inside source static tcp 192.168.0.2 3389 interface Dialer0 3389
!
access-list 1 permit 192.168.0.0 0.0.0.255
access-list 2 permit 10.0.5.0 0.0.0.255
access-list 101 permit tcp any host 192.168.0.5 eq 5900
access-list 103 permit ip 192.168.0.0 0.0.0.255 10.0.0.0 0.0.255.255
access-list 104 permit tcp any host 192.168.0.5 eq 2000
access-list 104 permit udp any host 192.168.0.5 eq 2000
access-list 105 permit tcp any host 192.168.0.5 eq 2002
access-list 105 permit udp any host 192.168.0.5 eq 2002
access-list 106 permit udp any host 192.168.0.5 eq 2003
access-list 106 permit tcp any host 192.168.0.5 eq 2003
access-list 107 permit tcp any host 192.168.0.5 eq 2006
access-list 107 permit udp any host 192.168.0.5 eq 2006
access-list 108 permit udp any host 192.168.0.5 eq 3001
access-list 108 permit tcp any host 192.168.0.5 eq 3001
access-list 109 permit tcp any host 192.168.0.2 eq 3389
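Added example (not from the thread or from Cisco): a small Python simulation of how IOS evaluates a numbered extended ACL applied "in" on an interface, used to check Rick's deny-ping list from earlier in the thread and the "VNC and DVR ports only" goal from the last post. It models the two IOS behaviours that decide whether such a list works: first match wins with an implicit "deny ip any any" at the end, and, on a NAT-outside interface such as Dialer0, the inbound ACL check runs before the static translation, so the packet the ACL sees still carries the public Dialer0 address rather than 192.168.0.5. The public address 203.0.113.10, the sample packets and list number 110 are constructed for the demonstration (110 avoids appending to any of the lists 101 to 109 already defined in the posted config, since adding a line to an existing numbered list appends it). The "established" line is there so replies to the LAN's own outbound TCP sessions survive the implicit deny; stateful inspection (ip inspect) would be the fuller answer on IOS images that support it.

```python
"""Simulate IOS numbered extended ACL evaluation (added example, not Cisco code)."""
from dataclasses import dataclass
from ipaddress import ip_address
from typing import Optional


@dataclass(frozen=True)
class Packet:
    proto: str                       # "tcp", "udp" or "icmp"
    src: str
    dst: str                         # address as the ACL sees it (pre-NAT on an inbound check)
    dport: Optional[int] = None      # destination port for tcp/udp
    icmp_type: Optional[str] = None  # e.g. "echo-request" or "echo-reply"
    established: bool = False        # TCP segment with ACK or RST set (reply to an outbound session)


@dataclass(frozen=True)
class Ace:
    number: int
    action: str                      # "permit" or "deny"
    proto: str                       # "ip", "tcp", "udp" or "icmp"
    src: tuple                       # (base, wildcard) as integers
    dst: tuple
    dport: Optional[int] = None
    icmp_type: Optional[str] = None
    established: bool = False


def _parse_addr(tokens, i):
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D W.W.W.W' starting at tokens[i]."""
    if tokens[i] == "any":
        return (0, 0xFFFFFFFF), i + 1
    if tokens[i] == "host":
        return (int(ip_address(tokens[i + 1])), 0), i + 2
    return (int(ip_address(tokens[i])), int(ip_address(tokens[i + 1]))), i + 2


def parse_ace(line):
    """Parse 'access-list N action proto src dst [eq port] [icmp-type] [established]'.
    Only the destination-port form used in this thread is handled (a simplification)."""
    t = line.split()
    if t[0] != "access-list":
        raise ValueError(f"not an access-list line: {line!r}")
    number, action, proto = int(t[1]), t[2], t[3]
    src, i = _parse_addr(t, 4)
    dst, i = _parse_addr(t, i)
    dport = icmp_type = None
    established = False
    while i < len(t):
        if t[i] == "eq":
            dport, i = int(t[i + 1]), i + 2
        elif t[i] == "established":
            established, i = True, i + 1
        elif proto == "icmp":
            icmp_type, i = t[i], i + 1
        else:
            raise ValueError(f"unsupported keyword {t[i]!r} in {line!r}")
    return Ace(number, action, proto, src, dst, dport, icmp_type, established)


def _addr_match(spec, addr):
    base, wildcard = spec            # wildcard bit set = "don't care", as on IOS
    return (int(ip_address(addr)) ^ base) & ~wildcard & 0xFFFFFFFF == 0


def ace_matches(ace, pkt):
    if ace.proto != "ip" and ace.proto != pkt.proto:
        return False
    if not (_addr_match(ace.src, pkt.src) and _addr_match(ace.dst, pkt.dst)):
        return False
    if ace.dport is not None and ace.dport != pkt.dport:
        return False
    if ace.icmp_type is not None and ace.icmp_type != pkt.icmp_type:
        return False
    if ace.established and not pkt.established:
        return False
    return True


def evaluate(acl_text, pkt):
    """Return 'permit' or 'deny' for pkt: first matching line wins, implicit deny at the end."""
    for line in acl_text.strip().splitlines():
        ace = parse_ace(line)
        if ace_matches(ace, pkt):
            return ace.action
    return "deny"


# Rick's list from the thread: block inbound pings, allow everything else.
RICK_ACL = """
access-list 101 deny icmp any any echo-request
access-list 101 permit ip any any
"""

# The poster's own list 101 as it would behave inbound on Dialer0 (pre-NAT addresses).
POSTER_ACL = "access-list 101 permit tcp any host 192.168.0.5 eq 5900"

# Constructed list for the stated goal: 'any' destination because the Dialer0 address is
# negotiated, 'established' so replies to the LAN's outbound TCP sessions are not dropped.
DVR_PORTS = (2000, 2002, 2003, 2006, 3001)
GOAL_ACL = "\n".join(
    ["access-list 110 deny icmp any any echo-request",
     "access-list 110 permit tcp any any established",
     "access-list 110 permit tcp any any eq 5900"]
    + [f"access-list 110 permit {p} any any eq {port}" for port in DVR_PORTS for p in ("tcp", "udp")]
)

PUBLIC = "203.0.113.10"   # constructed stand-in for the negotiated Dialer0 address


def demo():
    """Evaluate constructed sample packets against the three lists."""
    src = "198.51.100.7"
    ping = Packet("icmp", src, PUBLIC, icmp_type="echo-request")
    ping_reply = Packet("icmp", src, PUBLIC, icmp_type="echo-reply")
    vnc = Packet("tcp", src, PUBLIC, dport=5900)
    dvr = Packet("udp", src, PUBLIC, dport=2003)
    rdp = Packet("tcp", src, PUBLIC, dport=3389)
    web_reply = Packet("tcp", src, PUBLIC, dport=40123, established=True)
    return {
        "rick_ping": evaluate(RICK_ACL, ping),            # deny
        "rick_ping_reply": evaluate(RICK_ACL, ping_reply),  # permit
        "rick_vnc": evaluate(RICK_ACL, vnc),              # permit
        "poster_vnc": evaluate(POSTER_ACL, vnc),          # deny: dst is the public address, not 192.168.0.5
        "goal_ping": evaluate(GOAL_ACL, ping),            # deny
        "goal_vnc": evaluate(GOAL_ACL, vnc),              # permit
        "goal_dvr": evaluate(GOAL_ACL, dvr),              # permit
        "goal_rdp": evaluate(GOAL_ACL, rdp),              # deny (implicit deny)
        "goal_web_reply": evaluate(GOAL_ACL, web_reply),  # permit (established)
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:16s} {verdict}")
```

The "poster_vnc" result is the point to take from the run: a line written against 192.168.0.5 never matches inbound on Dialer0, because the translation to 192.168.0.5 happens after the inbound check. Whichever list is applied, verify it on the router with "show ip access-lists" (match counters per line) and "show ip interface dialer 0" (which list is applied inbound) before relying on it.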
