07-22-2008 08:15 AM - edited 03-03-2019 10:50 PM
Hi,
How do I disable ping from the Internet on a Cisco 877? Thanks.
07-22-2008 08:42 AM
Colin
Is there an access list applied inbound on the interface of the 877 which connects to the Internet? If so, add to that access list a line which says:
deny icmp any any echo-request
This will deny any inbound ping requests from the Internet.
HTH
Rick
07-22-2008 09:57 AM
There are no access lists applied inbound to Dialer0.
07-22-2008 10:09 AM
Colin
If there are no access lists inbound on dialer 0, then I suggest that you configure this to deny ping from the Internet:
access-list 101 deny icmp any any echo-request
access-list 101 permit ip any any
interface dialer 0
ip access-group 101 in
That will not allow any ping from the Internet and will allow everything else.
HTH
Rick
07-22-2008 10:51 AM
Rick,
I've got one NAT rule and access list permitting port 5900, and some other NAT rules and access lists for an internal DVR server (these rules don't work, not sure why). All other traffic should be dropped. Please see the rules etc. below.
ip nat inside source list 1 interface Dialer0 overload
ip nat inside source static tcp 192.168.0.5 2000 interface Dialer0 2000
ip nat inside source static udp 192.168.0.5 2000 interface Dialer0 2000
ip nat inside source static tcp 192.168.0.5 2002 interface Dialer0 2002
ip nat inside source static udp 192.168.0.5 2002 interface Dialer0 2002
ip nat inside source static tcp 192.168.0.5 2003 interface Dialer0 2003
ip nat inside source static udp 192.168.0.5 2003 interface Dialer0 2003
ip nat inside source static tcp 192.168.0.5 2006 interface Dialer0 2006
ip nat inside source static udp 192.168.0.5 2006 interface Dialer0 2006
ip nat inside source static tcp 192.168.0.5 3001 interface Dialer0 3001
ip nat inside source static udp 192.168.0.5 3001 interface Dialer0 3001
ip nat inside source static tcp 192.168.0.5 5900 interface Dialer0 5900
ip nat inside source list 2 interface Dialer0 overload
!
access-list 1 permit 192.168.0.0 0.0.0.255
access-list 2 permit 10.0.5.0 0.0.0.255
access-list 101 permit tcp any host 192.168.0.5 eq 5900
access-list 103 permit ip 192.168.0.0 0.0.0.255 10.0.0.0 0.0.255.255
access-list 104 permit tcp any host 192.168.0.5 eq 2000
access-list 104 permit udp any host 192.168.0.5 eq 2000
access-list 105 permit tcp any host 192.168.0.5 eq 2002
access-list 105 permit udp any host 192.168.0.5 eq 2002
access-list 106 permit udp any host 192.168.0.5 eq 2003
access-list 106 permit tcp any host 192.168.0.5 eq 2003
access-list 107 permit tcp any host 192.168.0.5 eq 2006
access-list 107 permit udp any host 192.168.0.5 eq 2006
access-list 108 permit udp any host 192.168.0.5 eq 3001
access-list 108 permit tcp any host 192.168.0.5 eq 3001
07-22-2008 11:11 AM
Colin
The first post was pretty simple and was about how to deny ping from the Internet. This post is significantly more complex and about something very different. Without seeing the config from the router we would not be able to comment correctly on the access lists or on why the translation rules are not working.
HTH
Rick
07-22-2008 11:20 AM
As Rick indicated, you posted more info that is not exactly related to the first post.
If you take the config and then apply it to the interface, you will deny inbound ICMP.
In order to know for sure, you need to post the config for the outside interface you are using, so we know what is applied currently. It may just be a few more lines of config added to an already existing ACL.
07-23-2008 03:42 AM
Here's the config. The aim is to allow only VNC and the DVR ports (TCP/UDP 2000, 2002, 2003, 2006, 3001) to 192.168.0.5; all other traffic should be dropped. Can you help? Thanks.
Current configuration : 4067 bytes
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router
!
boot-start-marker
boot-end-marker
!
enable secret xxx
!
no aaa new-model
!
!
dot11 syslog
!
dot11 ssid vhwlan
authentication open
guest-mode
wpa-psk ascii 0 s1lv3r2005
!
ip cef
!
!
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
ip name-server 194.74.65.68
ip name-server 194.74.65.69
!
!
!
!
!
!
archive
log config
hidekeys
!
!
!
bridge irb
!
!
interface ATM0
no ip address
atm ilmi-keepalive
pvc 0/38
encapsulation aal5mux ppp dialer
dialer pool-member 1
!
dsl operating-mode auto
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface Dot11Radio0
no ip address
!
ssid vhwlan
!
speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
station-role root
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 spanning-disabled
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
!
interface Vlan1
ip address 192.168.0.1 255.255.255.0
ip nat inside
ip virtual-reassembly
!
interface Dialer0
ip address negotiated
ip mtu 1492
ip nat outside
ip virtual-reassembly
encapsulation ppp
ip tcp adjust-mss 1380
dialer pool 1
dialer-group 1
no cdp enable
ppp authentication chap callin
ppp chap hostname xxxxxxx
ppp chap password 0 xxxxxx
crypto map ipsec-remoteoffice
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer0
ip route 10.0.5.0 255.255.255.0 192.168.0.2
!
no ip http server
no ip http secure-server
ip dns server
ip nat inside source list 1 interface Dialer0 overload
ip nat inside source static tcp 192.168.0.5 2000 interface Dialer0 2000
ip nat inside source static udp 192.168.0.5 2000 interface Dialer0 2000
ip nat inside source static tcp 192.168.0.5 2002 interface Dialer0 2002
ip nat inside source static udp 192.168.0.5 2002 interface Dialer0 2002
ip nat inside source static tcp 192.168.0.5 2003 interface Dialer0 2003
ip nat inside source static udp 192.168.0.5 2003 interface Dialer0 2003
ip nat inside source static tcp 192.168.0.5 2006 interface Dialer0 2006
ip nat inside source static udp 192.168.0.5 2006 interface Dialer0 2006
ip nat inside source static tcp 192.168.0.5 3001 interface Dialer0 3001
ip nat inside source static udp 192.168.0.5 3001 interface Dialer0 3001
ip nat inside source static tcp 192.168.0.5 5900 interface Dialer0 5900
ip nat inside source list 2 interface Dialer0 overload
ip nat inside source static tcp 192.168.0.2 3389 interface Dialer0 3389
!
access-list 1 permit 192.168.0.0 0.0.0.255
access-list 2 permit 10.0.5.0 0.0.0.255
access-list 101 permit tcp any host 192.168.0.5 eq 5900
access-list 103 permit ip 192.168.0.0 0.0.0.255 10.0.0.0 0.0.255.255
access-list 104 permit tcp any host 192.168.0.5 eq 2000
access-list 104 permit udp any host 192.168.0.5 eq 2000
access-list 105 permit tcp any host 192.168.0.5 eq 2002
access-list 105 permit udp any host 192.168.0.5 eq 2002
access-list 106 permit udp any host 192.168.0.5 eq 2003
access-list 106 permit tcp any host 192.168.0.5 eq 2003
access-list 107 permit tcp any host 192.168.0.5 eq 2006
access-list 107 permit udp any host 192.168.0.5 eq 2006
access-list 108 permit udp any host 192.168.0.5 eq 3001
access-list 108 permit tcp any host 192.168.0.5 eq 3001
access-list 109 permit tcp any host 192.168.0.2 eq 3389
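As an added example that is not part of any post in this thread, here is one inbound ACL for Dialer0 that keeps Rick's ping denial and admits only the VNC and DVR ports from the posted config, with CBAC state admitting return traffic for LAN-initiated sessions; the names OUTSIDE-IN and FW are chosen here, while the ports, the crypto map and the IOS 12.4 version come from the posted config. Note that on IOS an inbound ACL on the NAT outside interface is checked before the static translations, so it must match the Dialer0 (global) address, which is negotiated and therefore written as any rather than 192.168.0.5.

```cisco
! Added example, not from the router in this thread. OUTSIDE-IN and FW are
! names chosen here. The 3389 static NAT in the posted config is not in the
! stated aim (VNC + DVR to 192.168.0.5 only), so it is not opened here.
ip access-list extended OUTSIDE-IN
 remark --- site-to-site VPN: crypto map ipsec-remoteoffice sits on Dialer0 ---
 permit udp any any eq isakmp
 permit udp any any eq non500-isakmp
 permit esp any any
 remark --- published services, matched on the global (Dialer0) address ---
 permit tcp any any eq 5900
 permit tcp any any eq 2000
 permit udp any any eq 2000
 permit tcp any any eq 2002
 permit udp any any eq 2002
 permit tcp any any eq 2003
 permit udp any any eq 2003
 permit tcp any any eq 2006
 permit udp any any eq 2006
 permit tcp any any eq 3001
 permit udp any any eq 3001
 remark --- Rick's ping denial, logged so inbound scanning stays visible ---
 deny icmp any any echo-request log
 remark --- keep path-MTU discovery working over the 1492-byte PPP link ---
 permit icmp any any packet-too-big
 remark --- everything else is dropped and counted ---
 deny ip any any log
!
! Return traffic for sessions opened from the LAN is admitted by CBAC state,
! not by permanent holes in the ACL. router-traffic also covers the router's
! own DNS lookups (it is the LAN's ip dns server and forwards to the
! configured name-servers); it is not applicable to the icmp protocol.
ip inspect name FW tcp router-traffic
ip inspect name FW udp router-traffic
ip inspect name FW icmp
!
interface Dialer0
 ip access-group OUTSIDE-IN in
 ip inspect FW out
!
! Verify: "show access-lists OUTSIDE-IN" shows per-line hit counters and
! "show ip inspect sessions" shows the dynamic openings CBAC has created.
```

A non-zero counter on the final deny line is expected; a growing counter on the permit lines for ports you did not open from the inside is what to investigate.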