08-12-2008 10:41 AM - edited 03-03-2019 11:07 PM
Hi
I'm very new and have my first Cisco router deployed in a SOHO setting with 4 PCs and an ADSL link over ATM for internet connectivity.
I have the router running from a reset to defaults, but it is exposed. It returns a ping, and I would like to stop that. It shows a closed port on 139 and a couple of others. I would like to stealth them.
Can you help me configure it, please? I guess I could work most things out if I could comment out some lines and see the effect. Is that an exclamation mark?
I'm running linux and can open a terminal, log on to the router and enable.
This is where I think I need help:
---------------------------
!
! NAT: translate inside hosts matched by ACL 102 to the Dialer1 address (PAT/overload)
ip nat inside source list 102 interface Dialer1 overload
ip classless
! Default route out of the ADSL dialer interface
ip route 0.0.0.0 0.0.0.0 Dialer1
! Web management enabled over plain HTTP; HTTPS management disabled
ip http server
no ip http secure-server
!
! ACL 23: management source networks (where it is referenced is not in this snippet)
access-list 23 permit 192.168.1.0 0.0.0.255
access-list 23 permit 10.10.10.0 0.0.0.255
! ACL 102: inside hosts that are eligible for NAT
access-list 102 permit ip 192.168.1.0 0.0.0.255 any
! ACL 111: WAN-side filter (the interface it is applied to is not in this snippet)
! ICMP control messages, including echo, are permitted, so the router answers pings
access-list 111 permit icmp any any administratively-prohibited
access-list 111 permit icmp any any echo
access-list 111 permit icmp any any echo-reply
access-list 111 permit icmp any any packet-too-big
access-list 111 permit icmp any any time-exceeded
access-list 111 permit icmp any any traceroute
access-list 111 permit icmp any any unreachable
! DHCP server-to-client/relay traffic and DNS
access-list 111 permit udp any eq bootps any eq bootpc
access-list 111 permit udp any eq bootps any eq bootps
access-list 111 permit udp any eq domain any
! IPsec (ESP, IKE, NAT-T on udp/10000) and PPTP (tcp/1723 + GRE)
access-list 111 permit esp any any
access-list 111 permit udp any any eq isakmp
access-list 111 permit udp any any eq 10000
access-list 111 permit tcp any any eq 1723
! NetBIOS/SMB allowed in from anywhere: this is why tcp/139 shows up to a scanner
access-list 111 permit tcp any any eq 139
access-list 111 permit udp any any eq netbios-ns
access-list 111 permit udp any any eq netbios-dgm
access-list 111 permit gre any any
! Everything not matched above is dropped
access-list 111 deny ip any any
! Interesting traffic that brings up the dialer
dialer-list 1 protocol ip permit
!
---------------------------------
Regards
Bob
08-12-2008 04:48 PM
You can't comment lines out per se. You can remove them (type "no" followed by the line you want to remove) and see what happens.
Regarding your config above... where is access-list 111 applied? It doesn't show in the snippet.
Have you tried configuring the router from the web interface? It has built-in lock-down features that will probably meet your needs.
Regards,
Ryan
08-13-2008 01:21 AM
"where is access-list 111 applied? It doesn't show in the snippet."
Thanks for the reply. I don't know how to find out where the access-list 111 is applied. What command do I use for that?
I think it would help me if I could first stop responding to a WAN ping but reply to a LAN ping. I think the process of learning how to do that would help me understand the configuration structure better.
Thanks again for your response, it is appreciated.
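An added example, not from either poster, showing the IOS commands that answer the two questions in this thread: how to find where access-list 111 is applied, and how to stop the router answering pings from the WAN while still answering the LAN. It assumes ACL 111 is meant to be the inbound filter on Dialer1 (the interface name comes from the posted config; that it is the intended interface is an assumption) and that the IOS release supports named-mode editing of numbered ACLs and `show ... | include` output filtering.

```text
! --- Step 1: find where ACL 111 is applied and whether anything else guards the WAN side ---
! (privileged EXEC, i.e. after "enable")
show running-config | include interface|access-group|ip inspect|access-class
! "ip access-group 111 in" listed under "interface Dialer1" means ACL 111 filters traffic
! arriving from the ISP. Look for an "ip inspect <name> out" on the same interface: that is
! what lets replies to LAN-initiated sessions back through the trailing "deny ip any any".
! If ACL 111 is not applied anywhere and there is no inspect rule, do NOT apply it inbound
! as-is, or every outbound TCP connection will stop working.
show ip interface Dialer1 | include access list
show access-lists 111
! the "(n matches)" counters show which lines are actually being hit

! --- Step 2: stop answering WAN pings, keep answering LAN pings ---
! Gotcha: "no access-list 111 <anything>" deletes the WHOLE numbered ACL on many IOS
! releases. Edit individual lines in named mode instead.
configure terminal
 ip access-list extended 111
  no permit icmp any any echo
  ! echo-reply stays, so pings sent from the LAN to the internet still get their replies
  ! drop unsolicited NetBIOS/SMB from the WAN (the ports the scanner reported as closed)
  no permit tcp any any eq 139
  no permit udp any any eq netbios-ns
  no permit udp any any eq netbios-dgm
 exit
 interface Dialer1
  ! apply only on the WAN side; the LAN interface has no ACL, so LAN pings are still answered
  ip access-group 111 in
  ! by default IOS replies to an ACL-denied packet with an ICMP "administratively prohibited",
  ! which tells a scanner a host is there; suppressing it makes denied ports look filtered
  no ip unreachables
 exit
exit
write memory
```

After the change, `ping` from a LAN PC to the router's inside address still succeeds, while a ping to the Dialer1 address from the internet times out. If `show access-lists 111` shows the `deny ip any any` counter climbing while normal web browsing from the PCs breaks, there is no stateful inspection on Dialer1 and the ACL should be removed from the interface (`no ip access-group 111 in`) until one is configured.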