ACL assistance

Answered Question
Aug 4th, 2009

Hello,

Attached is my configuration.

What I want to have happen is for the 192.168.1.x users that originate traffic on 'interface BVI1' to be able to ping out to any IP address on the Internet.

I do not want anyone on the Internet to be able to ping my DHCP address from Comcast on Fa4.

Is that possible?

I only have one static NAT translation:

ip nat inside source static tcp 192.168.1.10 3389 interface FastEthernet4 3389

Thank you.

John

Correct Answer
chinkevi_2 Tue, 08/04/2009 - 22:52

Hello, if your Fa4 is Internet facing you could add an inbound ACL to block any traffic you don't want to participate in a service, like DHCP and ping.

bulgogi09 Tue, 08/04/2009 - 23:14

chinkevi,

That part is easy. But when I do that, the ICMP return packets originating from the LAN side are blocked.

bulgogi09 Wed, 08/05/2009 - 08:07

This has been resolved.

All that was needed was this:

!
! WAN side: address from Comcast via DHCP, inbound ACL applied, NAT outside
interface FastEthernet4
 ip address dhcp
 ip access-group deny_in in
 ip nat outside
!
! Overload (PAT) for the LAN plus the one static RDP translation
ip nat inside source list 100 interface FastEthernet4 overload
ip nat inside source static tcp 192.168.1.10 3389 interface FastEthernet4 3389
!
! Drop echo requests aimed at the public address; let everything else through
ip access-list extended deny_in
 deny icmp any host xx.xx.124.200 echo
 permit ip any any
!

So all ICMP activity to my public IP address is blocked while all internal computers 192.168.1.x can ping/traceroute outbound.

chinkevi_2 Wed, 08/05/2009 - 16:21

Right, good to figure that out. I was going to suggest CBAC if the router supports the feature and is able to handle the load.
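Putting the accepted fix and the CBAC suggestion together, here is a tighter variant of the same Fa4 configuration. It is an added example, not configuration from the original post or from Cisco: the inspect rule name OUTBOUND, the use of `deny icmp any any echo` in place of the hard-coded public address, the anti-spoofing and DHCP-client entries, and the assumption that this router image supports CBAC (`ip inspect`) are all mine. Two things motivate it. First, Fa4 takes its address from Comcast's DHCP, so `host xx.xx.124.200` stops matching the moment the lease changes; matching any echo request that arrives on the WAN interface avoids that. Second, the resolved ACL ends in `permit ip any any`, so anything that NAT or the router itself will answer (RDP, the DHCP client, any management service enabled on the box) is reachable from the Internet. With the ACL ending in `deny ip any any`, return traffic for LAN-initiated sessions is admitted by CBAC instead, which watches the outbound TCP/UDP/ICMP sessions and opens matching entries, including the echo-reply, time-exceeded and unreachable messages that LAN pings and traceroutes need back.

```cisco
! Added example (not from the original post): CBAC-inspected WAN interface.
! Assumes the IOS image supports "ip inspect"; rule name OUTBOUND is arbitrary.
!
! Inspect sessions leaving Fa4; replies for inspected TCP/UDP/ICMP sessions
! are admitted dynamically, so the inbound ACL can stay closed by default.
ip inspect name OUTBOUND tcp
ip inspect name OUTBOUND udp
ip inspect name OUTBOUND icmp
!
interface FastEthernet4
 ip address dhcp
 ip access-group deny_in in
 ip inspect OUTBOUND out
 ip nat outside
!
ip nat inside source list 100 interface FastEthernet4 overload
ip nat inside source static tcp 192.168.1.10 3389 interface FastEthernet4 3389
!
ip access-list extended deny_in
 remark Packets claiming a LAN source never legitimately arrive on the WAN side
 deny ip 192.168.1.0 0.0.0.255 any
 remark The router is a DHCP client on Fa4: allow lease traffic from the ISP
 permit udp any eq bootps any eq bootpc
 remark Published RDP server (static NAT above); destination is the dynamic public IP
 permit tcp any any eq 3389
 remark Unsolicited echo requests, whatever the public address currently is;
 remark kept as its own line so probes show up in the ACL counters and the log
 deny icmp any any echo log
 remark Everything else is dropped; CBAC opens return traffic for LAN-initiated sessions
 deny ip any any
!
```

To check it, ping or traceroute from a 192.168.1.x host and look at `show ip inspect sessions` for the matching ICMP entry, then have someone ping the public address from outside and watch the `deny icmp any any echo` counter in `show access-lists deny_in` climb while the ping times out.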
