Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
447
Views
0
Helpful
4
Replies

ACL assistance

Go to solution
bulgogi09
Level 1
Level 1

‎08-04-2009 10:23 PM - edited ‎03-04-2019 05:38 AM

Hello,

Attached is my configuration.

What I want to have happen is the 192.168.1.x users that originate traffic on the 'interface BVI1' to ping out on the Internet to any IP address.

I do not want anyone on the Internet to be able to ping my DHCP address from Comcast on Fa4.

Is that possible?

I only have one static NAT translation:

ip nat inside source static tcp 192.168.1.10 3389 interface FastEthernet4 3389

Thank you.

John

Labels:
Preview file
4 KB
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
chinkevi_2
Level 1
Level 1

‎08-04-2009 10:52 PM

hello, if your fa4 is internet facing you could add an inbound acl to block any traffic you don't want to participate in a service, like dhcp and ping.

View solution in original post

0 Helpful
4 Replies 4

Go to solution
chinkevi_2
Level 1
Level 1

‎08-04-2009 10:52 PM

hello, if your fa4 is internet facing you could add an inbound acl to block any traffic you don't want to participate in a service, like dhcp and ping.

0 Helpful

Go to solution
bulgogi09
Level 1
Level 1
In response to chinkevi_2

‎08-04-2009 11:14 PM

chinkevi,

That part is easy. But when I do that the ICMP return packets originating from the LAN side are blocked.

0 Helpful

Go to solution
bulgogi09
Level 1
Level 1

‎08-05-2009 08:07 AM

This has been resolved.

All that was needed was this:

!

interface FastEthernet4

ip address dhcp

ip access-group deny_in in

ip nat outside

!

!

ip nat inside source list 100 interface FastEthernet4 overload

ip nat inside source static tcp 192.168.1.10 3389 interface FastEthernet4 3389

!

ip access-list extended deny_in

deny icmp any host xx.xx.124.200 echo

permit ip any any

!

So all ICMP activity to my public IP address is blocked while all internal computers 192.168.1.x can ping/traceroute outbound.

0 Helpful

Go to solution
chinkevi_2
Level 1
Level 1
In response to bulgogi09

‎08-05-2009 04:21 PM

right, good to figure that out. I was going to suggest cbac if the router support the feature and able to handle the load.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card