02-02-2006 07:22 AM - edited 03-03-2019 01:40 AM
Hi,
I have got a Cisco 1751 router. S0/0 has got 1 public IP and FastEthernet 0/0 also has got 1 public IP. All the users on the LAN are accessing the internet via a Linux gateway machine. Now the problem is, I am able to ping 192.168.87.1 from my LAN as well as from the router console, but all my LAN network is 192.168.100.0/24. Even after removing the FastEthernet 0/0 cable, I could still ping 192.168.87.1, which is going towards the ISP. Now, to avoid this, how do I put the access-list on my router? Because of this, when LAN users try to ping the gateway machine (192.168.100.1) the response time they get is time=500ms; when I disable S0/0, time=<14ms.
02-02-2006 08:42 AM
Hello Anand,
You always need to have anti-spoofing ACLs on your links connecting to the ISP. This will block all unnecessary IP addresses, ports etc. to and from the internet.
e.g.:
Add anti-spoofing entries.
!--- Deny special-use address sources.
!--- Refer to RFC 3330 for additional special use addresses.
access-list 110 deny ip 127.0.0.0 0.255.255.255 any
access-list 110 deny ip 192.0.2.0 0.0.0.255 any
access-list 110 deny ip 224.0.0.0 31.255.255.255 any
access-list 110 deny ip host 255.255.255.255 any
!--- The deny statement below should not be configured
!--- on Dynamic Host Configuration Protocol (DHCP) relays.
access-list 110 deny ip host 0.0.0.0 any
!--- Filter RFC 1918 space.
access-list 110 deny ip 10.0.0.0 0.255.255.255 any
access-list 110 deny ip 172.16.0.0 0.15.255.255 any
access-list 110 deny ip 192.168.0.0 0.0.255.255 any
Try this and let us know...
Raj
02-02-2006 08:45 AM
Additionally, you can block any traffic going out from your network, esp. to private IP addresses.
access-list 150 deny ip any 192.168.0.0 0.0.255.255
etc
Apply this on the serial in the "out" direction...
Hope this helps...
02-03-2006 12:06 AM
I tried both your options, but the internet is not working.
02-03-2006 08:36 AM
Hello Anand,
In both of my configs, you need to add "permit ip any any" at the bottom. Otherwise the implicit deny at the end of the ACL will deny all your internet packets. Try adding "access-list 101 permit ip any any" to the ACLs given in the previous post and then try...
Hope this helps.. all the best.. Rate replies if found useful..
Raj
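To check the ACL logic from this thread offline before pushing it to a router, here is an added example of my own (not code from the thread posters or from Cisco). It parses the posted `access-list` lines, applies them first-match like IOS, and models the implicit deny at the end of every ACL. It assumes the ACL 110 entries above with `permit ip any any` appended, the outbound ACL 150 entry written with the `ip` protocol keyword, and only the `ip` protocol form of extended ACL entries; interface bindings (`ip access-group 110 in` on S0/0, `ip access-group 150 out`) are not modelled.

```python
"""Offline evaluator for Cisco IOS numbered extended ACLs of the form
'access-list N permit|deny ip SRC DST' (host X, A.B.C.D wildcard, or any).
Added example; constructed from the entries posted in the thread."""
import ipaddress

# ACL 110 as posted, plus the permit that the follow-up reply says was missing.
# ACL 150 with the 'ip' keyword added (the posted line omitted the protocol).
ACL_TEXT = """
access-list 110 deny ip 127.0.0.0 0.255.255.255 any
access-list 110 deny ip 192.0.2.0 0.0.0.255 any
access-list 110 deny ip 224.0.0.0 31.255.255.255 any
access-list 110 deny ip host 255.255.255.255 any
access-list 110 deny ip host 0.0.0.0 any
access-list 110 deny ip 10.0.0.0 0.255.255.255 any
access-list 110 deny ip 172.16.0.0 0.15.255.255 any
access-list 110 deny ip 192.168.0.0 0.0.255.255 any
access-list 110 permit ip any any
access-list 150 deny ip any 192.168.0.0 0.0.255.255
access-list 150 permit ip any any
"""

# Same ACL 110 without the final permit: this is what broke internet access in the thread.
ACL_110_AS_POSTED = "\n".join(
    line for line in ACL_TEXT.splitlines()
    if line.startswith("access-list 110 deny")
)


def _parse_addr(tokens, i):
    """Parse one address spec starting at tokens[i].
    Returns (network, wildcard, next_index) with both values as 32-bit ints."""
    tok = tokens[i]
    if tok == "any":
        return 0, 0xFFFFFFFF, i + 1
    if tok == "host":
        return int(ipaddress.IPv4Address(tokens[i + 1])), 0, i + 2
    net = int(ipaddress.IPv4Address(tok))
    wildcard = int(ipaddress.IPv4Address(tokens[i + 1]))
    return net, wildcard, i + 2


def _matches(addr, net, wildcard):
    """Cisco wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    mask = ~wildcard & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(addr)) & mask) == (net & mask)


def parse_acl(text):
    """Return {acl_number: [(action, (src_net, src_wc), (dst_net, dst_wc)), ...]}.
    Lines starting with '!' are IOS comments and are skipped."""
    acls = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("!"):
            continue
        tokens = line.split()
        if tokens[0] != "access-list" or tokens[2] not in ("permit", "deny") or tokens[3] != "ip":
            raise ValueError(f"unsupported entry: {line}")
        number = int(tokens[1])
        src_net, src_wc, i = _parse_addr(tokens, 4)
        dst_net, dst_wc, _ = _parse_addr(tokens, i)
        acls.setdefault(number, []).append((tokens[2], (src_net, src_wc), (dst_net, dst_wc)))
    return acls


def evaluate(acl, src, dst):
    """First matching entry wins; a packet that matches nothing hits the implicit deny."""
    for action, (sn, sw), (dn, dw) in acl:
        if _matches(src, sn, sw) and _matches(dst, dn, dw):
            return action
    return "deny"


ACLS = parse_acl(ACL_TEXT)
POSTED_110 = parse_acl(ACL_110_AS_POSTED)[110]

if __name__ == "__main__":
    # Constructed sample flows: the stray 192.168.87.1 from the thread, an ordinary
    # internet host, and the LAN-to-ISP direction for ACL 150.
    for number, src, dst in [(110, "192.168.87.1", "192.168.100.5"),
                             (110, "198.51.100.7", "192.168.100.5"),
                             (150, "192.168.100.5", "192.168.87.1"),
                             (150, "192.168.100.5", "198.51.100.7")]:
        print(f"ACL {number}: {src} -> {dst}: {evaluate(ACLS[number], src, dst)}")
    print("ACL 110 without permit, 198.51.100.7 inbound:",
          evaluate(POSTED_110, "198.51.100.7", "192.168.100.5"))
```

The last line of output shows the failure mode from the thread: with no trailing `permit ip any any`, even legitimate internet return traffic falls through to the implicit deny. Note also that `224.0.0.0 31.255.255.255` already covers 255.255.255.255, so the `host 255.255.255.255` entry is harmless but redundant.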