LAN problem

Anand Narayana
Level 6

Hi,

I have got a Cisco 1751 router. S0/0 has got 1 public IP & FastEthernet 0/0 also got 1 public IP; all the users on the LAN are accessing the internet via a Linux gateway machine. Now the problem is, I am able to ping 192.168.87.1 from my LAN as well as from the router console, but all my LAN network is 192.168.100.0/24. Even after removing the FastEthernet 0/0 cable, I could still ping 192.168.87.1, which is going towards the ISP. Now, to avoid this, how do I put the access-list on my router? Because of this, when LAN users try to ping the gateway machine (192.168.100.1) the response time is time=500ms; when I disable S0/0 it is time=<14ms.

4 Replies

sachinraja
Level 9

Hello Anand,

You always need to have anti-spoofing ACLs on your links connecting to the ISP. This will block all unnecessary IP addresses, ports etc. to and from the internet.

e.g.:

Add anti-spoofing entries.

!--- Deny special-use address sources.
!--- Refer to RFC 3330 for additional special use addresses.
access-list 110 deny ip 127.0.0.0 0.255.255.255 any
access-list 110 deny ip 192.0.2.0 0.0.0.255 any
access-list 110 deny ip 224.0.0.0 31.255.255.255 any
access-list 110 deny ip host 255.255.255.255 any
!--- The deny statement below should not be configured
!--- on Dynamic Host Configuration Protocol (DHCP) relays.
access-list 110 deny ip host 0.0.0.0 any
!--- Filter RFC 1918 space.
access-list 110 deny ip 10.0.0.0 0.255.255.255 any
access-list 110 deny ip 172.16.0.0 0.15.255.255 any
access-list 110 deny ip 192.168.0.0 0.0.255.255 any

try this and let us know...

Raj

Additionally, you can block any traffic going out from your network, especially to private IP addresses.

!--- Deny anything leaving towards the ISP with a 192.168.0.0/16 destination.
access-list 150 deny ip any 192.168.0.0 0.0.255.255

etc.

Apply this on the serial interface in the "out" direction...

hope this helps...

I tried both of your options, but the internet is not working.

Hello Anand,

In both of my configs, you need to add "permit ip any any" at the bottom. Otherwise the implicit deny at the end of the ACL will deny all your internet packets. Try adding "access-list 101 permit ip any any" to the ACLs given in the previous post and then try...

hope this helps.. all the best.. rate replies if found useful..

Raj
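As an added illustration of the first-match and implicit-deny behaviour this thread turns on (example code, not part of any post), here is a small Python evaluator that applies Cisco wildcard-mask matching to the ACL lines above. The ACL text is a constructed copy of the thread's entries, and 203.0.113.5 (standing in for the router's public address) and 198.51.100.7 (an internet host) are placeholder addresses.

```python
import ipaddress

def wildcard_match(addr, base, wildcard):
    """Cisco wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a & ~w) == (b & ~w)

def _parse_addr(tokens):
    """Consume one address spec: 'any', 'host A.B.C.D', or 'A.B.C.D WILDCARD'."""
    if tokens[0] == "any":
        return ("0.0.0.0", "255.255.255.255"), tokens[1:]
    if tokens[0] == "host":
        return (tokens[1], "0.0.0.0"), tokens[2:]
    return (tokens[0], tokens[1]), tokens[2:]

def parse_acl(lines):
    """Parse 'access-list N {permit|deny} PROTO SRC DST' lines; '!---' comments are skipped."""
    entries = []
    for line in lines:
        tok = line.split()
        if len(tok) < 5 or tok[0] != "access-list":
            continue
        action, proto = tok[2], tok[3]
        src, rest = _parse_addr(tok[4:])
        dst, _ = _parse_addr(rest)
        entries.append((action, proto, src, dst))
    return entries

def evaluate(entries, src, dst, proto="ip"):
    """First matching entry wins; no match falls through to the implicit deny."""
    for action, p, (sb, sw), (db, dw) in entries:
        if p in ("ip", proto) and wildcard_match(src, sb, sw) and wildcard_match(dst, db, dw):
            return action
    return "deny"  # the implicit deny at the end of every IOS ACL

# Constructed copy of the thread's inbound anti-spoofing ACL 110 (no trailing permit).
ACL_110 = """
access-list 110 deny ip 127.0.0.0 0.255.255.255 any
access-list 110 deny ip 192.0.2.0 0.0.0.255 any
access-list 110 deny ip 224.0.0.0 31.255.255.255 any
access-list 110 deny ip host 255.255.255.255 any
access-list 110 deny ip host 0.0.0.0 any
access-list 110 deny ip 10.0.0.0 0.255.255.255 any
access-list 110 deny ip 172.16.0.0 0.15.255.255 any
access-list 110 deny ip 192.168.0.0 0.0.255.255 any
""".strip().splitlines()
ACL_110_FIXED = ACL_110 + ["access-list 110 permit ip any any"]
# Constructed outbound ACL 150 for the serial link, with the closing permit.
ACL_150 = ["access-list 150 deny ip any 192.168.0.0 0.0.255.255",
           "access-list 150 permit ip any any"]
```

Running `evaluate(parse_acl(ACL_110), "198.51.100.7", "203.0.113.5")` returns "deny" (the "internet is not working" symptom), while the same packet against ACL_110_FIXED is permitted and a packet sourced from 192.168.87.1 is still dropped.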