Cisco Support Community

LAN problem

Hi,

I have got a Cisco 1751 router; S0/0 has got one public IP, and FastEthernet 0/0 also has one public IP. All the users on the LAN are accessing the internet via a Linux gateway machine. Now the problem is: I am able to ping 192.168.87.1 from my LAN as well as from the router console, but all my LAN network is 192.168.100.0/24. Even after removing the FastEthernet 0/0 cable, I am still able to ping 192.168.87.1, which is going towards the ISP. Now, to avoid this, how do I put the access-list on my router? Because of this, when LAN users try to ping the gateway machine (192.168.100.1), the response is time=500ms; when I disable S0/0, time=<14ms.

4 REPLIES

Re: LAN problem

Hello Anand,

You always need to have anti-spoofing ACLs on your links connecting to the ISP. This will block all unnecessary IP addresses, ports, etc. to and from the internet.

e.g.:

Add anti-spoofing entries.

!--- Deny special-use address sources.
!--- Refer to RFC 3330 for additional special use addresses.
access-list 110 deny ip 127.0.0.0 0.255.255.255 any
access-list 110 deny ip 192.0.2.0 0.0.0.255 any
access-list 110 deny ip 224.0.0.0 31.255.255.255 any
access-list 110 deny ip host 255.255.255.255 any
!--- The deny statement below should not be configured
!--- on Dynamic Host Configuration Protocol (DHCP) relays.
access-list 110 deny ip host 0.0.0.0 any
!--- Filter RFC 1918 space.
access-list 110 deny ip 10.0.0.0 0.255.255.255 any
access-list 110 deny ip 172.16.0.0 0.15.255.255 any
access-list 110 deny ip 192.168.0.0 0.0.255.255 any

Try this and let us know...

Raj

Re: LAN problem

Additionally, you can block any traffic going out from your network, especially to private IP addresses.

!--- Extended ACLs need the protocol keyword before the source and destination:
!--- access-list <number> deny <protocol> <source> <destination>
access-list 150 deny ip any 192.168.0.0 0.0.255.255

etc.

Apply this on the serial in the "out" direction...

Hope this helps...

Re: LAN problem

I tried both of your options, but the internet is not working.

Re: LAN problem

Hello Anand,

In both of my configs, you need to add "permit ip any any" at the bottom. Otherwise the implicit deny at the end of the ACL will deny all your internet packets. Try adding "access-list 101 permit ip any any" to the ACLs given in the previous post and then try...

Hope this helps. All the best. Rate replies if found useful.

Raj
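The two points made in this thread, the anti-spoofing ingress ACL from the first reply and the implicit deny that broke the internet until "permit ip any any" was appended, can be checked offline with a small evaluator of IOS-style wildcard-mask ACLs. The following is an added example, not code from the thread or from Cisco; the parser, the `evaluate` function, and the sample addresses (203.0.113.10 and 198.51.100.5 are documentation addresses standing in for "some host on the internet") are all assumptions of this example. It parses the access-list 110 text from the thread, applies first-match-wins semantics with an implicit deny at the end, and shows why traffic from a real internet host is dropped until the permit line is added, while traffic claiming a 192.168.x.x source (such as the 192.168.87.1 reachable over the ISP link) is still denied. It also evaluates the corrected egress ACL 150 from the second reply.

```python
import ipaddress
from dataclasses import dataclass

# Access-list text as given in the thread (comments kept; the parser skips them).
INGRESS_ACL_TEXT = """
!--- Deny special-use address sources.
access-list 110 deny ip 127.0.0.0 0.255.255.255 any
access-list 110 deny ip 192.0.2.0 0.0.0.255 any
access-list 110 deny ip 224.0.0.0 31.255.255.255 any
access-list 110 deny ip host 255.255.255.255 any
access-list 110 deny ip host 0.0.0.0 any
!--- Filter RFC 1918 space.
access-list 110 deny ip 10.0.0.0 0.255.255.255 any
access-list 110 deny ip 172.16.0.0 0.15.255.255 any
access-list 110 deny ip 192.168.0.0 0.0.255.255 any
"""
# Same list with the final permit the last reply says is required.
INGRESS_ACL_FIXED = INGRESS_ACL_TEXT + "access-list 110 permit ip any any\n"

# Egress list from the second reply (syntax corrected: 'ip' before source/destination).
EGRESS_ACL_TEXT = """
access-list 150 deny ip any 192.168.0.0 0.0.255.255
access-list 150 permit ip any any
"""


@dataclass(frozen=True)
class AclEntry:
    action: str   # "permit" or "deny"
    src: str      # "any" | "host A.B.C.D" | "A.B.C.D W.W.W.W" (address + wildcard)
    dst: str


def _take_spec(tokens):
    """Consume one address specification from the token list; return (spec, remaining)."""
    if tokens[0] == "any":
        return "any", tokens[1:]
    if tokens[0] == "host":
        return f"host {tokens[1]}", tokens[2:]
    return f"{tokens[0]} {tokens[1]}", tokens[2:]


def parse_acl(text):
    """Parse lines of the form: access-list <n> <permit|deny> ip <src> <dst>."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        tokens = line.split()
        if tokens[0] != "access-list" or tokens[3] != "ip":
            raise ValueError(f"unsupported ACL line: {line}")
        action = tokens[2]
        src, rest = _take_spec(tokens[4:])
        dst, _ = _take_spec(rest)
        entries.append(AclEntry(action, src, dst))
    return entries


def _matches(spec, addr):
    """IOS wildcard semantics: a 1 bit in the wildcard means 'do not care'."""
    if spec == "any":
        return True
    parts = spec.split()
    if parts[0] == "host":
        return int(ipaddress.IPv4Address(parts[1])) == int(addr)
    net_i = int(ipaddress.IPv4Address(parts[0]))
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(parts[1]))
    return (int(addr) & care) == (net_i & care)


def evaluate(acl, src_ip, dst_ip):
    """First matching entry wins. Returns (action, entry); entry is None when the
    packet fell through to the implicit deny at the end of the list."""
    s = ipaddress.IPv4Address(src_ip)
    d = ipaddress.IPv4Address(dst_ip)
    for entry in acl:
        if _matches(entry.src, s) and _matches(entry.dst, d):
            return entry.action, entry
    return "deny", None


if __name__ == "__main__":
    broken = parse_acl(INGRESS_ACL_TEXT)
    fixed = parse_acl(INGRESS_ACL_FIXED)
    # Internet reply to the router's public side: dropped by the implicit deny
    # until the permit line exists.
    print(evaluate(broken, "203.0.113.10", "198.51.100.5"))
    print(evaluate(fixed, "203.0.113.10", "198.51.100.5"))
    # Spoofed/private source arriving on the ISP link is denied either way.
    print(evaluate(fixed, "192.168.87.1", "192.168.100.1"))
```

With the lists above, a packet from an ordinary internet host is denied with no matching entry under the original access-list 110 (that is the "internet is not working" symptom), permitted once the trailing permit exists, and a packet sourced from 192.168.87.1 is denied by the 192.168.0.0 0.0.255.255 entry in both cases. Note the ingress list is evaluated on packets entering from the ISP, so a 192.168.87.1 destination on the way out is handled by the egress list 150 instead.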
