Access-list

satheesh118
Level 1

Can someone help with how to block ICMP at the router level?


6 Replies

Giuseppe Larosa
Hall of Fame

Hello Satheesh,

An ACL that denies ICMP needs a line like

access-list 101 deny icmp any any

but you may be interested in limiting ICMP traffic directed to the router.

Some platforms and IOSes support a feature called Control Plane Policing (CoPP) that can be of help in protecting the main CPU from excessive ICMP traffic.

See

http://www.cisco.com/en/US/docs/switches/lan/catalyst4500/12.2/50sg/configuration/guide/cntl_pln.html

Another approach often used on border routers is to police or CAR incoming ICMP traffic, and this can fit your needs.

In this case the ACL has to match ICMP traffic:

access-list 102 permit icmp any any
int g0/1
 rate-limit input access-group 102 10000000 50000 5000 conform-action transmit exceed-action drop

See

http://www.cisco.com/en/US/docs/ios/qos/configuration/guide/config_car_ps6350_TSD_Products_Configuration_Guide_Chapter.html#wp1001183

I would go for a CAR implementation.

Hope to help

Giuseppe

Hi, thanks for your response.

I wrote the same rule and included it at the Gi0/0 interface. After that I was not able to reach the other network at all; it completely blocks.

I need only ICMP to be blocked, and I should still be able to reach other networks.

Hello Satheesh,

ACLs have an implicit deny ip any any at the end, so you need to write it in this way:

access-list 101 deny icmp any any

access-list 101 permit ip any any

Hope to help

Giuseppe

Thanks Giuseppe, it helped me to resolve it...

Can you tell me how to block particular ports?

Hello Satheesh,

If you want to block other specific traffic:

deny udp|tcp source source-wildcard dest destination-wildcard eq|ge|le name|number

You need to know where the well-known port sits, because the port option matches the source port if it is placed right after the source, or the destination port if it is at the end of the line.

So if you want to block telnet access from the subnet to the outside you use:

access-list 101 deny tcp 10.5.5.0 0.0.0.255 any eq 23

If you want to block the outside from being able to telnet to hosts in the subnet you need:

access-list 101 deny tcp 10.5.5.0 0.0.0.255 eq 23 any

These are the basics of per-port filtering; most simple examples show only matching on the destination port.

The new deny statements must come before the final permit ip any any or they will not be effective.

Hope to help

Giuseppe
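To see why the deny-only ACL in the earlier exchange blocked all traffic, and how the position of the port operator in the two telnet lines above changes what is matched, here is an added Python model of IOS first-match ACL evaluation with wildcard masks and the implicit deny. It is example code written for this thread, not Cisco's or the poster's; the Pkt class and the sample ACL lists are constructed.

```python
import ipaddress
from dataclasses import dataclass

@dataclass
class Pkt:
    proto: str  # "icmp", "tcp" or "udp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0

OPS = {"eq": lambda p, n: p == n, "gt": lambda p, n: p > n, "lt": lambda p, n: p < n}  # port operators modelled

def _match_addr(spec, addr):
    """spec is 'any' or 'A.B.C.D W.X.Y.Z'; wildcard bits set to 1 are don't-care."""
    if spec == "any":
        return True
    net, wild = spec.split()
    ip = lambda s: int(ipaddress.IPv4Address(s))
    return ((ip(net) ^ ip(addr)) & ~ip(wild)) == 0

def _take_addr(toks):
    return ("any", toks[1:]) if toks[0] == "any" else (f"{toks[0]} {toks[1]}", toks[2:])
def _take_port(toks):
    return ((toks[0], int(toks[1])), toks[2:]) if toks and toks[0] in OPS else (None, toks)

def parse_ace(line):
    """Parse e.g. 'access-list 101 deny tcp 10.5.5.0 0.0.0.255 any eq 23' into its fields."""
    t = line.split()
    action, proto, rest = t[2], t[3], t[4:]
    src, rest = _take_addr(rest)
    sport, rest = _take_port(rest)  # operator right after the source = source port
    dst, rest = _take_addr(rest)
    dport, rest = _take_port(rest)  # operator at the end of the line = destination port
    return dict(action=action, proto=proto, src=src, sport=sport, dst=dst, dport=dport)

def evaluate(acl_lines, pkt):
    """First matching ACE wins; a packet that matches nothing hits the implicit deny."""
    for a in map(parse_ace, acl_lines):
        ok = (a["proto"] in ("ip", pkt.proto) and _match_addr(a["src"], pkt.src)
              and _match_addr(a["dst"], pkt.dst))
        for cond, port in ((a["sport"], pkt.sport), (a["dport"], pkt.dport)):
            ok = ok and (cond is None or OPS[cond[0]](port, cond[1]))
        if ok:
            return a["action"]
    return "deny"  # the implicit deny ip any any at the end of every ACL

# Constructed ACLs following the thread: deny-only first attempt, corrected, per-port.
ACL_FIRST = ["access-list 101 deny icmp any any"]
ACL_FIXED = ACL_FIRST + ["access-list 101 permit ip any any"]
ACL_PORTS = ["access-list 101 deny tcp 10.5.5.0 0.0.0.255 any eq 23"] + ACL_FIXED
```

Reversing ACL_FIXED so the permit comes first shows the ordering point: the deny is never reached and ICMP is permitted.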

Can you please help me to create an IPsec tunnel?
