08-04-2009 10:23 PM - edited 03-04-2019 05:38 AM
Hello,
Attached is my configuration.
What I want is for the 192.168.1.x users that originate traffic on 'interface BVI1' to be able to ping out to any IP address on the Internet.
I do not want anyone on the Internet to be able to ping my Comcast DHCP-assigned address on Fa4.
Is that possible?
I only have one static NAT translation:
ip nat inside source static tcp 192.168.1.10 3389 interface FastEthernet4 3389
Thank you.
John
08-04-2009 10:52 PM
Hello, if your Fa4 is Internet-facing you could add an inbound ACL to block any traffic you don't want to participate in a service, like DHCP and ping.
08-04-2009 11:14 PM
chinkevi,
That part is easy. But when I do that, the ICMP return packets for traffic originating from the LAN side are blocked.
08-05-2009 08:07 AM
This has been resolved.
All that was needed was this:
!
interface FastEthernet4
 ip address dhcp
 ! Apply the ACL below to traffic arriving from the Internet on Fa4
 ip access-group deny_in in
 ip nat outside
!
! PAT for the LAN hosts matched by ACL 100, plus the existing static RDP forward
ip nat inside source list 100 interface FastEthernet4 overload
ip nat inside source static tcp 192.168.1.10 3389 interface FastEthernet4 3389
!
! Drop only ICMP echo requests aimed at the public address (xx.xx.124.200);
! echo replies and traceroute ICMP coming back to the LAN still hit the permit
ip access-list extended deny_in
 deny icmp any host xx.xx.124.200 echo
 permit ip any any
!
So all ICMP activity to my public IP address is blocked while all internal computers 192.168.1.x can ping/traceroute outbound.
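The reason this works is that an inbound ACL on the `ip nat outside` interface is evaluated before the outside-to-inside NAT translation, so it sees the public address as the destination, and IOS matches ICMP by type: echo (type 8) is a different type from echo-reply (type 0), time-exceeded (11) and unreachable (3), so a stateless deny on echo alone leaves the replies to LAN-originated pings and traceroutes untouched. The following evaluator is an added example written for this page, not code from the thread or from Cisco; it models IOS's top-down, first-match, implicit-deny ACL evaluation over constructed packets. The public address 203.0.113.200, the remote hosts and the "lease changed" address 203.0.113.201 are assumptions standing in for the thread's xx.xx.124.200.

```python
"""Toy model of the stateless `deny_in` ACL applied inbound on Fa4.

Constructed example: packets and addresses below are invented for
illustration. 203.0.113.200 stands in for the thread's public address.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

PUBLIC_IP = "203.0.113.200"  # assumed stand-in for xx.xx.124.200

ICMP_ECHO_REPLY = 0
ICMP_UNREACHABLE = 3
ICMP_ECHO = 8
ICMP_TIME_EXCEEDED = 11


@dataclass(frozen=True)
class Packet:
    proto: str                 # "icmp", "tcp" or "udp"
    src: str
    dst: str
    icmp_type: Optional[int] = None
    dport: Optional[int] = None


@dataclass(frozen=True)
class Ace:
    """One access-list entry; proto "ip" matches every protocol."""
    action: str                # "permit" or "deny"
    proto: str
    src: str                   # "any" or a single host address
    dst: str
    icmp_type: Optional[int] = None   # only used when proto == "icmp"


def _addr_match(pattern: str, addr: str) -> bool:
    return pattern == "any" or pattern == addr


def ace_matches(ace: Ace, pkt: Packet) -> bool:
    if ace.proto != "ip" and ace.proto != pkt.proto:
        return False
    if not (_addr_match(ace.src, pkt.src) and _addr_match(ace.dst, pkt.dst)):
        return False
    # `deny icmp any host X echo` constrains the ICMP type; other ICMP passes through
    if ace.proto == "icmp" and ace.icmp_type is not None and ace.icmp_type != pkt.icmp_type:
        return False
    return True


def evaluate(acl: List[Ace], pkt: Packet) -> str:
    """IOS semantics: first matching entry wins; no match is an implicit deny."""
    for ace in acl:
        if ace_matches(ace, pkt):
            return ace.action
    return "deny"


# The thread's ACL:
#   deny icmp any host <public> echo
#   permit ip any any
DENY_IN = [
    Ace("deny", "icmp", "any", PUBLIC_IP, icmp_type=ICMP_ECHO),
    Ace("permit", "ip", "any", "any"),
]


def inbound_verdicts(acl: List[Ace] = DENY_IN) -> Dict[str, str]:
    """Verdicts for packets arriving on Fa4 from the Internet.

    The inbound ACL runs before outside->inside NAT, so every packet's
    destination is still the public address, even replies bound for the LAN.
    """
    cases = {
        "internet_ping_to_public_ip":
            Packet("icmp", "198.51.100.7", PUBLIC_IP, icmp_type=ICMP_ECHO),
        "echo_reply_to_lan_ping":
            Packet("icmp", "192.0.2.1", PUBLIC_IP, icmp_type=ICMP_ECHO_REPLY),
        "traceroute_time_exceeded":
            Packet("icmp", "192.0.2.9", PUBLIC_IP, icmp_type=ICMP_TIME_EXCEEDED),
        "traceroute_port_unreachable":
            Packet("icmp", "192.0.2.1", PUBLIC_IP, icmp_type=ICMP_UNREACHABLE),
        "rdp_to_static_nat":
            Packet("tcp", "198.51.100.7", PUBLIC_IP, dport=3389),
    }
    return {name: evaluate(acl, pkt) for name, pkt in cases.items()}


def verdict_after_lease_change(new_public_ip: str = "203.0.113.201") -> str:
    """Caveat: the deny is tied to a hard-coded address. If the Comcast DHCP
    lease hands Fa4 a new address, pings to it fall through to `permit ip any any`."""
    pkt = Packet("icmp", "198.51.100.7", new_public_ip, icmp_type=ICMP_ECHO)
    return evaluate(DENY_IN, pkt)


if __name__ == "__main__":
    for name, verdict in inbound_verdicts().items():
        print(f"{name:32s} {verdict}")
    print("after lease change:", verdict_after_lease_change())
```

Two things the model makes visible that the working config does not: the trailing `permit ip any any` means everything other than echo requests still reaches the public address, and the deny stops matching as soon as the DHCP lease changes the Fa4 address. A stateful approach such as CBAC, which the last reply mentions, would instead admit only the ICMP that answers an outbound echo and needs no hard-coded address.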
08-05-2009 04:21 PM
Right, good to figure that out. I was going to suggest CBAC if the router supports the feature and is able to handle the load.