
New Member

ACL assistance

Hello,

Attached is my configuration.

What I want to have happen is the 192.168.1.x users that originate traffic on the 'interface BVI1' to ping out on the Internet to any IP address.

I do not want anyone on the Internet to be able to ping my DHCP address from Comcast on Fa4.

Is that possible?

I only have one static NAT translation:

ip nat inside source static tcp 192.168.1.10 3389 interface FastEthernet4 3389

Thank you.

John

4 REPLIES

New Member (accepted solution)

Re: ACL assistance

Hello, if your Fa4 is Internet-facing you could add an inbound ACL to block any traffic you don't want to participate in a service, like DHCP and ping.

New Member

Re: ACL assistance

chinkevi,

That part is easy. But when I do that, the ICMP return packets originating from the LAN side are blocked.

New Member

Re: ACL assistance

This has been resolved.

All that was needed was this:

!
interface FastEthernet4
 ip address dhcp
 ip access-group deny_in in
 ip nat outside
!
!
ip nat inside source list 100 interface FastEthernet4 overload
ip nat inside source static tcp 192.168.1.10 3389 interface FastEthernet4 3389
!
ip access-list extended deny_in
 deny icmp any host xx.xx.124.200 echo
 permit ip any any
!

So all ICMP activity to my public IP address is blocked while all internal computers 192.168.1.x can ping/traceroute outbound.
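The following is an added illustration, not part of the thread and not Cisco code: a small first-match model of the inbound ACL on Fa4 that shows why the resolved ACL (deny echo requests to the public address, then permit everything) keeps LAN-originated ping and traceroute working, while the earlier blanket ICMP deny blocks the echo replies that those pings depend on. On IOS the inbound ACL on the NAT outside interface is evaluated before the outside-to-inside translation, so the destination the ACL sees is the router's public address, as modelled here. The public address 203.0.113.200 and the remote hosts are constructed placeholders (TEST-NET ranges) standing in for the redacted xx.xx.124.200. The last sample packet illustrates a caveat a practitioner would want to know: because Fa4 takes its address from DHCP while the ACL matches one fixed host address, a changed lease address is no longer covered by the deny entry.

```python
# Added example (not from the original thread or from Cisco): a first-match
# model of an IOS extended ACL applied inbound on the NAT outside interface.
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed stand-in for the thread's redacted public address xx.xx.124.200.
PUBLIC_IP = "203.0.113.200"


@dataclass(frozen=True)
class Packet:
    proto: str                        # "icmp", "tcp" or "udp"
    src: str
    dst: str                          # as seen before NAT, i.e. the public IP
    icmp_type: Optional[str] = None   # "echo", "echo-reply", "time-exceeded", ...
    dport: Optional[int] = None


@dataclass(frozen=True)
class Ace:
    """One access-list entry; None fields mean 'any'."""
    action: str                       # "permit" or "deny"
    proto: str                        # "ip" matches every protocol
    dst: Optional[str] = None
    icmp_type: Optional[str] = None

    def matches(self, pkt: Packet) -> bool:
        if self.proto != "ip" and self.proto != pkt.proto:
            return False
        if self.dst is not None and self.dst != pkt.dst:
            return False
        if self.icmp_type is not None and self.icmp_type != pkt.icmp_type:
            return False
        return True


def evaluate(acl: List[Ace], pkt: Packet) -> str:
    """IOS semantics: the first matching entry wins; no match is an implicit deny."""
    for ace in acl:
        if ace.matches(pkt):
            return ace.action
    return "deny"


# The thread's working ACL (deny_in): block echo requests aimed at the
# public address only, and let everything else through to NAT.
DENY_IN = [
    Ace("deny", "icmp", dst=PUBLIC_IP, icmp_type="echo"),
    Ace("permit", "ip"),
]

# The first attempt described in the thread: a blanket ICMP deny.
DENY_ALL_ICMP = [
    Ace("deny", "icmp"),
    Ace("permit", "ip"),
]

# Constructed traffic arriving inbound on Fa4 (addresses are placeholders).
SAMPLES: Dict[str, Packet] = {
    "internet_ping_in": Packet("icmp", "198.51.100.7", PUBLIC_IP, icmp_type="echo"),
    "reply_to_lan_ping": Packet("icmp", "198.51.100.7", PUBLIC_IP, icmp_type="echo-reply"),
    "traceroute_hop": Packet("icmp", "198.51.100.1", PUBLIC_IP, icmp_type="time-exceeded"),
    "rdp_to_static_nat": Packet("tcp", "198.51.100.7", PUBLIC_IP, dport=3389),
    # Same ping after the DHCP lease handed Fa4 a different address: the
    # fixed host entry in deny_in no longer matches it.
    "ping_after_new_lease": Packet("icmp", "198.51.100.7", "203.0.113.201", icmp_type="echo"),
}


def decisions(acl: List[Ace]) -> Dict[str, str]:
    """Evaluate every sample packet against one ACL and return the verdicts."""
    return {name: evaluate(acl, pkt) for name, pkt in SAMPLES.items()}


if __name__ == "__main__":
    for label, acl in (("deny_in (resolved)", DENY_IN), ("deny all icmp", DENY_ALL_ICMP)):
        print(label)
        for name, verdict in decisions(acl).items():
            print(f"  {name:22s} {verdict}")
```

Running the block prints both verdict tables: with deny_in the inbound echo request is dropped while the echo reply, the traceroute time-exceeded message and the RDP forward all pass, whereas the blanket ICMP deny also drops the reply and time-exceeded messages, which is exactly the symptom reported earlier in the thread.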

New Member

Re: ACL assistance

Right, good to figure that out. I was going to suggest CBAC if the router supports the feature and is able to handle the load.
