How to stop PING

junaid haroon
Level 1

Hi,

I have a router and one of its interfaces is configured with a live IP. I want to stop PING from the internet side, i.e. so that nobody can ping my live IP, whereas my internal users can still ping websites like google.com etc.

Please help me out with how I do this.

14 Replies

John Blakley
VIP Alumni

Easiest way is to put an ACL on the interface that you want to block it on:

access-list 100 deny icmp any any echo
access-list 100 permit ip any any

You need the permit any any line afterwards to allow all other traffic through.

HTH,
John

*** Please rate all useful posts ***

Hi John,

I applied the above ACL on the router interface and I could not ping the internal interface. I have VPN connectivity between two offices.

What I want is that no one can ping my live IP. My internal users can ping external websites, and I can also ping the router's internal interface through the VPN.

*** Edit ***

Actually, I labbed this up and it works fine for me. Can you post your config and a diagram?

HTH,
John

*** Please rate all useful posts ***

Hi

I applied the following ACL as you told me, but after applying this ACL I still cannot ping its internal interface via VPN.

ip access-list extended OUTSIDE
 ! wildcard masks (0.0.0.255 for a /24), not subnet masks
 permit icmp 192.168.0.0 0.0.0.255 any
 permit icmp 192.168.50.0 0.0.0.255 any
 permit icmp 192.168.10.0 0.0.0.255 any
 deny icmp any any echo
 permit ip any any
exit
int fa0/0
 ip access-group OUTSIDE in
end
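Added example, not from any poster in this thread: a small Python model of how IOS evaluates an extended ACL (top-down, first match wins, implicit deny at the end, Cisco wildcard masks), run over the OUTSIDE ACL discussed here with the VPN-side permits written as 0.0.0.255 wildcards, against constructed packets: an echo from the internet to the public address, an echo-reply returning to an inside user, and a decrypted echo from the head-office LAN. The 203.0.113.9 source is a constructed documentation address; the "host" keyword and NAT are not modelled, and the inbound ACL on fa0/0 is assumed to see the addresses before translation.

```python
import ipaddress
# Constructed model of IOS extended-ACL evaluation (added example, not Cisco code): entries
# are tested top-down, first match wins, implicit "deny ip any any" at the end; no "host" keyword.
ANY = ("0.0.0.0", "255.255.255.255")  # "any" = base 0.0.0.0 with an all-ones wildcard

def wildcard_match(addr, base, wildcard):
    # Cisco wildcard semantics: a 1 bit in the wildcard means "don't care" for that bit.
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    keep = ~w & 0xFFFFFFFF
    return (a & keep) == (b & keep)

def _addr(tokens):  # consume "any" or "<base> <wildcard>" from the front of the token list
    return (ANY, tokens[1:]) if tokens[0] == "any" else ((tokens[0], tokens[1]), tokens[2:])

def parse_acl(text):
    entries = []
    for line in text.splitlines():
        tokens = line.split()
        if not tokens or tokens[0] == "!":  # skip blank lines and IOS "!" comment lines
            continue
        action, proto, *rest = tokens
        src, rest = _addr(rest)
        dst, rest = _addr(rest)
        entries.append((action, proto, src, dst, rest[0] if rest else None))  # e.g. "echo"
    return entries

def evaluate(entries, proto, src, dst, icmp_type=None):
    for action, p, (sb, sw), (db, dw), t in entries:
        if p not in ("ip", proto):  # "ip" entries match every protocol
            continue
        if not (wildcard_match(src, sb, sw) and wildcard_match(dst, db, dw)):
            continue
        if t is not None and t != icmp_type:  # ICMP type qualifier, e.g. "echo"
            continue
        return action
    return "deny"  # implicit deny at the end of every ACL

ACL = parse_acl("""
permit icmp 192.168.0.0 0.0.0.255 any
permit icmp 192.168.50.0 0.0.0.255 any
permit icmp 192.168.10.0 0.0.0.255 any
deny icmp any any echo
permit ip any any
""")

if __name__ == "__main__":
    # Constructed packets as seen by "ip access-group OUTSIDE in" on fa0/0 (before NAT).
    print(evaluate(ACL, "icmp", "203.0.113.9", "58.27.221.42", "echo"))    # internet ping: deny
    print(evaluate(ACL, "icmp", "8.8.8.8", "58.27.221.42", "echo-reply"))  # reply to inside user: permit
    print(evaluate(ACL, "icmp", "192.168.0.5", "192.168.3.254", "echo"))   # decrypted VPN ping: permit
```

A subnet mask typed where a wildcard belongs (wildcard_match("192.168.0.5", "192.168.0.0", "255.255.255.0")) returns False, because a 255.255.255.0 wildcard matches only addresses whose last octet is 0.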

Hi,

In your post you are talking about ping from the internet to the outside interface of your router or firewall. In your last post you mentioned that you are unable to ping the inside host or interface from the VPN.

So what is your goal?

Regards,

Jan

Hi,

I mean the internal interface, not the external one. Look, without the above ACL I can ping its internal interface via VPN; after applying the ACL I can't.

My goal is very, very simple: no one can ping my internet interface, meaning the live IP. My users can ping external websites, and my VPN users can ping its internal interface.

Hi,

Could you please post the whole config of the router? It depends on how your VPN is configured.

I tried to reproduce your issue and the ACL works for inside hosts to the internet (traffic permitted), and from the internet to the public IP it also works.

I could not simulate your VPN because I don't have your config. What IP pool do you assign to VPN users?

Jan

Hi John Blakley,

Below is my configuration, please have a look at it and suggest to me how to implement the ACL to stop the ping from outside only.

Current configuration : 3135 bytes
!
version 12.2
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Store_RTR
!
logging queue-limit 100
enable password *******************
!
ip subnet-zero
!
!
no ip domain lookup
ip name-server 10.16.6.10
ip name-server 10.16.7.12
ip name-server 8.8.8.8
ip dhcp excluded-address 192.168.3.1 192.168.3.10
ip dhcp excluded-address 192.168.3.200 192.168.3.254
!
ip dhcp pool store
   network 192.168.3.0 255.255.255.0
   default-router 192.168.3.254
   dns-server 192.168.0.1 192.168.0.4
   lease 30
!
ip audit notify log
ip audit po max-events 100
!
!
!
crypto isakmp policy 10
 hash md5
 authentication pre-share
 group 2
crypto isakmp key ***************** address 124.109.46.242
!
!
crypto ipsec transform-set tset esp-des esp-md5-hmac
!
crypto map smap 10 ipsec-isakmp
 set peer 124.109.46.242
 set transform-set tset
 match address 101
!
!
!
!
!
!
!
!
!
!
no voice hpi capture buffer
no voice hpi capture destination
!
!
mta receive maximum-recipients 0
!
!
!
!
interface ATM0/0
 no ip address
 shutdown
 no atm ilmi-keepalive
 dsl operating-mode auto
!
interface FastEthernet0/0
 ip address 58.27.221.42 255.255.255.252
 ip nat outside
 duplex auto
 speed auto
 crypto map smap
!
interface BRI0/0
 no ip address
 shutdown
!
interface FastEthernet0/1
 description inside interface
 ip address 192.168.3.254 255.255.255.0
 ip access-group INSIDE-IN in
 ip nat inside
 duplex auto
 speed auto
!
ip nat inside source list 111 interface FastEthernet0/0 overload
ip http server
no ip http secure-server
ip classless
ip route 0.0.0.0 0.0.0.0 58.27.221.41
!
!
!
ip access-list extended INSIDE-IN
 permit ip 192.168.3.0 0.0.0.255 192.168.0.0 0.0.0.255
 permit ip 192.168.3.0 0.0.0.255 192.168.10.0 0.0.0.255
 permit ip 192.168.3.0 0.0.0.255 192.168.50.0 0.0.0.255
 permit ip 192.168.3.0 0.0.0.255 192.168.90.0 0.0.0.255
 permit ip 192.168.3.0 0.0.0.255 192.168.101.0 0.0.0.255
 permit ip 192.168.3.0 0.0.0.255 192.168.3.0 0.0.0.255
 permit tcp any any eq 67
 permit udp any any eq bootps
 permit tcp any any eq 68
 permit udp any any eq bootpc
 permit tcp any any eq 546
 permit udp any any eq 546
 permit tcp any any eq 547
 permit udp any any eq 547
 deny   ip any any
!
access-list 101 permit ip 192.168.3.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 101 permit ip 192.168.3.0 0.0.0.255 192.168.101.0 0.0.0.255
access-list 101 permit ip 192.168.3.0 0.0.0.255 192.168.50.0 0.0.0.255
access-list 101 permit ip 192.168.3.0 0.0.0.255 192.168.10.0 0.0.0.255
access-list 111 deny   ip 192.168.3.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 111 deny   ip 192.168.3.0 0.0.0.255 192.168.101.0 0.0.0.255
access-list 111 deny   ip 192.168.3.0 0.0.0.255 192.168.50.0 0.0.0.255
access-list 111 deny   ip 192.168.3.0 0.0.0.255 192.168.10.0 0.0.0.255
access-list 111 permit ip 192.168.3.0 0.0.0.255 any
!
route-map nat permit 10
 match ip address 111
!
call rsvp-sync
!
mgcp fax t38 ecm
!
mgcp profile default
!
!
!
dial-peer cor custom
!
!
!
!
!
Store_RTR#

John's first ACL is correct.

That will stop pings to the outside interface of your router but allow pings through the VPN tunnel.

Are you falling into the trap of just pinging from the remote router, which by default will use the outside interface that is not in the VPN? When pinging from the remote VPN router, do "ping 192.168.3.254 source vlan1" (or an IP address that is used in the VPN tunnel).

HTH

Richard

Richard's correct. If you're just pinging from the router without sourcing it, the router will use the public-side interface. The public interface won't know how to get to your far-side LAN interface over the tunnel, so if you source it from your internal interface, it should work fine. Otherwise, ping it from a workstation. I don't see anything wrong in the config other than not seeing the ACL that I gave you above. There's nothing applied to the WAN-side interface according to this config.

HTH,
John

*** Please rate all useful posts ***

Hi John,

As I told you before, when I applied the below ACL on the outside interface I could not ping its internal interface, which is 192.168.3.254, over the VPN.

So I cannot ping my internal interface over the VPN; that's why I removed that ACL.

ip access-list extended OUTSIDE
 ! wildcard masks (0.0.0.255 for a /24), not subnet masks
 permit icmp 192.168.0.0 0.0.0.255 any
 permit icmp 192.168.50.0 0.0.0.255 any
 permit icmp 192.168.10.0 0.0.0.255 any
 deny icmp any any echo
 permit ip any any
exit
int fa0/0
 ip access-group OUTSIDE in
end

Okay,

Try removing the permit icmp statements. They're not needed. Also, when you're pinging the inside interface, are you doing it from the other side of the tunnel on a different router or a host? Can you ping across to another host on the other side of the router's LAN interface?

HTH,
John

*** Please rate all useful posts ***

ambikamani
Level 1

Hi Junaid,

Can you please share the "sh ip access-list" result for that particular ACL.

Regards,

Ambi.M

John,

I am pinging its internal interface from my head office. It's my branch router configuration. There is VPN connectivity between the branch and head office. Hopefully now you get it.