Cisco Router Access List configuration problem - Help please

By jameshumphrey
Hello everyone,

I wonder if anyone can help. I am having real trouble disabling ICMP ping echo requests and other ICMP services using access lists. I will post my config, but I have tried what I know and what I have found on other boards with no success.

I have a Cisco 857 router; show ver:

Cisco IOS Software, SB107 Software (SB107-K9OY1-M), Version 12.4(10a), RELEASE SOFTWARE (fc2)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2006 by Cisco Systems, Inc.
Compiled Thu 12-Oct-06 03:48 by prod_rel_team

ROM: System Bootstrap, Version 12.2(11r)YV6, RELEASE SOFTWARE (fc1)

lutrtr uptime is 3 hours, 28 minutes
System returned to ROM by reload
System image file is "flash:sb107-k9oy1-mz.124-10a.bin"


This product contains cryptographic features and is subject to United
States and local country laws governing import, export, transfer and
use. Delivery of Cisco cryptographic products does not imply
third-party authority to import, export, distribute or use encryption.
Importers, exporters, distributors and users are responsible for
compliance with U.S. and local country laws. By using this product you
agree to comply with applicable laws and regulations. If you are unable
to comply with U.S. and local laws, return this product immediately.

A summary of U.S. laws governing Cisco cryptographic products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html

If you require further assistance please contact us by sending email to
export@cisco.com.

Cisco SB107 (MPC857DSL) processor (revision 0x500) with 58983K/6553K bytes of memory.
Processor board ID FHK104810H4, with hardware revision 513A
CPU rev number 7
1 Ethernet interface
1 ATM interface
128K bytes of NVRAM.
12288K bytes of processor board System flash (Read/Write)
2048K bytes of processor board Web flash (Read/Write)

Configuration register is 0x2102


I have obscured certain details in this config for obvious reasons.

Can anyone tell me where I am going wrong? Any help would be greatly appreciated!


rtr#show run
Building configuration...

Current configuration : 4430 bytes
!
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
no service timestamps debug uptime
no service timestamps log uptime
service password-encryption
service sequence-numbers
!
hostname lutrtr
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 debugging
logging console critical
enable secret 5 $1$iWAB$SENK.a01Xe67zkEoA.3hK1
!
no aaa new-model
clock timezone PCTime 0
clock summer-time PCTime date Mar 30 2003 1:00 Oct 26 2003 2:00
no ip source-route
no ip dhcp use vrf connected
ip dhcp excluded-address 10.11.0.1 10.11.1.0
ip dhcp excluded-address 10.11.1.101 10.11.255.254
!
ip dhcp pool sdm-pool1
import all
network 10.11.0.0 255.255.0.0
default-router 10.11.0.1
dns-server 212.23.3.100 212.23.6.100
!
!
ip tcp synwait-time 10
ip cef
ip domain name xxxxxxxxxxxxxxxx
ip name-server 212.23.3.100
ip name-server 212.23.6.100
no ip bootp server
ip ssh version 2
!
crypto pki trustpoint TP-self-signed-1974712959
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-1974712959
revocation-check none
rsakeypair TP-self-signed-1974712959
!
!
crypto pki certificate chain TP-self-signed-1974712959
certificate self-signed 01
3082024F 308201B8 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
69666963 6174652D 31393734 37313239 3539301E 170D3032 30333031 30303030
32395A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D31 39373437
31323935 3930819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
8100BCD4 ED538CAC 0DB74871 00BFC6 E222F243 3927B3BE 530168B3 A340F3D3
457BC749 68315655 CC0C0B5C 6A0CEF8F D5F1F493 EB8559C6 AA7638E7 B73F3D3D
4DED0615 55B7BB02 D37150 9FD1D22A A4E0E1C9 87FF904D 678479E5 50E5A9FB
0649C68A E86E74DC 68671A39 AF05D754 A097E9C1 DE746F98 19D6E2BA 2D6C1349
24CF0203 010001A3 77307530 0F060355 1D130101 FF040530 030101FF 30220603
551D1104 1B301982 176C7574 7274722E 73627377 6F726C64 77696465 2E636F6D
301F0603 551D2304 18301680 14084435 463E0404 D4F85374 3E8E5DF5 4FF1634D
33301D06 03551D0E 04160414 08443546 3E0404D4 F853743E 8E5DF54F F1634D33
300D0609 2A864886 F70D0101 04050003 8181002B 752CBB2F 3E672E80 4F0F81D0
47F46C80 A62D4536 8A72562E 09CD9942 CB8FF4B4 ED2A3CA9 E8ECBF61 BCC99423
6F6E13DE 8399A8CB C1E8B3C1 7A17DB1A A2E8C2EF 6F9DFE03 39076E0D E4FAFD6C
B2B23A9A 3658AE1A 65254392 6BC771CF 3DC9E66C B5872EDC 097BBADA 4F6F7775
DAD270CF 6037ADD4 C0C86442 07790DA0 93431E
quit
username admin privilege 15 secret 5 $1$t/qv$Jx1k2SnnzOJL1eTsHpbF3/
!
!
!
!
!
interface Ethernet0
description $ETH-LAN$$ETH-SW-LAUNCH$$INTF-INFO-Ethernet 10/100$$ES_LAN$$FW_INSIDE$
ip address xx.xx.xx.xx 255.255.255.248
ip access-group STOP-ICMP in
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
ip route-cache flow
hold-queue 100 out
!
interface ATM0
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip route-cache flow
no atm ilmi-keepalive
dsl operating-mode auto
!
interface ATM0.1 point-to-point
description $FW_OUTSIDE$$ES_WAN$
no snmp trap link-status
pvc 0/38
encapsulation aal5mux ppp dialer
dialer pool-member 1
!
!
interface Dialer0
ip unnumbered Ethernet0
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
encapsulation ppp
ip route-cache flow
dialer pool 1
dialer-group 1
ppp authentication chap pap callin
ppp chap hostname user@isp.com
ppp chap password 7 1435195302297E3822
ppp pap sent-username xxxx@isp.com password 7 123B0E4F1C2658172C
!
ip route 0.0.0.0 0.0.0.0 Dialer0
no ip http server
no ip http secure-server
ip http timeout-policy idle 5 life 86400 requests 10000
!
ip nat inside source list 100 interface Dialer0 overload
!
!
ip access-list extended STOP_ICMP
deny icmp any any
permit ip any any
logging trap debugging
access-list 101 deny icmp any any
access-list 101 permit ip any any
dialer-list 1 protocol ip permit
no cdp run
route-map word permit 10
!
!
control-plane
!
banner login ^CAuthorized access only!
Disconnect IMMEDIATELY if you are not an authorized user!^C
!
line con 0
login local
no modem enable
transport output telnet
line aux 0
login local
transport output telnet
line vty 0 4
privilege level 15
login local
transport input ssh
!
scheduler max-task-time 5000
scheduler interval 500
end

6 total posts (Page 1 of 1)

All Answers

Hmm, possibly the ip permit any any, as ICMP is IP

by CG IT In reply to Cisco Router Access List ...

But heck, putting in the deny icmp any any might do it... I dunno...

Unless allowed ACLs have deny... so something is allowing the ICMP packets through.

Default ACL behaviour is to deny all

by jameshumphrey In reply to humm possibly the ip perm ...

I thought the default ACL behaviour is to deny all. As this router is hundreds of miles away from me, I added the permit ip any any to ensure I didn't lose contact with the unit.

Is this wrong?

More changes, am I missing a trick?

by jameshumphrey In reply to Default ACL behavour is t ...

I had some rubbish left in the config from all my messing about. Here is the config now, still replying to ping. Am I missing a trick here?

rtr#show run
Building configuration...

Current configuration : 4415 bytes
!
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
no service timestamps debug uptime
no service timestamps log uptime
service password-encryption
service sequence-numbers
!
hostname rtr
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 debugging
logging console critical
enable secret 5 $1$iWAB$SENK.a01Xe67zkEoA.3hK1
!
no aaa new-model
clock timezone PCTime 0
clock summer-time PCTime date Mar 30 2003 1:00 Oct 26 2003 2:00
no ip source-route
no ip dhcp use vrf connected
ip dhcp excluded-address 10.11.0.1 10.11.1.0
ip dhcp excluded-address 10.11.1.101 10.11.255.254
!
ip dhcp pool sdm-pool1
import all
network 10.11.0.0 255.255.0.0
default-router 10.11.0.1
dns-server 212.23.3.100 212.23.6.100
!
!
ip tcp synwait-time 10
ip cef
ip domain name xxxx.com
ip name-server 212.23.3.100
ip name-server 212.23.6.100
no ip bootp server
ip ssh version 2
!
crypto pki trustpoint TP-self-signed-1974712959
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-1974712959
revocation-check none
rsakeypair TP-self-signed-1974712959
!
!
crypto pki certificate chain TP-self-signed-1974712959
certificate self-signed 01
3082024F 308201B8 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
69666963 6174652D 31393734 37313239 3539301E 170D3032 30333031 30303030
32395A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D31 39373437
31323935 3930819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
8100BCD4 ED538CAC 0DB74871 00BFC6 E222F243 3927B3BE 530168B3 A340F3D3
457BC749 68315655 CC0C0B5C 6A0CEF8F D5F1F493 EB8559C6 AA7638E7 B73F3D3D
4DED0615 55B7BB02 D37150 9FD1D22A A4E0E1C9 87FF904D 678479E5 50E5A9FB
0649C68A E86E74DC 68671A39 AF05D754 A097E9C1 DE746F98 19D6E2BA 2D6C1349
24CF0203 010001A3 77307530 0F060355 1D130101 FF040530 030101FF 30220603
551D1104 1B301982 176C7574 7274722E 73627377 6F726C64 77696465 2E636F6D
301F0603 551D2304 18301680 14084435 463E0404 D4F85374 3E8E5DF5 4FF1634D
33301D06 03551D0E 04160414 08443546 3E0404D4 F853743E 8E5DF54F F1634D33
300D06H9 2A864886 F70D0101 04050003 8181002B 752CBB2F 3E672E80 4F0F81D0
47F46C80 A62D4536 8A72562E 09CD9942 CB8FF4B4 ED2A3CA9 E8ECBF61 BCC99423
6F6E13DE 8399A8CB C1E8B3C1 7A17DB1A A2E8C2EF 6F9DFE03 39076E0D E4FAFD6C
B2B23A9A 3658AE1A 65254392 6BC771CF 3DC9E66C B5872EDC 097BBADA 4F6F7775
DAD270AF 6037ADD4 C0C86442 07790DA0 93431E
quit
username admin privilege 15 secret 5 $1$t/qv$JA1k2SnnzOPb1eTsHpbF3/
!
!
!
!
!
interface Ethernet0
description $ETH-LAN$$ETH-SW-LAUNCH$$INTF-INFO-Ethernet 10/100$$ES_LAN$$FW_INSIDE$
ip address xx.xx.xx.xx 255.255.255.248
ip access-group STOP_ICMP in
ip access-group STOP_ICMP out
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
ip route-cache flow
hold-queue 100 out
!
interface ATM0
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip route-cache flow
no atm ilmi-keepalive
dsl operating-mode auto
!
interface ATM0.1 point-to-point
description $FW_OUTSIDE$$ES_WAN$
no snmp trap link-status
pvc 0/38
encapsulation aal5mux ppp dialer
dialer pool-member 1
!
!
interface Dialer0
ip unnumbered Ethernet0
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
encapsulation ppp
ip route-cache flow
dialer pool 1
dialer-group 1
ppp authentication chap pap callin
ppp chap hostname xxx159471@xxx
ppp chap password 7 1435195302297E3822
ppp pap sent-username xxx159471@xxx password 7 12xxx3B0E4F1C2658172C
!
ip route 0.0.0.0 0.0.0.0 Dialer0
no ip http server
no ip http secure-server
ip http timeout-policy idle 5 life 86400 requests 10000
!
ip nat inside source list 100 interface Dialer0 overload
!
!
ip access-list extended STOP_ICMP
deny icmp any any echo
deny icmp any any echo-reply
logging trap debugging
dialer-list 1 protocol ip permit
no cdp run
route-map word permit 10
!
!
control-plane
!
banner login ^CAuthorized access only!
Disconnect IMMEDIATELY if you are not an authorized user!^C
!
line con 0
login local
no modem enable
transport output telnet
line aux 0
login local
transport output telnet
line vty 0 4
privilege level 15
login local
transport input ssh
!
scheduler max-task-time 5000
scheduler interval 500
end

No, not wrong; at the end of an access list is an implicit deny

by CG IT In reply to Default ACL behavour is t ...

Routers simply compare the traffic they get to an access list [those if-this-then-that statements].

If you're trying to stop ICMP ping on an external interface, then you need to apply the access list to that interface [inside/outside].

netman1958 is pretty good with Cisco stuff...

Wrong interface!!

by jameshumphrey In reply to no not wrong at the end ...

I was applying this access list to the wrong interface; it turns out I had to use Dialer0, as this is using an ADSL connection. Thanks for your helpful replies!
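
As an added example (not the poster's config and not CG IT's), here is the placement the last two replies arrive at, together with why the two posted configs let the pings through. In the first config the interface line says STOP-ICMP while the list is named STOP_ICMP, and IOS treats an access-group that names an undefined list as permit-all, so nothing was filtered. In the second config the list is on Ethernet0, but a ping to the router's public address comes in over the ADSL PVC on Dialer0 (which borrows Ethernet0's address through ip unnumbered), and the echo-reply is generated by the router itself, which outbound ACLs never filter; on top of that, a list containing only deny entries ends in the implicit deny CG IT mentions, so it would have dropped every LAN-side packet it did see. The admin host 203.0.113.10, the session prompts and the extra permit lines are assumptions; the two DNS servers are the ones in the posted config.

```cisco
! Added example (not the poster's config). SSH session on the 857.
! Assumed: 203.0.113.10 is the admin host you manage the router from.
!
! Remote box: schedule a reload so a lockout undoes itself in 10 minutes.
rtr#reload in 10
rtr#configure terminal
!
! Take the list off the LAN interface. There it could only match LAN-side
! traffic, and with no permit entry it blocks everything, because every
! access list ends in an implicit deny.
rtr(config)#interface Ethernet0
rtr(config-if)# no ip access-group STOP_ICMP in
rtr(config-if)# no ip access-group STOP_ICMP out
rtr(config-if)#exit
!
! Rebuild the list. First match wins, so the deny lines sit above the
! broad permits; anything not listed falls through to the implicit deny.
rtr(config)#no ip access-list extended STOP_ICMP
rtr(config)#ip access-list extended STOP_ICMP
rtr(config-ext-nacl)# remark --- management to the router itself ---
rtr(config-ext-nacl)# permit tcp host 203.0.113.10 any eq 22
rtr(config-ext-nacl)# remark --- what the thread asked for: no ping ---
rtr(config-ext-nacl)# deny icmp any any echo log
rtr(config-ext-nacl)# deny icmp any any echo-reply
rtr(config-ext-nacl)# remark --- ICMP that PMTUD and traceroute depend on ---
rtr(config-ext-nacl)# permit icmp any any packet-too-big
rtr(config-ext-nacl)# permit icmp any any ttl-exceeded
rtr(config-ext-nacl)# permit icmp any any unreachable
rtr(config-ext-nacl)# remark --- replies to sessions opened from inside ---
rtr(config-ext-nacl)# permit tcp any any established
rtr(config-ext-nacl)# permit udp host 212.23.3.100 eq domain any
rtr(config-ext-nacl)# permit udp host 212.23.6.100 eq domain any
rtr(config-ext-nacl)#exit
!
! Apply it where Internet traffic actually enters: inbound on Dialer0,
! which carries Ethernet0's public address via "ip unnumbered Ethernet0".
rtr(config)#interface Dialer0
rtr(config-if)# ip access-group STOP_ICMP in
rtr(config-if)#end
!
! Verify: ping the public address from outside (it should time out), then
! confirm the placement and watch the match counter on the echo line climb.
rtr#show ip interface Dialer0 | include access list
rtr#show ip access-lists STOP_ICMP
!
! SSH still works? Cancel the safety reload and save.
rtr#reload cancel
rtr#copy running-config startup-config
```

Two caveats a practitioner will want. `established` only checks for the ACK or RST bit, so it is a stopgap rather than state tracking; if the image carries the IOS Firewall feature set, `ip inspect` on Dialer0 is the stateful alternative. Denying echo-reply inbound also stops ping from the LAN outward, which is what the second posted config was already doing, so drop that line if outbound ping should keep working. Remove `log` once the counter confirms the match, since logged packets are punted off the fast path.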

Wherever you go, there you are... so did that fix it?

by CG IT In reply to Wrong interface!!