07-23-2001 12:08 AM - edited 02-20-2020 09:15 PM
How do I stop incoming ICMP yet allow internet communication? I have my web server on my side, so I don't want that to be affected if I stop ICMP, and ICMP has lots of subs like time zone etc. Can anyone suggest me a good ACL link, or some ACL configs? Thanks a lot in advance. You can SMS me at 9840036122@skycell-indya.com
07-24-2001 12:10 AM
Here's my generic ingress ACL template. Note that I permit into the protected network
only the bare ICMP functionality (IMO of course :-) ). Turning off ICMP altogether may be
overly restrictive - ICMP after all provides useful things, but this will depend on your site
security policy. Make sure you understand the tradeoffs.
Note that "!" indicates my commentary...
! Access list 101 is applied on the "external" interface - the assumption in this case is that
! we're touching the Internet (hence the RFC 1918 filters). We filter anything that wasn't
! originated from the inside, or is an ICMP message. You should substitute explicit
! subnets for "any" whenever possible.
!
! Anti-spoofing: Filter out loopback & RFC-1918 space (you may need to allow
! RFC-1918 if the router's environment routes this traffic, though). Last two lines deny
! traffic sourced from any broadcast address coming inbound, as well as any traffic with
! a source address of our internal network, which we would never expect to see anyhow.
!
access-list 101 deny ip 127.0.0.0 0.255.255.255 any log
access-list 101 deny ip 10.0.0.0 0.255.255.255 any log
access-list 101 deny ip 172.16.0.0 0.15.255.255 any log
access-list 101 deny ip 192.168.0.0 0.0.255.255 any log
access-list 101 deny ip host 255.255.255.255 any log
access-list 101 deny ip (internal net) 0.0.0.255 any log
!
! Allow ping responses, traceroute functionality, path MTU discovery. Bare minimum
! ICMP for reasonable functionality - we could tighten this down, but might break useful
! things.
!
access-list 101 permit icmp any (internal net) 0.0.0.255 echo-reply
access-list 101 permit icmp any (internal net) 0.0.0.255 time-exceeded
access-list 101 permit icmp any (internal net) 0.0.0.255 packet-too-big
access-list 101 permit icmp any (internal net) 0.0.0.255 traceroute
access-list 101 permit icmp any (internal net) 0.0.0.255 unreachable
!
! Permissions for established (ACK) TCP traffic to allow return traffic. This permission
! is handled in a "smarter" fashion in IOS Firewall. You might have to add lines to allow
! relevant stateless UDP to come back as well.
!
access-list 101 permit tcp any (internal net) 0.0.0.255 established
!
! Explicit permissions go here... in this case, we're allowing the Internet to come in on
! port 80 (WWW) to some internal host.
!
access-list 101 permit tcp any host (internal net) eq 80
!
! Add an explicit deny for administration's sake.
!
access-list 101 deny ip any any log
Hope this helps,
-Rakesh
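The following is an added example, not Rakesh's router configuration and not IOS code: a small Python simulation of first-match ACL evaluation that mirrors the rule order of the template above (anti-spoofing denies, minimal ICMP, established TCP, the port 80 permit, explicit logged deny). It lets you check offline which sample packets the list admits. The internal network 203.0.113.0/24 and the web host 203.0.113.10 are constructed placeholders standing in for "(internal net)" and "host (internal net)"; the sample packets are constructed too.

```python
"""First-match simulation of an IOS-style ingress ACL (added example).

Not the original poster's config and not IOS; it reproduces the order of the
access-list 101 template so its effect on sample packets can be checked offline.
INTERNAL_NET and WEB_SERVER are constructed placeholders for "(internal net)".
"""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import Dict, List, Optional, Tuple

ANY = ip_network("0.0.0.0/0")
INTERNAL_NET = ip_network("203.0.113.0/24")  # assumed "(internal net)"
WEB_SERVER = ip_network("203.0.113.10/32")   # assumed internal web host


@dataclass
class Packet:
    proto: str                       # "icmp", "tcp" or "udp"
    src: str
    dst: str
    icmp_type: Optional[str] = None  # IOS keyword, e.g. "echo", "echo-reply"
    dport: Optional[int] = None
    ack: bool = False                # TCP ACK or RST set -> "established"


@dataclass
class Rule:
    action: str                      # "permit" or "deny"
    proto: str                       # "ip" matches every protocol
    src: IPv4Network
    dst: IPv4Network
    icmp_type: Optional[str] = None
    dport: Optional[int] = None
    established: bool = False
    log: bool = False

    def matches(self, pkt: Packet) -> bool:
        if self.proto != "ip" and self.proto != pkt.proto:
            return False
        if ip_address(pkt.src) not in self.src or ip_address(pkt.dst) not in self.dst:
            return False
        if self.icmp_type is not None and pkt.icmp_type != self.icmp_type:
            return False
        if self.dport is not None and pkt.dport != self.dport:
            return False
        if self.established and not pkt.ack:
            return False
        return True


def deny_ip(src: str) -> Rule:
    return Rule("deny", "ip", ip_network(src), ANY, log=True)


def permit_icmp(icmp_type: str) -> Rule:
    return Rule("permit", "icmp", ANY, INTERNAL_NET, icmp_type=icmp_type)


# Same order as the template: anti-spoofing, minimal ICMP, established TCP,
# explicit service permit, explicit logged deny.
ACL_101: List[Rule] = [
    deny_ip("127.0.0.0/8"),
    deny_ip("10.0.0.0/8"),
    deny_ip("172.16.0.0/12"),
    deny_ip("192.168.0.0/16"),
    deny_ip("255.255.255.255/32"),
    deny_ip(str(INTERNAL_NET)),
    permit_icmp("echo-reply"),
    permit_icmp("time-exceeded"),
    permit_icmp("packet-too-big"),
    permit_icmp("traceroute"),
    permit_icmp("unreachable"),
    Rule("permit", "tcp", ANY, INTERNAL_NET, established=True),
    Rule("permit", "tcp", ANY, WEB_SERVER, dport=80),
    Rule("deny", "ip", ANY, ANY, log=True),
]


def evaluate(acl: List[Rule], pkt: Packet) -> Tuple[str, Optional[int]]:
    """Return (action, 1-based rule number); None means the implicit deny."""
    for number, rule in enumerate(acl, start=1):
        if rule.matches(pkt):
            return rule.action, number
    return "deny", None


# Constructed sample packets arriving inbound on the external interface.
SAMPLES: Dict[str, Packet] = {
    "spoofed_rfc1918": Packet("icmp", "10.1.1.1", "203.0.113.10", icmp_type="echo-reply"),
    "spoofed_internal": Packet("tcp", "203.0.113.5", "203.0.113.10", dport=80),
    "inbound_ping": Packet("icmp", "198.51.100.7", "203.0.113.10", icmp_type="echo"),
    "ping_reply": Packet("icmp", "198.51.100.7", "203.0.113.10", icmp_type="echo-reply"),
    "web_syn": Packet("tcp", "198.51.100.7", "203.0.113.10", dport=80),
    "tcp_return": Packet("tcp", "198.51.100.7", "203.0.113.20", dport=54321, ack=True),
    "ssh_to_lan_host": Packet("tcp", "198.51.100.7", "203.0.113.20", dport=22),
    "udp_dns_reply": Packet("udp", "198.51.100.53", "203.0.113.20", dport=53000),
}


def classify_samples() -> Dict[str, Tuple[str, Optional[int]]]:
    return {name: evaluate(ACL_101, pkt) for name, pkt in SAMPLES.items()}


if __name__ == "__main__":
    for name, (action, number) in classify_samples().items():
        where = f"rule {number}" if number else "implicit deny"
        print(f"{name:18s} {action:6s} ({where})")
```

Running it shows the behaviour the template's comments describe: an inbound echo request falls through to the explicit logged deny while the echo reply is admitted, the SYN to port 80 is admitted only for the web host, and an ACK-bearing segment to any internal address matches the established rule. The last sample, a UDP DNS reply, also hits the final deny, which is the stateless-UDP gap the answer warns about; a real deployment would add a permit for the relevant UDP return traffic or use stateful inspection.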