ACL assistance

bulgogi09
Level 1

Hello,

Attached is my configuration.

What I want to have happen is the 192.168.1.x users that originate traffic on the 'interface BVI1' to ping out on the Internet to any IP address.

I do not want anyone on the Internet to be able to ping my DHCP address from Comcast on Fa4.

Is that possible?

I only have one static NAT translation:

ip nat inside source static tcp 192.168.1.10 3389 interface FastEthernet4 3389

Thank you.

John

Accepted Solution

chinkevi_2
Level 1

Hello, if your Fa4 is Internet-facing you could add an inbound ACL to block any traffic you don't want to participate in a service, like DHCP and ping.


chinkevi,

That part is easy. But when I do that, the ICMP return packets originating from the LAN side are blocked.

bulgogi09
Level 1

This has been resolved.

All that was needed was this:

!
interface FastEthernet4
 ip address dhcp
 ip access-group deny_in in
 ip nat outside
!
! access-list 100 (the NAT inside source list) is not included in the post
ip nat inside source list 100 interface FastEthernet4 overload
ip nat inside source static tcp 192.168.1.10 3389 interface FastEthernet4 3389
!
ip access-list extended deny_in
 remark drop only echo requests aimed at the public address
 deny icmp any host xx.xx.124.200 echo
 remark everything else, including echo-replies for LAN-originated pings, is permitted
 permit ip any any
!

So all ICMP activity to my public IP address is blocked while all internal computers 192.168.1.x can ping/traceroute outbound.

Right, good to figure that out. I was going to suggest CBAC if the router supports the feature and is able to handle the load.
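To make the ordering behaviour in this thread concrete, here is an added example (not the poster's configuration, not Cisco code) that simulates first-match evaluation of an IOS-style inbound ACL over a handful of constructed packets as they arrive on the outside interface. It compares the "deny all ICMP" attempt that broke the LAN's return traffic, the `deny_in` list that resolved the thread, and a tighter variant of my own that lists only the replies the router actually needs. The public address 203.0.113.200, the peer address 198.51.100.7 and the sample packets are all assumptions chosen for illustration.

```python
"""Simulate top-down, first-match evaluation of an inbound interface ACL.

The outside-to-inside ACL on Fa4 is evaluated before NAT, so every inbound
packet still carries the router's public address as its destination.
"""
from dataclasses import dataclass

PUBLIC_IP = "203.0.113.200"   # stands in for the thread's xx.xx.124.200 (assumption)
INTERNET = "198.51.100.7"     # some host on the Internet (assumption)


@dataclass(frozen=True)
class Packet:
    proto: str                           # "icmp", "tcp" or "udp"
    src: str
    dst: str
    icmp_type: str = ""                  # "echo", "echo-reply", "time-exceeded", ...
    sport: int = 0
    dport: int = 0
    tcp_flags: frozenset = frozenset()   # e.g. {"SYN"} for a new connection, {"ACK"} for return traffic


def ace(action, proto, dst=None, icmp_type=None, sport=None, dport=None, established=False):
    """One access-control entry as (action, predicate).

    A field left as None matches anything, like 'any' in IOS syntax; proto "ip"
    matches every protocol; established is true only for segments with ACK or RST set.
    """
    def match(p):
        return (
            (proto == "ip" or p.proto == proto)
            and (dst is None or p.dst == dst)
            and (icmp_type is None or p.icmp_type == icmp_type)
            and (sport is None or p.sport == sport)
            and (dport is None or p.dport == dport)
            and (not established or bool(p.tcp_flags & {"ACK", "RST"}))
        )
    return action, match


def evaluate(acl, packet):
    """Walk the list top-down; the first matching entry decides, otherwise implicit deny."""
    for action, match in acl:
        if match(packet):
            return action
    return "deny"


# The poster's first attempt: block every inbound ICMP packet. This also drops
# the echo-replies coming back for pings that the 192.168.1.x hosts originated.
DENY_ALL_ICMP = [
    ace("deny", "icmp"),
    ace("permit", "ip"),
]

# The list that resolved the thread: only echo *requests* to the public address are dropped.
DENY_IN = [
    ace("deny", "icmp", dst=PUBLIC_IP, icmp_type="echo"),
    ace("permit", "ip"),
]

# A tighter stateless list (my own variant, not from the thread): permit only the
# replies and services the router needs and let everything else hit the implicit deny.
TIGHT = [
    ace("permit", "icmp", dst=PUBLIC_IP, icmp_type="echo-reply"),     # replies to LAN pings
    ace("permit", "icmp", dst=PUBLIC_IP, icmp_type="time-exceeded"),  # traceroute hops
    ace("permit", "icmp", dst=PUBLIC_IP, icmp_type="unreachable"),    # path MTU / errors
    ace("permit", "tcp", dst=PUBLIC_IP, established=True),            # return half of LAN TCP sessions
    ace("permit", "udp", dst=PUBLIC_IP, sport=67, dport=68),          # DHCP lease renewals from the ISP
    ace("permit", "tcp", dst=PUBLIC_IP, dport=3389),                  # the static NAT for RDP
]

# Constructed sample traffic arriving inbound on the outside interface.
SAMPLES = {
    "echo request from Internet":   Packet("icmp", INTERNET, PUBLIC_IP, icmp_type="echo"),
    "echo reply to LAN ping":       Packet("icmp", INTERNET, PUBLIC_IP, icmp_type="echo-reply"),
    "time-exceeded for traceroute": Packet("icmp", INTERNET, PUBLIC_IP, icmp_type="time-exceeded"),
    "RDP to static NAT":            Packet("tcp", INTERNET, PUBLIC_IP, sport=51000, dport=3389,
                                           tcp_flags=frozenset({"SYN"})),
    "return traffic of LAN HTTPS":  Packet("tcp", INTERNET, PUBLIC_IP, sport=443, dport=54321,
                                           tcp_flags=frozenset({"ACK"})),
    "DHCP renewal from ISP":        Packet("udp", INTERNET, PUBLIC_IP, sport=67, dport=68),
    "unsolicited SSH probe":        Packet("tcp", INTERNET, PUBLIC_IP, sport=40000, dport=22,
                                           tcp_flags=frozenset({"SYN"})),
}


def run(acl):
    """Return {sample name: "permit" | "deny"} for one ACL."""
    return {name: evaluate(acl, pkt) for name, pkt in SAMPLES.items()}


if __name__ == "__main__":
    for label, acl in (("deny all icmp", DENY_ALL_ICMP), ("deny_in", DENY_IN), ("tight", TIGHT)):
        print(f"--- {label}")
        for name, verdict in run(acl).items():
            print(f"{verdict:6}  {name}")
```

Running it shows why the first attempt failed: `deny icmp any any` matches the echo-reply before the `permit ip any any` line is ever reached, whereas `deny_in` only matches echo requests, so replies and traceroute responses fall through to the permit. The tighter list blocks the inbound echo request and the SSH probe through the implicit deny, but note that it deliberately has no entry for UDP return traffic such as DNS replies, which a stateless ACL cannot track cleanly; that gap is exactly what the stateful inspection (CBAC) mentioned at the end of the thread is for.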
