08-04-2009 10:23 PM - edited 03-04-2019 05:38 AM
Hello,
Attached is my configuration.
What I want to have happen is for the 192.168.1.x users that originate traffic on 'interface BVI1' to be able to ping out to any IP address on the Internet.
I do not want anyone on the Internet to be able to ping my DHCP address from Comcast on Fa4.
Is that possible?
I only have one static NAT translation:
ip nat inside source static tcp 192.168.1.10 3389 interface FastEthernet4 3389
Thank you.
John
08-04-2009 10:52 PM
Hello, if your Fa4 is Internet facing you could add an inbound ACL to block any traffic you don't want to participate in a service, like DHCP and ping.
08-04-2009 11:14 PM
chinkevi,
That part is easy. But when I do that the ICMP return packets originating from the LAN side are blocked.
08-05-2009 08:07 AM
This has been resolved.
All that was needed was this:
!
interface FastEthernet4
 ip address dhcp
 ip access-group deny_in in
 ip nat outside
!
!
ip nat inside source list 100 interface FastEthernet4 overload
ip nat inside source static tcp 192.168.1.10 3389 interface FastEthernet4 3389
!
ip access-list extended deny_in
 deny icmp any host xx.xx.124.200 echo
 permit ip any any
!
So all ICMP activity to my public IP address is blocked while all internal computers 192.168.1.x can ping/traceroute outbound.
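The reason this ACL works where a blanket ICMP deny did not is that `deny icmp any host <public-ip> echo` matches only ICMP type 8 (echo request), so the echo-replies and TTL-exceeded messages that come back to the NAT address for the LAN hosts' pings and traceroutes still hit `permit ip any any`. The following is an added example, not code from the thread: a small stateless evaluator in Python that walks the posted access-list top to bottom (first match wins, implicit deny at the end, as IOS does) over a few constructed inbound packets. The public address is a placeholder from the documentation range standing in for the masked xx.xx.124.200, and the `Packet`/`AclEntry` names are this example's own.

```python
"""
Added example: stateless first-match evaluation of the thread's 'deny_in' ACL.
Not from the original post; PUBLIC_IP is a placeholder for the masked address.
"""
from dataclasses import dataclass
from typing import List, Optional

# Placeholder for the poster's masked public IP (xx.xx.124.200); TEST-NET-3 range.
PUBLIC_IP = "203.0.113.200"

# ICMP type numbers from RFC 792.
ICMP_ECHO_REPLY = 0
ICMP_ECHO_REQUEST = 8
ICMP_TIME_EXCEEDED = 11


@dataclass
class Packet:
    proto: str                      # "icmp", "tcp" or "udp"
    src: str
    dst: str
    icmp_type: Optional[int] = None
    dport: Optional[int] = None


@dataclass
class AclEntry:
    action: str                     # "permit" or "deny"
    proto: str                      # "ip" matches any protocol
    src: str                        # "any" or a single host address
    dst: str
    icmp_type: Optional[int] = None # None = any ICMP type (a plain 'deny icmp')

    def matches(self, pkt: Packet) -> bool:
        if self.proto != "ip" and self.proto != pkt.proto:
            return False
        if self.src != "any" and self.src != pkt.src:
            return False
        if self.dst != "any" and self.dst != pkt.dst:
            return False
        if self.icmp_type is not None and pkt.icmp_type != self.icmp_type:
            return False
        return True


def evaluate(acl: List[AclEntry], pkt: Packet) -> str:
    """First matching entry decides; IOS ends every ACL with an implicit deny."""
    for entry in acl:
        if entry.matches(pkt):
            return entry.action
    return "deny"


# The posted access-list, entry for entry.
DENY_IN = [
    AclEntry("deny", "icmp", "any", PUBLIC_IP, icmp_type=ICMP_ECHO_REQUEST),
    AclEntry("permit", "ip", "any", "any"),
]

# The variant that caused the earlier complaint: every ICMP message to the
# public IP is dropped, including the replies the LAN hosts are waiting for.
BLOCK_ALL_ICMP = [
    AclEntry("deny", "icmp", "any", PUBLIC_IP),
    AclEntry("permit", "ip", "any", "any"),
]

# Constructed sample packets as seen inbound on Fa4 (after NAT, replies to a
# LAN host's ping are addressed to the public IP).
PING_FROM_INTERNET = Packet("icmp", "198.51.100.7", PUBLIC_IP, ICMP_ECHO_REQUEST)
REPLY_TO_LAN_PING = Packet("icmp", "198.51.100.9", PUBLIC_IP, ICMP_ECHO_REPLY)
TRACEROUTE_HOP = Packet("icmp", "192.0.2.1", PUBLIC_IP, ICMP_TIME_EXCEEDED)
RDP_TO_STATIC_NAT = Packet("tcp", "198.51.100.7", PUBLIC_IP, dport=3389)


def inbound_ping_from_internet() -> str:
    return evaluate(DENY_IN, PING_FROM_INTERNET)      # deny


def echo_reply_for_lan_host() -> str:
    return evaluate(DENY_IN, REPLY_TO_LAN_PING)       # permit


def traceroute_ttl_exceeded() -> str:
    return evaluate(DENY_IN, TRACEROUTE_HOP)          # permit


def rdp_to_static_nat() -> str:
    return evaluate(DENY_IN, RDP_TO_STATIC_NAT)       # permit


def echo_reply_with_blanket_deny() -> str:
    return evaluate(BLOCK_ALL_ICMP, REPLY_TO_LAN_PING)  # deny, the original problem


if __name__ == "__main__":
    for name, fn in [("ping from Internet", inbound_ping_from_internet),
                     ("echo-reply to LAN ping", echo_reply_for_lan_host),
                     ("traceroute TTL-exceeded", traceroute_ttl_exceeded),
                     ("RDP to static NAT", rdp_to_static_nat),
                     ("echo-reply with blanket deny", echo_reply_with_blanket_deny)]:
        print(f"{name:32s} -> {fn()}")
```

The evaluator is deliberately stateless, like the ACL itself: it never remembers that a LAN host sent an echo request. That is why the fix has to be expressed in terms of ICMP type rather than "ICMP from outside", and it is the gap that a stateful inspection feature such as CBAC closes by permitting return traffic only for sessions the inside initiated.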
08-05-2009 04:21 PM
Right, good to figure that out. I was going to suggest CBAC if the router supports the feature and is able to handle the load.