06-14-2009 09:54 PM - edited 03-04-2019 05:07 AM
Hi,
We need to apply some strict security rules for one of our clients because of the nature of their business. For the ADSL sites, we can log in to the router only via some fixed management stations, and ssh/telnet traffic from others will be dropped. I have attached a Visio diagram.
Likewise, because of the stringent rules the remote users are not allowed to ping their local gateway (192.168.219.158), and most of the time they find it hard to troubleshoot any local LAN issues. So I tried to relax the rules to allow only the local users to ping their interface, with pings from any other source being dropped. But, unfortunately, I didn't succeed in this attempt, and once I apply the following configs I can ping from anywhere in the network.
In short, I want to allow the PCs on the local network to ping their router's LAN interface, and pings from any other source should be dropped.
ip access-list extended LAN-IN
permit tcp host 192.168.128.48 host 192.168.219.158 eq 22
permit icmp 192.168.219.152 0.0.0.7 host 192.168.219.158 echo
permit icmp 192.168.219.152 0.0.0.7 host 192.168.219.158 echo-reply
deny ip any host 192.168.219.158 log
permit ip any any
ip access-list extended LAN-OUT
permit tcp host 192.168.219.158 host 192.168.128.48 eq 22
permit icmp host 192.168.219.158 192.168.219.152 0.0.0.7 echo-reply
permit icmp host 192.168.219.158 192.168.219.152 0.0.0.7 echo
deny ip host 192.168.219.158 any log
permit ip any any
Can someone throw some light on this for me please?
Thanks
Rajesh
06-15-2009 02:46 AM
Rajesh,
Assuming the LAN is on the interface with the .158 address.
u allow ICMP from hosts to GTW, block all remaining ICMP, then permit all IP ANY ANY.
##LAN-IN ACL##
permit icmp 192.168.219.152 0.0.0.7 host 192.168.219.158 echo
permit icmp 192.168.219.152 0.0.0.7 host 192.168.219.158 echo-reply
deny icmp 192.168.219.152 0.0.0.7 host 192.168.219.158 echo (or deny icmp 192.168.219.152 0.0.0.7 any echo)
permit ip any any
U allow telnet from the Mngt box to the DSL router; no need to block ICMP again, though u can. Then permit all IP traffic.
##LAN-OUT ACL##
permit tcp host 192.168.128.48 host 192.168.129.158 eq 22
permit ip any any
If u need to block ICMP from the WAN, u need an ACL on the WAN.
HTH
Sam
06-15-2009 04:07 PM
Thanks for your reply Cisco LAD.
I need to confirm a couple of things, and I still have some issues in achieving the results.
permit icmp 192.168.219.152 0.0.0.7 host 192.168.219.158 echo
permit icmp 192.168.219.152 0.0.0.7 host 192.168.219.158 echo-reply
deny icmp 192.168.219.152 0.0.0.7 host 192.168.219.158 echo
If I use the above lines I am able to ping the GW interface from anywhere in the network.
When I apply the following lines, I am able to ping the gateway only from the LAN; on the other hand all ICMP is getting blocked, since I can't ping some servers in the core.
permit icmp 192.168.219.152 0.0.0.7 host 192.168.219.158 echo
permit icmp 192.168.219.152 0.0.0.7 host 192.168.219.158 echo-reply
deny icmp 192.168.219.152 0.0.0.7 any echo
In short, I want to ping the default GW only from the local LAN subnet and block the pings from any other source. As I mentioned, I am kind of achieving this with the 2nd set of ACLs, but it's blocking other pings to the core.
I partially understand the use of the deny statement (3rd line), and it will be great if someone explains it to me a bit more.
Thanks
Rajesh
06-15-2009 06:00 PM
deny icmp 192.168.219.152 0.0.0.7 any echo
This line of yours is blocking pings from 192.168.219.152 0.0.0.7 to any other address, which may be the address of your servers.
I hope your intention is to permit from network 192.168.219.152 0.0.0.7 to 192.168.219.158 and block the rest to 192.168.219.158.
You can change the above line to
deny icmp any host 192.168.219.158 echo
If I have understood ur problem then this will block all the pings, leaving 192.168.219.152 0.0.0.7.
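Worked example, added here and not part of the thread or of any Cisco code: a small Python simulation of the first-match evaluation an IOS extended ACL performs, run over the three ACL variants discussed above. It models only the keywords the thread uses (host, any, wildcard masks, eq, echo, echo-reply, log) and assumes constructed addresses for a core server (10.1.1.10) and a host outside the LAN (192.168.1.20). It shows why the first set permits the ping from the outside host (the deny is shadowed, so `permit ip any any` decides), why the second set kills LAN pings to the core (the deny's destination is `any`), and why `deny icmp any host 192.168.219.158 echo` after the two LAN permits gives the intended result. It also reports entries that an earlier line fully covers, which is what makes the deny in the first set dead. Keep in mind that an inbound ACL only sees packets arriving on the interface it is applied to, so this simulates the ACL logic itself, not which interface a WAN-side ping enters on.

```python
"""Simulate first-match evaluation of IOS extended ACL entries (constructed model)."""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    proto: str                        # "icmp", "tcp" or "udp"
    src: str
    dst: str
    icmp_type: Optional[str] = None   # "echo" or "echo-reply" for ICMP
    dport: Optional[int] = None       # TCP/UDP destination port


def _ip(a: str) -> int:
    return int(ipaddress.IPv4Address(a))


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    # IOS wildcard masks: a 1 bit means "don't care"; 'host X' is wildcard 0.0.0.0.
    care = ~_ip(wildcard)
    return (_ip(addr) & care) == (_ip(base) & care)


def parse_entry(line: str) -> dict:
    """Parse 'permit|deny <proto> <src> <dst> [eq N] [echo|echo-reply] [log]'."""
    tokens = line.split()
    action, proto, rest = tokens[0], tokens[1], tokens[2:]

    def take_addr():
        nonlocal rest
        if rest[0] == "host":
            addr, rest = rest[1], rest[2:]
            return addr, "0.0.0.0"
        if rest[0] == "any":
            rest = rest[1:]
            return "0.0.0.0", "255.255.255.255"
        addr, wc, rest = rest[0], rest[1], rest[2:]
        return addr, wc

    entry = {"action": action, "proto": proto, "src": take_addr(),
             "dst": take_addr(), "icmp_type": None, "dport": None, "text": line}
    while rest:
        tok = rest.pop(0)
        if tok == "eq":
            entry["dport"] = int(rest.pop(0))
        elif tok in ("echo", "echo-reply"):
            entry["icmp_type"] = tok
        # 'log' changes logging only, never the match decision
    return entry


def entry_matches(e: dict, p: Packet) -> bool:
    return (e["proto"] in ("ip", p.proto)
            and wildcard_match(p.src, *e["src"])
            and wildcard_match(p.dst, *e["dst"])
            and e["icmp_type"] in (None, p.icmp_type)
            and e["dport"] in (None, p.dport))


def evaluate(acl: list, p: Packet) -> tuple:
    """Return (action, entry) of the first matching entry; an ACL ends in an implicit deny."""
    for line in acl:
        e = parse_entry(line)
        if entry_matches(e, p):
            return e["action"], line
    return "deny", "implicit deny ip any any"


def _covers(outer: dict, inner: dict) -> bool:
    # Every packet matching `inner` also matches `outer`, so `inner` can never fire.
    def addr_covers(o, i):
        ob, ow, ib, iw = _ip(o[0]), _ip(o[1]), _ip(i[0]), _ip(i[1])
        return (iw & ~ow) == 0 and (ob & ~ow) == (ib & ~ow)
    return (outer["proto"] in ("ip", inner["proto"])
            and addr_covers(outer["src"], inner["src"])
            and addr_covers(outer["dst"], inner["dst"])
            and outer["icmp_type"] in (None, inner["icmp_type"])
            and outer["dport"] in (None, inner["dport"]))


def shadowed_entries(acl: list) -> list:
    """Entries fully covered by an earlier entry: dead lines, whatever their action."""
    entries = [parse_entry(line) for line in acl]
    return [e["text"] for i, e in enumerate(entries)
            if any(_covers(prev, e) for prev in entries[:i])]


# Constructed test packets: a LAN host, a core server and a host outside the LAN.
LAN_GW = Packet("icmp", "192.168.219.153", "192.168.219.158", icmp_type="echo")
LAN_CORE = Packet("icmp", "192.168.219.153", "10.1.1.10", icmp_type="echo")
OTHER_GW = Packet("icmp", "192.168.1.20", "192.168.219.158", icmp_type="echo")

LAN_PERMITS = ["permit icmp 192.168.219.152 0.0.0.7 host 192.168.219.158 echo",
               "permit icmp 192.168.219.152 0.0.0.7 host 192.168.219.158 echo-reply"]
FIRST_TRY = LAN_PERMITS + ["deny icmp 192.168.219.152 0.0.0.7 host 192.168.219.158 echo",
                           "permit ip any any"]
SECOND_TRY = LAN_PERMITS + ["deny icmp 192.168.219.152 0.0.0.7 any echo", "permit ip any any"]
FIXED = LAN_PERMITS + ["deny icmp any host 192.168.219.158 echo", "permit ip any any"]


def verdicts(acl: list) -> dict:
    """Action the ACL takes for each of the three sample pings."""
    return {name: evaluate(acl, p)[0] for name, p in
            (("lan->gw", LAN_GW), ("lan->core", LAN_CORE), ("other->gw", OTHER_GW))}


if __name__ == "__main__":
    for name, acl in (("first", FIRST_TRY), ("second", SECOND_TRY), ("fixed", FIXED)):
        print(name, verdicts(acl), "shadowed:", shadowed_entries(acl))
```

Running it prints one line per variant; the first variant reports its deny as shadowed and permits all three pings, the second denies lan->core, and the fixed variant permits both LAN pings while denying the ping from outside the LAN.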