Blocking Ping/echo requests on public interface.

I'm struggling to block echo/ping requests on my public-facing port. After some advice, I have tried applying an ACL to the .101 and to the physical interface, but it appears to break everything. Below is my working config. My connection is presented over a VDSL interface; essentially, that's the one I want to block incoming pings on, while the internal side works as normal.

!
! Last configuration change at 20:30:49 UTC Thu Jun 11 2020
!
version 15.7
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname xxxxxx
!
boot-start-marker
boot system flash:c1900-universalk9-mz.SPA.157-3.M6.bin
boot-end-marker
!
!
enable secret 5 xxxxxx
!
no aaa new-model
!
!
!
!
!
!
!
!
!
ip dhcp excluded-address 192.168.0.1 192.168.0.20
!
ip dhcp pool DHCP Address Pool
network 192.168.0.0 255.255.255.0
default-router 192.168.0.1
dns-server 90.207.238.97 90.207.238.99 8.8.8.8 8.8.4.4
domain-name xxxxxx
lease 7
!
!
!
no ip domain lookup
ip cef
no ipv6 cef
!
multilink bundle-name authenticated
!
cts logging verbose
!
!
license udi pid CISCO1921/K9 sn FCZ200261EA
!
!
!
redundancy
!
!
!
!
!
controller VDSL 0/0/0
!
!
!
!
!
!
!
!
!
!
!
interface Embedded-Service-Engine0/0
no ip address
shutdown
!
interface GigabitEthernet0/0
no ip address
shutdown
duplex auto
speed auto
!
interface GigabitEthernet0/1
no ip address
shutdown
duplex auto
speed auto
!
interface ATM0/0/0
no ip address
shutdown
no atm ilmi-keepalive
!
interface Ethernet0/0/0
mac-address xxxxxx
no ip address
!
interface Ethernet0/0/0.101
encapsulation dot1Q 101
ip dhcp client request classless-static-route
ip dhcp client client-id hex xxxxxx
ip dhcp client hostname xxxxxx
ip address dhcp
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
ip virtual-reassembly in
!
interface GigabitEthernet0/1/0
switchport mode trunk
no ip address
!
interface GigabitEthernet0/1/1
switchport mode access
no ip address
!
interface GigabitEthernet0/1/2
switchport mode access
no ip address
!
interface GigabitEthernet0/1/3
switchport mode access
no ip address
!
interface Vlan1
ip address 192.168.0.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server
!
ip nat inside source list 1 interface Ethernet0/0/0.101 overload
ip route 0.0.0.0 0.0.0.0 Ethernet0/0/0.101 dhcp
!
!
!
!
control-plane
!
!
line con 0
line aux 0
line 2
no activation-character
no exec
transport preferred none
transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
stopbits 1
line vty 0 4
login
transport input none
!
scheduler allocate 20000 1000
!
end


4 Replies

Richard Burts
Hall of Fame

I note a couple of things in looking at your config:

- you have configured address translation (I see nat inside, nat outside, and a dynamic nat translation using access list 1). But I do not see access list 1. Did something happen to it?

- I do not see anything that is attempting to block ping. What I would expect to see is some access list configured that will deny the types of traffic that you want to deny and then permits everything else. And I would expect to see that access list applied using ip access-group inbound on the .101 subinterface.

- there is one interface configured as a trunk. But there is only a single vlan mentioned in the config. I do not understand what the trunk is about. (I note this but also say that this is not related to your question about ping)

HTH

Rick

That's because I clearly don't know how to copy/paste from the right file...

I have access-list 103 deny icmp any any echo, but if I apply it to the .101, I seem to lose connectivity (at least as far as internet access from a client).

Trunk is pending me setting up my Aruba controller when I have some time... but at the mo, no other VLANs are actually running...

(the actual config that I am stuck with...)

!
! Last configuration change at 20:45:18 UTC Thu Jun 11 2020
!
version 15.7
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname xxxxxx
!
boot-start-marker
boot system flash:c1900-universalk9-mz.SPA.157-3.M6.bin
boot-end-marker
!
!
enable secret 5 xxxxxx
!
no aaa new-model
!
!
!
!
!
!
!
!
!
ip dhcp excluded-address 192.168.0.1 192.168.0.20
!
ip dhcp pool DHCP Address Pool
network 192.168.0.0 255.255.255.0
default-router 192.168.0.1
dns-server 90.207.238.97 90.207.238.99 8.8.8.8 8.8.4.4
domain-name xxxxxx
lease 7
!
!
!
no ip domain lookup
ip cef
no ipv6 cef
!
multilink bundle-name authenticated
!
cts logging verbose
!
!
license udi pid CISCO1921/K9 sn FCZ200261EA
!
!
!
redundancy
!
!
!
!
!
controller VDSL 0/0/0
!
!
!
!
!
!
!
!
!
!
!
interface Embedded-Service-Engine0/0
no ip address
shutdown
!
interface GigabitEthernet0/0
no ip address
shutdown
duplex auto
speed auto
!
interface GigabitEthernet0/1
no ip address
shutdown
duplex auto
speed auto
!
interface ATM0/0/0
no ip address
shutdown
no atm ilmi-keepalive
!
interface Ethernet0/0/0
mac-address xxxxxx
no ip address
!
interface Ethernet0/0/0.101
encapsulation dot1Q 101
ip dhcp client request classless-static-route
ip dhcp client client-id hex 32344137444331353137383240736B7964736C
ip dhcp client hostname 24A7DC151782@skydsl|db06b35612
ip address dhcp
ip access-group 101 in
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
ip virtual-reassembly in
!
interface GigabitEthernet0/1/0
switchport mode trunk
no ip address
!
interface GigabitEthernet0/1/1
switchport mode access
no ip address
!
interface GigabitEthernet0/1/2
switchport mode access
no ip address
!
interface GigabitEthernet0/1/3
switchport mode access
no ip address
!
interface Vlan1
ip address 192.168.0.1 255.255.255.0
ip access-group 100 in
ip nat inside
ip virtual-reassembly in
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server
!
ip nat inside source list 1 interface Ethernet0/0/0.101 overload
ip route 0.0.0.0 0.0.0.0 Ethernet0/0/0.101 dhcp
!
!
!
access-list 1 permit 192.168.0.0 0.0.0.255
access-list 23 permit 192.168.0.0 0.0.0.255
access-list 100 deny ip host 255.255.255.255 any
access-list 100 deny ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip any any
access-list 100 deny tcp any any eq telnet
access-list 100 deny tcp any any eq www
access-list 101 deny icmp any any echo
access-list 101 deny icmp any any echo-reply
!
control-plane
!
!
line con 0
line aux 0
line 2
no activation-character
no exec
transport preferred none
transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
stopbits 1
line vty 0 4
login
transport input none
!
scheduler allocate 20000 1000
!
end

Hello,

You need to add the line marked with --> below to your access list. Access lists have an implicit 'deny all' at the end, so everything you do not explicitly permit is denied:

access-list 101 deny icmp any any echo
access-list 101 deny icmp any any echo-reply

--> access-list 101 permit ip any any

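To make the two points raised in this thread concrete, the implicit deny that the accepted answer describes and the "deny what you want, then permit everything else" structure Richard expects, here is an added example (not from the thread and not Cisco code): a small Python model of IOS first-match ACL evaluation, run over ACL 101 as the OP applied it, over ACL 101 with the accepted answer's permit line, and over the tail of the OP's ACL 100, whose two deny lines follow a permit-all. Only the 'any any' entry forms that appear in the thread are modelled; the Packet class and the probe set are constructed for the example.

```python
# Added example (not from the thread): a small model of Cisco IOS numbered-ACL
# semantics. Entries are checked top-down, the first match wins, and a packet
# matching no entry hits the implicit "deny any" at the end of every ACL.
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    proto: str            # "icmp" or "tcp"
    dport: int = 0        # TCP destination port (unused for ICMP)
    icmp_type: str = ""   # "echo" or "echo-reply" for ICMP

def parse_ace(line):
    """Parse 'access-list N <permit|deny> <proto> any any [echo|echo-reply|eq <svc>]'
    (only the 'any any' forms used in the thread are modelled)."""
    parts = line.split()
    action, proto, qualifier = parts[2], parts[3], parts[6:]
    def matches(pkt):
        if proto not in ("ip", pkt.proto):
            return False
        if not qualifier:                    # bare protocol match
            return True
        if pkt.proto == "icmp":              # qualifier names the ICMP type
            return qualifier == [pkt.icmp_type]
        ports = {"telnet": 23, "www": 80}    # 'eq <service>' on TCP
        return qualifier[0] == "eq" and ports[qualifier[1]] == pkt.dport
    return action, matches

def evaluate(acl_lines, pkt):
    """Return 'permit' or 'deny' for pkt under first-match evaluation."""
    for action, matches in map(parse_ace, acl_lines):
        if matches(pkt):
            return action
    return "deny"                            # the implicit deny

def shadowed_entries(acl_lines, probes):
    """Entries no probe packet reaches first: an earlier entry already matched."""
    parsed = list(map(parse_ace, acl_lines))
    first_hits = {next((i for i, (_, m) in enumerate(parsed) if m(p)), None)
                  for p in probes}
    return [l for i, l in enumerate(acl_lines) if i not in first_hits]

# ACL 101 as the OP applied it inbound on Ethernet0/0/0.101, then with the fix.
ACL_101_AS_POSTED = ["access-list 101 deny icmp any any echo",
                     "access-list 101 deny icmp any any echo-reply"]
ACL_101_FIXED = ACL_101_AS_POSTED + ["access-list 101 permit ip any any"]
# The 'any any' tail of the OP's ACL 100: both deny lines follow a permit-all.
ACL_100_TAIL = ["access-list 100 permit ip any any",
                "access-list 100 deny tcp any any eq telnet",
                "access-list 100 deny tcp any any eq www"]
PROBES = [Packet("tcp", dport=23), Packet("tcp", dport=80),
          Packet("tcp", dport=443), Packet("icmp", icmp_type="echo")]
```

Note that even with the permit line added, ACL 101 still drops inbound echo-reply, so pings sent from LAN hosts out through the NAT get no replies back; keep only the echo line if outbound ping should keep working.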
Sometimes fresh eyes is what it takes... 🤦