Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2171
Views
0
Helpful
3
Replies

ICMP on external interface

sbrown6079
Level 1
Level 1

‎03-11-2012 05:12 AM - edited ‎03-04-2019 03:37 PM

Not sure how to accomplish this, and I've been beating on it for a few days. My knowledge of IOS is increasing, but still limited in scope so I'm hopeful someone can help me out

I've got a Cisco 1811 router with FastEthernet0 plugged into a cable modem with 5 static IP's. I want to disable the ability for those IP's to be pinged externally except for certain addresses that I specify (I have some offsite servers that I use to monitor the ISP link for example). I also want the ability to be able to ping external addresses from the router as well as any of my inside subnets.

Here are the subnets I use:

10.0.0.0/24

10.0.10.0/24

10.0.20.0/24

10.0.30.0/24

I've tried varying ACL's and applied to Fa0, none of which work

Here is what is built currently:

sunvalleyedgrtr01#sh access-lists 102

Extended IP access list 102

    10 permit icmp 10.0.0.0 0.0.0.255 any echo

    20 permit icmp 10.0.0.0 0.0.0.255 any echo-reply

    30 permit icmp 10.0.10.0 0.0.0.255 any echo

    40 permit icmp 10.0.10.0 0.0.0.255 any echo-reply

    50 permit icmp 10.0.20.0 0.0.0.255 any echo

    60 permit icmp 10.0.20.0 0.0.0.255 any echo-reply

    70 permit icmp 10.0.30.0 0.0.0.255 any echo

    80 permit icmp 10.0.30.0 0.0.0.255 any echo-reply

    90 deny icmp any any echo (3147 matches)

    100 deny icmp any any echo-reply (5 matches)

    110 permit ip any any (428006 matches)

And the relevant config for Fa0:

Outgoing access list is 102

Inbound  access list is 102

I think I'm on the right path with how to accomplish what I want to do, but it's not working as anticipated and I'm struggling just a bit trying to get there. The example above is disabling the ability to ping anything, externally or from my subnets.

Labels:
0 Helpful
3 Replies 3

John Blakley
VIP Alumni
VIP Alumni

‎03-11-2012 06:54 AM

If you're cable modem is connected to fa0/0, then that's going to be your outside interface. Where are the 10.x.x.x subnets at in your router? Are they on fa0/0 or fa0/1? Does your router do the natting or cable modem/router? Do you have any other equipment in between you like a firewall, etc? The acl looks fine, I figure it's placed on the incorrect interface. Can you post the interface configs?

HTH,

John

HTH, John *** Please rate all useful posts ***
0 Helpful

sbrown6079
Level 1
Level 1
In response to John Blakley

‎03-11-2012 07:18 AM

Yes, cable modem is connected to FastEthernet0. The 10.x.x.x subnets are built as subinterfaces/vlans under FastEthernet1, Fa1.1, Fa1.10, Fa1.20, Fa1.30. Router does the NAT'ing.

Here's the interface config for Fa0:

sunvalleyedgrtr01#sh ip int fa0

FastEthernet0 is up, line protocol is up

  Internet address is (omitted)

  Broadcast address is 255.255.255.255

  Address determined by non-volatile memory

  MTU is 1500 bytes

  Helper address is not set

  Directed broadcast forwarding is disabled

  Secondary address (omitted)

  Secondary address (omitted)

  Secondary address (omitted)

  Secondary address (omitted)

  Outgoing access list is 102

  Inbound  access list is 102

  Proxy ARP is disabled

  Local Proxy ARP is disabled

  Security level is default

  Split horizon is enabled

  ICMP redirects are never sent

  ICMP unreachables are never sent

  ICMP mask replies are never sent

  IP fast switching is enabled

  IP fast switching on the same interface is disabled

  IP Flow switching is disabled

  IP CEF switching is enabled

  IP CEF switching turbo vector

  IP multicast fast switching is enabled

  IP multicast distributed fast switching is disabled

  IP route-cache flags are Fast, CEF

  Router Discovery is disabled

  IP output packet accounting is disabled

  IP access violation accounting is disabled

  TCP/IP header compression is disabled

  RTP/IP header compression is disabled

  Policy routing is disabled

  Network address translation is enabled, interface in domain outside

  BGP Policy Mapping is disabled

  Input features: Stateful Inspection, Virtual Fragment Reassembly, Access List, Virtual Fragment Reassembly After IPSec Decryption, uRPF, NAT Outside, MCI Check

  Output features: Post-routing NAT Outside, Stateful Inspection, Access List, NAT ALG proxy

  WCCP Redirect outbound is disabled

  WCCP Redirect inbound is disabled

  WCCP Redirect exclude is disabled

  IP verify source reachable-via RX, allow default, ACL 100

   0 verification drops

   0 suppressed verification drops

   0 verification drop-rate

All of the internal interfaces are built the same, I'll post Fa1.10 as an example:

FastEthernet1.10 is up, line protocol is up

  Internet address is 10.0.10.1/24

  Broadcast address is 255.255.255.255

  Address determined by non-volatile memory

  MTU is 1500 bytes

  Helper address is not set

  Directed broadcast forwarding is disabled

  Outgoing access list is not set

  Inbound  access list is not set

  Proxy ARP is disabled

  Local Proxy ARP is disabled

  Security level is default

  Split horizon is enabled

  ICMP redirects are never sent

  ICMP unreachables are never sent

  ICMP mask replies are never sent

  IP fast switching is enabled

  IP fast switching on the same interface is enabled

  IP Flow switching is disabled

  IP CEF switching is enabled

  IP CEF switching turbo vector

  IP multicast fast switching is enabled

  IP multicast distributed fast switching is disabled

  IP route-cache flags are Fast, CEF

  Router Discovery is disabled

  IP output packet accounting is disabled

  IP access violation accounting is disabled

  TCP/IP header compression is disabled

  RTP/IP header compression is disabled

  Policy routing is disabled

  Network address translation is enabled, interface in domain inside

  BGP Policy Mapping is disabled

  Input features: Stateful Inspection, Virtual Fragment Reassembly, Virtual Fragment Reassembly After IPSec Decryption, MCI Check

  Output features: NAT Inside, Stateful Inspection, NAT ALG proxy

  WCCP Redirect outbound is disabled

  WCCP Redirect inbound is disabled

  WCCP Redirect exclude is disabled

Thanks,
Stephen

0 Helpful

John Blakley
VIP Alumni
VIP Alumni
In response to sbrown6079

‎03-11-2012 07:44 AM

Ah...okay. Split your list up for the subinterfaces and you should be okay.

Extended IP access list 102

    50 permit icmp 10.0.20.0 0.0.0.255 any echo

    60 permit icmp 10.0.20.0 0.0.0.255 any echo-reply

    90 deny icmp any any echo (3147 matches)

    100 deny icmp any any echo-reply (5 matches)

    110 permit ip any any (428006 matches)

Extended IP access list 103

    50 permit icmp 10.0.30.0 0.0.0.255 any echo

    60 permit icmp 10.0.30.0 0.0.0.255 any echo-reply

    90 deny icmp any any echo (3147 matches)

    100 deny icmp any any echo-reply (5 matches)

    110 permit ip any any (428006 matches)

Etc....

int fa1.20

ip access-group 102 in

int fa1.30

ip access-group 103 in

You don't need them in the outbound direction...

HTH,

John

Please rate if helpful...

HTH, John *** Please rate all useful posts ***
0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card