Older non-Crypto version. How to poke a hole in my ACL so my ISP can monitor my router?

badassmexican
Level 1

Hi,

I'm trying to figure out how to block ports and secure my older router that doesn't have SSL, crypto, ip inspect, and I'm sure I'm missing a few other things.

I added these to my config file, but I think it might have worked too well, because my ISP sent me an email asking that I open it up for their monitoring IPs.

Am I doing this right, or is there a better way to do this? Also, how can I allow ICMP requests from my ISP?

Thanks,

Joel

interface FastEthernet0/1
description Uplink
ip address 38.88.245.170 255.255.255.248
ip nat outside
ip access-group cbac in

ip access-list extended cbac
permit icmp any any echo-reply
permit tcp any any eq bgp
permit udp any any eq bootpc
permit udp any any eq snmp
permit tcp any any established
deny   ip any any

This is what my ISP sent me:


Cogent is unable to proactively test the status of your circuit (IP Address 38.88.245.170) because it appears that there is a universal ICMP block in place.

This can be resolved by blocking all ICMP traffic except from the Cogent monitoring IP blocks of 66.28.3.0/24, 66.250.250.0/23, 130.117.228.0/24 and 130.117.254.0/24 for IPv4.


3 Replies

luis_cordova
VIP Alumni

Hi @badassmexican,

Try adding this to your ACL:


ip access-list extended cbac
 permit icmp any any echo
 permit icmp any any echo-reply
 permit tcp any any eq bgp
 permit udp any any eq bootpc
 permit udp any any eq snmp
 permit tcp any any established
 deny ip any any

Regards
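The reply above opens ICMP echo from any source, while the ISP e-mail only asks for its four monitoring blocks. As an added example (not code from the question or the reply), the following Python script converts those four CIDR blocks into IOS wildcard-mask entries and assembles the `cbac` ACL so that inbound echo is permitted only from those sources, keeping the poster's other entries and the explicit deny in their original order; the /23 block is the one where a hand-typed mask most often goes wrong.

```python
import ipaddress

# The four Cogent monitoring blocks quoted in the ISP e-mail in the question.
ISP_MONITOR_BLOCKS = [
    "66.28.3.0/24",
    "66.250.250.0/23",
    "130.117.228.0/24",
    "130.117.254.0/24",
]

# The poster's existing entries, kept in their original order.
EXISTING_ENTRIES = [
    "permit icmp any any echo-reply",
    "permit tcp any any eq bgp",
    "permit udp any any eq bootpc",
    "permit udp any any eq snmp",
    "permit tcp any any established",
]


def wildcard(cidr: str) -> tuple[str, str]:
    """Return (network, wildcard-mask) for an IOS extended ACL entry.

    IOS ACLs take an inverted mask: /24 -> 0.0.0.255, /23 -> 0.0.1.255.
    ipaddress exposes exactly that as .hostmask; strict=True rejects a
    block whose host bits are not all zero, which would be a typo.
    """
    net = ipaddress.ip_network(cidr, strict=True)
    return str(net.network_address), str(net.hostmask)


def build_cbac_acl(blocks=ISP_MONITOR_BLOCKS, existing=EXISTING_ENTRIES) -> list[str]:
    """Build the 'cbac' ACL applied inbound on the uplink interface:
    echo only from the listed blocks, then the original permits, then deny."""
    lines = ["ip access-list extended cbac"]
    for cidr in blocks:
        net, mask = wildcard(cidr)
        lines.append(f" permit icmp {net} {mask} any echo")
    lines.extend(f" {entry}" for entry in existing)
    lines.append(" deny ip any any")
    return lines


if __name__ == "__main__":
    print("\n".join(build_cbac_acl()))
```

The `echo-reply` line stays so that pings launched from inside still get their answers back through the inbound ACL.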

Hello

Not so sure why you would want to allow an ISP to monitor your rtr - it can do that on a physical level without you allowing them any access?

An ISP is there to provide you a service, not for you to provide them one.


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

Yeah, I'm not really sure either.  They don't really offer any support.  If it's working I'm sure I'll know before they do.  This is what they said though:

Unfortunately if Cogent is unable to monitor the IP specified it is impossible for us to honor the Guarantees and Service Credits provided in any Service Level Agreement, Customer Service Agreement or other type of performance level agreement that you currently have with Cogent Communications. More importantly, it makes it impossible for Cogent Support to proactively troubleshoot problems because we have no visibility.