I was looking into ACLs intensively and was wondering how you would block the ping commands? Would you block it on port 80 or would you write something like this
eq ping
thanks in advance
forbesl 2004-06-17, 1:57 pm
quote: Originally posted by FMZ
I was looking into ACLs intensively and was wondering how you would block the ping commands? Would you block it on port 80 or would you write something like this
eq ping
thanks in advance
Well, it would depend on whether you wanted to block all pings, or just pings from certain networks/hosts. But, as an example, to deny all ping echoes and permit everything else:
access-list 101 deny icmp any any echo
access-list 101 permit ip any any
It would be applied inbound on the interface closest to the traffic you want filtered.
!!!!!
How would you deny ping from certain locations? Same command?
What if you want to deny ping from a different host?
You would use something like this:
access-list 100 deny tcp 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255 eq echo ?
forbesl 2004-06-17, 3:08 pm
quote: Originally posted by FMZ
What if you want to deny ping from a different host?
You would use something like this:
access-list 100 deny tcp 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255 eq echo ?
Not deny tcp, nor is eq used with icmp rules.
It would be:
access-list 100 deny icmp 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255 echo
This would block icmp echoes from network 192.168.1.0/24 to network 192.168.2.0/24.
..!!!
Thanks a bunch, I never knew that command.
I've got a question though: why echo at the end?
forbesl 2004-06-17, 4:21 pm
quote: Originally posted by FMZ
I've got a question though: why echo at the end?
The "echo" in ICMP is a ping request. There are many different types of ICMP messages:
echo-reply (reply to a ping)
time-exceeded
source-quench
unreachables
and a whole buttload more.
Do a search on Google and you'll get all kinds of info about ICMP.
!!!!!
forbesl 2004-06-17, 5:04 pm
You're welcome.
Tophat 2004-06-18, 12:03 am
Good post, forbesl. I just wanted to add the link on the Cisco website on how to configure Cisco access lists:
http://www.cisco.com/warp/public/707/confaccesslists.pdf
One more quick question.
If you are creating the ACL and you deny the unwanted ping on Router B from Router A and the Internet, would you block the serial link IP or the Ethernet interface IP address?
Let's say the Serial IP is 173.168.1.2
and the E0 IP is 192.168.1.3.
Would you create an ACL like this:
1.) access-list 101 deny ICMP any 173.168.1.2 0.0.0.255 echo
or
2.) access-list 101 deny ICMP any 192.168.1.3 0.0.0.255 echo
USHazard 2004-06-23, 5:23 pm
If you don't want them to ping the router at all, block the first interface the packet would get to.
Generally, either use a network, e.g. '192.168.1.0 0.0.0.255', or a single IP, e.g. 'host 192.168.1.1' or '192.168.1.1 0.0.0.0', in access lists. It's only a single IP you want in this example though.
quote: If you don't want them to ping the router at all, block the first interface the packet would get to.
Now let's say all the routers are connected through the serial link interface.
So we block 173.168.1.2?
USHazard 2004-06-23, 11:15 pm
Well, from global config mode:
access-list 101 deny icmp any any echo
access-list 101 permit ip any any (whoops, forgot this the first time)
int x
(where x is the interface that has the link to the place that you want to block pings from, in your example s0) and
ip access-group 101 in
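The matching rules the replies in this thread lean on (how a wildcard mask selects addresses, why 'host 173.168.1.2' differs from '173.168.1.2 0.0.0.255', how the ICMP type keyword narrows an icmp entry, and what the forgotten 'permit ip any any' costs) can be checked offline with a small evaluator. This is an added example, not code from the thread or from Cisco; it models only the subset of IOS extended-ACL syntax used in the posts, and the sample packets and the 10.0.0.5 address are constructed for the demo:

```python
"""Toy evaluator for the Cisco IOS extended-ACL entries discussed in this thread.
Added example, not Cisco code: it models wildcard masks (inverse netmasks, a 1 bit
means "don't care"), the 'any' / 'host' forms and ICMP type keyword of an icmp
entry, and the implicit 'deny any' ending every IOS access list. Sample packets
and the 10.0.0.5 address are constructed for the demo."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Subset of the ICMP type keywords IOS accepts on an 'icmp' entry -> type number.
ICMP_KEYWORDS = {"echo": 8, "echo-reply": 0, "unreachable": 3,
                 "source-quench": 4, "time-exceeded": 11}


@dataclass
class Packet:
    src: str
    dst: str
    proto: str                       # "icmp", "tcp" or "udp"
    icmp_type: Optional[int] = None  # only meaningful when proto == "icmp"


def parse_addr(tokens, i):
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D W.X.Y.Z' at tokens[i].
    Returns ((network_bits, care_mask), next_index)."""
    if tokens[i] == "any":
        return (0, 0), i + 1                       # care about no bits: matches all
    if tokens[i] == "host":
        addr = int(ipaddress.IPv4Address(tokens[i + 1]))
        return (addr, 0xFFFFFFFF), i + 2           # care about every bit: one host
    addr = int(ipaddress.IPv4Address(tokens[i]))
    wildcard = int(ipaddress.IPv4Address(tokens[i + 1]))
    care = 0xFFFFFFFF ^ wildcard                   # wildcard 1 bits are ignored
    return (addr & care, care), i + 2


def addr_matches(matcher, ip):
    network_bits, care = matcher
    return (int(ipaddress.IPv4Address(ip)) & care) == network_bits


def parse_ace(line):
    """Parse 'access-list N permit|deny PROTO SRC DST [icmp-keyword]'."""
    t = line.split()
    if t[0] != "access-list":
        raise ValueError(f"not an access-list entry: {line!r}")
    action, proto = t[2], t[3]
    src, i = parse_addr(t, 4)
    dst, i = parse_addr(t, i)
    icmp_type = ICMP_KEYWORDS[t[i]] if proto == "icmp" and i < len(t) else None
    return action, proto, src, dst, icmp_type


def evaluate(acl_lines, pkt):
    """First matching entry wins; fall through to the implicit deny."""
    for action, proto, src, dst, icmp_type in map(parse_ace, acl_lines):
        if proto != "ip" and proto != pkt.proto:
            continue
        if not (addr_matches(src, pkt.src) and addr_matches(dst, pkt.dst)):
            continue
        if icmp_type is not None and icmp_type != pkt.icmp_type:
            continue
        return action
    return "deny"   # every IOS ACL ends with an invisible 'deny any'


# forbesl's two lists from the thread
ACL_101 = ["access-list 101 deny icmp any any echo",
           "access-list 101 permit ip any any"]
ACL_100 = ["access-list 100 deny icmp 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255 echo",
           "access-list 100 permit ip any any"]
# USHazard's list as first posted, with 'permit ip any any' forgotten
ACL_NO_PERMIT = ["access-list 101 deny icmp any any echo"]
# FMZ's option 1 as written (host address with a /24 wildcard) beside the
# 'host' form USHazard recommends for a single router interface
ACL_WILDCARD = ["access-list 101 deny icmp any 173.168.1.2 0.0.0.255 echo",
                "access-list 101 permit ip any any"]
ACL_HOST = ["access-list 101 deny icmp any host 173.168.1.2 echo",
            "access-list 101 permit ip any any"]


def demo():
    """Run the constructed packets through each list; returns {case: verdict}."""
    echo_in = Packet("10.0.0.5", "173.168.1.2", "icmp", 8)        # ping request to s0
    reply_out = Packet("173.168.1.2", "10.0.0.5", "icmp", 0)      # ping reply leaving
    tcp_in = Packet("10.0.0.5", "173.168.1.2", "tcp")             # anything non-ICMP
    echo_neighbour = Packet("10.0.0.5", "173.168.1.200", "icmp", 8)  # another /24 host
    return {
        "101 blocks echo request": evaluate(ACL_101, echo_in),
        "101 still passes echo-reply": evaluate(ACL_101, reply_out),
        "101 passes tcp": evaluate(ACL_101, tcp_in),
        "missing permit drops tcp too": evaluate(ACL_NO_PERMIT, tcp_in),
        "0.0.0.255 wildcard also hits .200": evaluate(ACL_WILDCARD, echo_neighbour),
        "host form leaves .200 alone": evaluate(ACL_HOST, echo_neighbour),
    }


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case}: {verdict}")
```

Run as a script to print each case. The two lists built from FMZ's option 1 make the practical point: with the 0.0.0.255 wildcard, an echo request to any address in 173.168.1.0/24 is denied, while 'host 173.168.1.2' denies only pings to the serial interface itself; and a list with no permit entry drops everything not explicitly permitted, TCP included, because of the implicit deny at the end.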