Please help with cisco access-list

Discussion in 'Cisco' started by Chris, May 8, 2004.

  1. Chris

    Chris Guest

    Hi experts,

    I want to disable pings from outside, so I made the following access-list,
    but my Cisco is still pingable. What did I do wrong?

    Thanks for the input - Chris

    !
    ip classless
    ip route 0.0.0.0 0.0.0.0 Dialer0 permanent
    ip route 0.0.0.0 0.0.0.0 Dialer1
    no ip http server
    ip nat inside source list 101 interface Dialer0 overload
    ip nat inside source list 102 interface Dialer1 overload
    !
    access-list 23 permit 150.150.150.0 0.0.0.255
    access-list 101 permit ip any any
    access-list 102 permit ip 150.150.150.0 0.0.0.255 any
    access-list 111 deny ip any any
    access-list 111 deny icmp any any
    access-list 111 deny icmp any any echo
    access-list 111 deny icmp any any echo-reply
    access-list 111 permit icmp any any administratively-prohibited
    access-list 111 permit icmp any any echo
    access-list 111 permit icmp any any echo-reply
    access-list 111 permit icmp any any packet-too-big
    access-list 111 permit icmp any any time-exceeded
    access-list 111 permit icmp any any traceroute
    access-list 111 permit icmp any any unreachable
    access-list 111 permit udp any eq bootps any eq bootpc
    access-list 111 permit udp any eq bootps any eq bootps
    access-list 111 permit udp any eq domain any
    access-list 111 permit esp any any
    access-list 111 permit udp any any eq isakmp
    access-list 111 permit udp any any eq 10000
    access-list 111 permit tcp any any eq 1723
    access-list 111 permit tcp any any eq 139
    access-list 111 permit udp any any eq netbios-ns
    access-list 111 permit udp any any eq netbios-dgm
    access-list 111 permit gre any any
    dialer-list 1 protocol ip permit
    snmp-server engineID local 000000090200000427FCDCCE
    snmp-server community public RO
    snmp-server enable traps tty
    !
    control-plane
    !
    !
     
    Chris, May 8, 2004
    #1

  2. In article <409d1fa9$0$15375$4all.nl>,
    Chris <> wrote:
    :I want to disable pings from outside, so I made the following access-list,
    :but my Cisco is still pingable. What did I do wrong?

    :ip nat inside source list 101 interface Dialer0 overload
    :ip nat inside source list 102 interface Dialer1 overload

    :access-list 23 permit 150.150.150.0 0.0.0.255
    :access-list 101 permit ip any any
    :access-list 102 permit ip 150.150.150.0 0.0.0.255 any
    :access-list 111 deny ip any any
    :access-list 111 deny icmp any any
    [...]
    :dialer-list 1 protocol ip permit

    In what you show of your configuration, access-lists 23 and 111 are not
    referenced at all. Simply creating the access-list is not enough:
    you must use "ip access-group 111 in" (or "out" instead of "in")
    in some interface's configuration section.

    If you were to apply access-list 111 then you would block all ip
    traffic. Access-lists are evaluated from the beginning towards
    the end, and the evaluation stops as soon as a match is found.
    The first thing you do is deny all ip traffic from anywhere to
    anywhere. That's going to match everything, so the deny is going to
    affect everything, blocking all traffic. Access-list processing
    *never* looks "further down in the list" to see if there is some
    exemption. Not under IOS anyhow. [You could do some strange things
    with the 'except' clause on the old 'outbound' command on PIX.]
    --
    So you found your solution
    What will be your last contribution?
    -- Supertramp (Fool's Overture)
     
    Walter Roberson, May 8, 2004
    #2

  3. Chris

    Chris Guest

    "Walter Roberson" <-cnrc.gc.ca> wrote in message
    news:c7j85n$r37$...
    > In article <409d1fa9$0$15375$4all.nl>,
    > Chris <> wrote:
    > :I want to disable pings from outside, so I made the following access-list,
    > :but my Cisco is still pingable. What did I do wrong?
    >
    > :ip nat inside source list 101 interface Dialer0 overload
    > :ip nat inside source list 102 interface Dialer1 overload
    >
    > :access-list 23 permit 150.150.150.0 0.0.0.255
    > :access-list 101 permit ip any any
    > :access-list 102 permit ip 150.150.150.0 0.0.0.255 any
    > :access-list 111 deny ip any any
    > :access-list 111 deny icmp any any
    > [...]
    > :dialer-list 1 protocol ip permit
    >
    > In what you show of your configuration, access-lists 23 and 111 are not
    > referenced at all. Simply creating the access-list is not enough:
    > you must use "ip access-group 111 in" (or "out" instead of "in")
    > in some interface's configuration section.
    >
    > If you were to apply access-list 111 then you would block all ip
    > traffic. Access-lists are evaluated from the beginning towards
    > the end, and the evaluation stops as soon as a match is found.
    > The first thing you do is deny all ip traffic from anywhere to
    > anywhere. That's going to match everything, so the deny is going to
    > affect everything, blocking all traffic. Access-list processing
    > *never* looks "further down in the list" to see if there is some
    > exemption. Not under IOS anyhow. [You could do some strange things
    > with the 'except' clause on the old 'outbound' command on PIX.]
    > --
    > So you found your solution
    > What will be your last contribution?
    > -- Supertramp (Fool's Overture)



    Hi Walter, thanks for the tips. Here is the complete config. How can I
    disable external pings? Thanks again!

    !
    username blah blah
    no aaa new-model
    ip subnet-zero
    no ip domain lookup
    !
    !
    ip inspect name myfw cuseeme timeout 3600
    ip inspect name myfw ftp timeout 3600
    ip inspect name myfw rcmd timeout 3600
    ip inspect name myfw realaudio timeout 3600
    ip inspect name myfw smtp timeout 3600
    ip inspect name myfw tftp timeout 30
    ip inspect name myfw udp timeout 15
    ip inspect name myfw tcp timeout 3600
    ip inspect name myfw h323 timeout 3600
    !
    !
    !
    interface Ethernet0
    ip address 150.150.150.160 255.255.255.0
    ip nat inside
    no ip route-cache
    no keepalive
    hold-queue 100 out
    !
    interface ATM0
    no ip address
    ip nat outside
    no ip route-cache
    no atm ilmi-keepalive
    dsl operating-mode auto
    pvc 0 8/48
    encapsulation aal5mux ppp dialer
    dialer pool-member 1
    !
    !
    interface Dialer0
    ip address negotiated
    ip nat outside
    encapsulation ppp
    dialer pool 1
    dialer-group 1
    ppp authentication pap callin
    ppp pap sent-username blah blah
    !
    interface Dialer1
    ip address negotiated
    ip access-group 111 in
    ip mtu 1492
    ip nat outside
    ip inspect myfw out
    encapsulation ppp
    ip tcp adjust-mss 1452
    dialer pool 1
    dialer-group 1
    no cdp enable
    ppp authentication pap callin
    !
    ip classless
    ip route 0.0.0.0 0.0.0.0 Dialer0 permanent
    ip route 0.0.0.0 0.0.0.0 Dialer1
    no ip http server
    ip nat inside source list 101 interface Dialer0 overload
    ip nat inside source list 102 interface Dialer1 overload
    !
    access-list 23 permit 150.150.150.0 0.0.0.255
    access-list 101 permit ip any any
    access-list 102 permit ip 150.150.150.0 0.0.0.255 any
    access-list 111 permit icmp any any administratively-prohibited
    access-list 111 permit icmp any any echo
    access-list 111 permit icmp any any echo-reply
    access-list 111 permit icmp any any packet-too-big
    access-list 111 permit icmp any any time-exceeded
    access-list 111 permit icmp any any traceroute
    access-list 111 permit icmp any any unreachable
    access-list 111 permit udp any eq bootps any eq bootpc
    access-list 111 permit udp any eq bootps any eq bootps
    access-list 111 permit udp any eq domain any
    access-list 111 permit esp any any
    access-list 111 permit udp any any eq isakmp
    access-list 111 permit udp any any eq 10000
    access-list 111 permit tcp any any eq 1723
    access-list 111 permit tcp any any eq 139
    access-list 111 permit udp any any eq netbios-ns
    access-list 111 permit udp any any eq netbios-dgm
    access-list 111 permit gre any any
    access-list 111 deny ip any any
    dialer-list 1 protocol ip permit
    snmp-server engineID local 000000090200000427FCDCCE
    snmp-server community public RO
    snmp-server enable traps tty
    !
    control-plane
    !
    !
    line con 0
    exec-timeout 120 0
    transport preferred all
    transport output all
    stopbits 1
    line vty 0 4
    access-class 23 in
    exec-timeout 120 0
    password 7 097A56514D2F1A425A
    login local
    length 0
    transport preferred all
    transport input all
    transport output all
    !
    scheduler max-task-time 5000
    !
    end
     
    Chris, May 8, 2004
    #3
  4. In article <409d3b9f$0$557$4all.nl>,
    Chris <> wrote:
    :Hi Walter, thanks for the tips. Here is the complete config. How can I
    :disable external pings? Thanks again!

    :interface Dialer0
    : ip address negotiated
    : ip nat outside
    : encapsulation ppp
    : dialer pool 1
    : dialer-group 1
    : ppp authentication pap callin
    : ppp pap sent-username blah blah

    I have not used Dialers before, so I cannot tell without research
    whether Dialer0 or Dialer1 is the interface facing the outside. It
    appears to be Dialer1?

    :interface Dialer1

    : ip access-group 111 in

    :access-list 111 permit icmp any any administratively-prohibited
    :access-list 111 permit icmp any any echo
    :access-list 111 permit icmp any any echo-reply

    If that Dialer1 is facing the outside world, then remove the
    access-list 111 permit icmp any any echo
    line in order to disallow people from pinging into your systems.

    :access-list 111 permit tcp any any eq 139
    :access-list 111 permit udp any any eq netbios-ns
    :access-list 111 permit udp any any eq netbios-dgm

    On the other hand, if Dialer1 is facing the outside world, then you
    are allowing Netbios traffic to all of your systems, which is a Bad Thing
    in most cases.

    :access-list 111 deny ip any any

    That's the default, so you can omit it (and anything that might happen
    to be further along in the access-list.)

    --
    I was very young in those days, but I was also rather dim.
    -- Christopher Priest
     
    Walter Roberson, May 8, 2004
    #4
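The first-match evaluation Walter describes in #2 and the fix in #4 (drop the echo permit, rely on the implicit deny), as an added example that is not part of the thread: a small Python simulator of how IOS walks a numbered extended access-list. It models only `any`, address/wildcard pairs, `eq` ports and ICMP type keywords, the sample ACL text is constructed from the thread's ACL 111 entries, and the outside source address 203.0.113.9 is a constructed placeholder.

```python
# Added example, not code from the thread: a minimal simulator of how IOS walks a
# numbered extended ACL top to bottom, stopping at the first matching entry and
# falling through to the implicit "deny ip any any". Sample ACL text constructed.

ACL_POSTED = """\
access-list 111 permit icmp any any echo
access-list 111 permit icmp any any echo-reply
access-list 111 permit icmp any any unreachable
access-list 111 permit udp any eq domain any
access-list 111 permit tcp any any eq 1723
"""

def _ip(s):
    return int.from_bytes(bytes(int(o) for o in s.split(".")), "big")

def _take_addr(tok):
    """Consume 'any' or 'addr wildcard', then an optional 'eq PORT'."""
    spec, tok = (("any",), tok[1:]) if tok[0] == "any" else ((tok[0], tok[1]), tok[2:])
    port = None
    if tok[:1] == ["eq"]:
        port, tok = tok[1], tok[2:]
    return spec, port, tok

def _addr_ok(spec, ip):
    if spec == ("any",):
        return True
    care = ~_ip(spec[1]) & 0xFFFFFFFF  # wildcard 1-bits are "don't care"
    return (_ip(ip) & care) == (_ip(spec[0]) & care)

def parse_acl(text):
    """Parse 'access-list N action proto src [eq p] dst [eq p] [icmp-type]' lines."""
    rules = []
    for line in text.splitlines():
        tok = line.split()
        if tok[:1] != ["access-list"]:
            continue
        src, sport, rest = _take_addr(tok[4:])
        dst, dport, rest = _take_addr(rest)
        rules.append((tok[2], tok[3], src, sport, dst, dport, rest[0] if rest else None))
    return rules

def evaluate(rules, pkt):
    """Action of the first matching entry; implicit deny if nothing matches."""
    for action, proto, src, sport, dst, dport, qual in rules:
        if proto in ("ip", pkt["proto"]) and _addr_ok(src, pkt["src"]) \
                and _addr_ok(dst, pkt["dst"]) and sport in (None, pkt.get("sport")) \
                and dport in (None, pkt.get("dport")) and qual in (None, pkt.get("type")):
            return action
    return "deny"  # every IOS ACL ends with an implicit deny ip any any
```

Feeding an inbound ICMP echo through the posted list returns "permit"; with the echo entry removed the same packet falls through to the implicit deny while echo-reply is still permitted, and with "deny ip any any" placed first nothing below it is ever reached.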