02-05-2007 06:15 AM - edited 03-03-2019 03:37 PM
Hi,
What would the access-list be to permit a router to accept ping?
ip access-list extended <name>
permit icmp any any
??
02-05-2007 06:26 AM
Hi
ip access-list extended allowping
permit icmp any any echo
HTH
Jon
02-05-2007 08:41 AM
Brad's proposed access list permitted every kind of icmp and was probably overly broad. Your access list is much more specific and permits only ping.
Be aware that this access list is very restrictive and in a real situation you would need other permit statements in the access list to permit other types of traffic.
HTH
Rick
02-05-2007 08:54 AM
Thanks to you both Jon and Rick. There are other traffic / protocol specific access lists applied. What I am afraid of this is that am I not opening my router up to a ping flood? The router has a private address but I still need to control this right?
02-05-2007 09:12 AM
Brad
There are various opinions about the value of permitting ping and about the danger of permitting ping. I tend to believe that the potential value of ping as a troubleshooting tool makes it worthwhile to permit inbound ping. I know others who react to the potential use of ping in denial of service attacks and deny it.
Probably the answer will depend on where in your network the router is located and how willing you are to give up a useful tool to be (marginally) safer. If the router were the border router at the edge of your network, I might deny inbound ping on its Internet facing interface. I would be inclined to permit ping on the interior facing interfaces.
If you are concerned about the security implications of permitting ping, then perhaps a middle position would be to permit ping whose source address was internal to your network and to deny ping whose source address was external to your network.
HTH
Rick
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide