Prevent Pings from outside addresses

Answered Question
Feb 26th, 2008

I want to prevent my border routers from responding to pings and traceroutes from outside addresses yet pass ICMP packets if I'm pinging from my internal addresses.


If I apply this ACL to my interface will it do what I need:


access-list 120 deny icmp any host 39.113.22.150 echo


Thanks

Jon Marshall Tue, 02/26/2008 - 09:38

Hi


access-list 101 deny icmp any any echo

access-list 101 deny icmp any any traceroute

access-list 101 permit ip any any



int fa0/1

ip access-group 101 in


where fa0/1 is the outside interface of your border router.


HTH


Jon


rolandshum Tue, 02/26/2008 - 09:39

Will that allow me to ping out from my internal network? I thought that if the destination is "any" then the outside interface would stop all ICMP requests.

Correct Answer
Jon Marshall Tue, 02/26/2008 - 09:43

Hi


The access-list is applied inbound to the outside interface, so it will stop any echo requests from outside coming in.


But if you initiate a ping from inside the network, then the packet that comes back inbound to the outside interface is not an echo request but an echo reply, and you are not blocking echo replies with this access-list.


So in short, yes it will allow you to ping out :)


Jon

a.cruea1980 Tue, 02/26/2008 - 11:08

You could also simply use reflexive lists.


ip access-list extended Outbound

 remark every flow leaving the network is mirrored into ReflexiveList

 permit ip any any reflect ReflexiveList


ip access-list extended Inbound

 remark admit only return traffic for flows that started inside

 evaluate ReflexiveList

 deny ip any any


Then to apply them to your outside interface:

ip access-group Inbound in

ip access-group Outbound out


That will only allow something back into your network that originated from within your network.
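The following Python model is an added example written for this page; it is not code from the thread, and it is not Cisco IOS code. It replays both answers above on constructed packets: Jon's access-list 101 evaluated statelessly inbound on the outside interface (echo request from outside denied, echo reply to an inside-originated ping permitted), and a.cruea1980's reflexive pair as a table of mirrored flows. The Packet and Rule classes, the addresses (RFC 5737 / RFC 1918 ranges) and the way the reflexive entry is keyed are assumptions of the model, so check the traceroute behaviour on your own platform before relying on it.

```python
"""Added example, not from the original thread or from Cisco: a minimal model
of IOS-style extended ACL evaluation for the ICMP cases discussed above."""
from dataclasses import dataclass
from typing import Optional

# IANA ICMP types behind the IOS keywords: echo=8, echo-reply=0,
# time-exceeded=11, traceroute=30 (the rarely used ICMP Traceroute message)
ICMP_ECHO, ICMP_ECHO_REPLY, ICMP_TIME_EXCEEDED, ICMP_TRACEROUTE = 8, 0, 11, 30


@dataclass(frozen=True)
class Packet:
    """Constructed packet abstraction (assumption of this model)."""
    proto: str                       # "icmp", "udp" or "tcp"
    src: str
    dst: str
    icmp_type: Optional[int] = None  # ICMP only
    sport: Optional[int] = None      # TCP/UDP only
    dport: Optional[int] = None


@dataclass(frozen=True)
class Rule:
    """One extended ACL line, reduced to the fields this thread uses."""
    action: str                      # "permit" or "deny"
    proto: str                       # "ip" matches every protocol
    src: str                         # "any" or one host address
    dst: str
    icmp_type: Optional[int] = None  # None = any ICMP type

    def matches(self, pkt: Packet) -> bool:
        if self.proto != "ip" and self.proto != pkt.proto:
            return False
        if self.src != "any" and self.src != pkt.src:
            return False
        if self.dst != "any" and self.dst != pkt.dst:
            return False
        return self.icmp_type is None or pkt.icmp_type == self.icmp_type


def apply_acl(rules, pkt: Packet) -> str:
    """First matching line wins; IOS ends every ACL with an implicit deny."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return "deny"


# access-list 101 from Jon's post, transcribed line by line
ACL_101 = [
    Rule("deny", "icmp", "any", "any", ICMP_ECHO),        # deny icmp any any echo
    Rule("deny", "icmp", "any", "any", ICMP_TRACEROUTE),  # deny icmp any any traceroute
    Rule("permit", "ip", "any", "any"),                   # permit ip any any
]

# Constructed addresses for the example (not from the thread).
OUTSIDE_HOST = "203.0.113.7"
INSIDE_HOST = "192.168.1.25"
TRANSIT_ROUTER = "198.51.100.1"


def check_acl_101() -> dict:
    """Verdicts of ACL 101 applied inbound on the outside interface."""
    return {
        # outside host pinging us: an echo request, matched by line 1
        "outside_echo": apply_acl(ACL_101, Packet("icmp", OUTSIDE_HOST, INSIDE_HOST, ICMP_ECHO)),
        # answer to our own ping: echo-reply is not 'echo', falls through to line 3
        "inside_ping_reply": apply_acl(ACL_101, Packet("icmp", OUTSIDE_HOST, INSIDE_HOST, ICMP_ECHO_REPLY)),
        # 'traceroute' keyword is ICMP type 30 only; UNIX traceroute sends UDP
        # probes to high ports, which line 3 still permits
        "udp_traceroute_probe": apply_acl(ACL_101, Packet("udp", OUTSIDE_HOST, INSIDE_HOST, sport=40000, dport=33434)),
    }


class ReflexiveFilter:
    """Model of a.cruea1980's lists on the outside interface:
       Outbound: permit ip any any reflect ReflexiveList
       Inbound:  evaluate ReflexiveList / deny ip any any
    An entry is the outbound flow with addresses and ports mirrored; for ICMP
    no type is recorded (assumption of this model)."""

    def __init__(self) -> None:
        self.reflexive_list: set = set()

    def outbound(self, pkt: Packet) -> str:
        # permit ... reflect: allow the packet and record its mirror image
        self.reflexive_list.add((pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport))
        return "permit"

    def inbound(self, pkt: Packet) -> str:
        # evaluate ReflexiveList, then the explicit deny ip any any
        key = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        return "permit" if key in self.reflexive_list else "deny"


def check_reflexive() -> dict:
    fw = ReflexiveFilter()
    # unsolicited ping from outside before any inside traffic: empty list
    cold_echo = fw.inbound(Packet("icmp", OUTSIDE_HOST, INSIDE_HOST, ICMP_ECHO))
    # inside host pings out; the reply matches the mirrored ICMP entry
    fw.outbound(Packet("icmp", INSIDE_HOST, OUTSIDE_HOST, ICMP_ECHO))
    reply = fw.inbound(Packet("icmp", OUTSIDE_HOST, INSIDE_HOST, ICMP_ECHO_REPLY))
    # inside host runs a UDP traceroute; the TTL-expired answer is an ICMP
    # error from a transit router and matches no mirrored entry
    fw.outbound(Packet("udp", INSIDE_HOST, OUTSIDE_HOST, sport=40000, dport=33434))
    ttl_err = fw.inbound(Packet("icmp", TRANSIT_ROUTER, INSIDE_HOST, ICMP_TIME_EXCEEDED))
    return {"cold_echo": cold_echo, "inside_ping_reply": reply, "traceroute_ttl_exceeded": ttl_err}


if __name__ == "__main__":
    print(check_acl_101())
    print(check_reflexive())
```

Two points the model makes visible that the thread does not spell out: the `traceroute` keyword in ACL 101 matches only ICMP type 30, which ordinary traceroute tools do not send (UNIX traceroute uses UDP probes, Windows tracert uses ICMP echo, so only the latter is caught, by the `echo` line), and a plain reflexive entry is keyed on the mirrored addresses and ports, so the ICMP time-exceeded errors that an inside user's UDP traceroute depends on are dropped by the `deny ip any any`. Whether the border router itself stays invisible to traceroute is decided by whether it emits time-exceeded messages for expiring packets, which an inbound ACL does not control.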
