Quick help with access-list to only allow ICMP

Sep 10th, 2008

The inside network is

I need to apply an access-l to the inside interface to allow the hosts on this internal network to only access servers on port tcp 9890.

These servers reside on destination network

Also, my second requirement is to only allow this internal network to ping the destination network.

How do I create such access-lists? I know it has to be simple for you guys, so please excuse the basics.

Thanks in advance.

robertson.michael Wed, 09/10/2008 - 10:32

Hi Angel,

The statements you want will look something like this:

access-list inside-access-out permit tcp eq 9890

access-list inside-access-out permit icmp echo-request

access-group inside-access-out in interface inside

With these commands, only TCP/9890 and ping traffic will be allowed from your internal hosts to the servers. All other traffic will be denied.

For the ICMP portion of your requirements, you will also need to either enable ICMP inspection, or allow echo replies on an access-list applied to the interface that the resides off of.

Hope that helps.


insccisco Wed, 09/10/2008 - 10:48

My apologies for not specifying the platform but I have a router. I believe these statements are for a PIX.

I just tried applying them anyway, but they are different. For example, the PIX is not taking the subnet mask in that format; I think it wants wildcards.

Also, I checked the commands for the echo-request portion and found nothing.

So the IOS is different than the PIX.

please help

acomiskey Wed, 09/10/2008 - 10:53

access-list 100 permit tcp eq 9890

access-list 100 permit icmp echo


ip access-group 100 in

insccisco Wed, 09/10/2008 - 11:00

Great, thanks for the help guys.

I just applied these 2 statements and no luck.

As soon as I take it out, ping works.

I also added a 3rd line, access-list 100 permit icmp echo-reply and no luck either.

insccisco Wed, 09/10/2008 - 11:05

can anyone please help?

Once again, the ping does not work every time I apply the access list to the inside interface.

acomiskey Wed, 09/10/2008 - 11:11

Is this applied to the right interface? Could we see more of your config? Is there an access list on the outside interface that would be blocking the echo-reply?
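
The IOS configuration the thread is converging on, written out as an added example; this is not code from any post above. The real networks and interface names are not shown on the page, so the addresses here are assumed placeholders: inside hosts on 192.168.10.0/24 behind FastEthernet0/0, servers on 10.20.30.0/24 behind FastEthernet0/1. IOS numbered ACLs take wildcard masks (0.0.0.255 for a /24), not subnet masks, which is why PIX-style statements are rejected. The example also shows what the outside-facing ACL must permit if one exists, since that is the only place an inbound ACL can drop the returning echo-reply, and adds a logged explicit deny so dropped traffic shows up in the counters and the log instead of disappearing into the implicit deny.

```cisco
! Added example, not from the thread. All addresses and interface names are assumed.
! Inside hosts: 192.168.10.0/24 on Fa0/0. Servers: 10.20.30.0/24 reachable via Fa0/1.

! ACL 100: filters packets ENTERING the router from the inside hosts.
! Wildcard masks, not subnet masks: 0.0.0.255 matches a /24.
access-list 100 remark inside hosts -> servers: only TCP/9890 and ICMP echo
access-list 100 permit tcp 192.168.10.0 0.0.0.255 10.20.30.0 0.0.0.255 eq 9890
access-list 100 permit icmp 192.168.10.0 0.0.0.255 10.20.30.0 0.0.0.255 echo
! The implicit deny is silent; make it explicit and logged while troubleshooting.
access-list 100 deny ip any any log

interface FastEthernet0/0
 description inside
 ip access-group 100 in

! Echo replies from the servers enter on Fa0/1 and leave via Fa0/0, so ACL 100
! never evaluates them. They can only be dropped by an inbound ACL on Fa0/1.
! If such an ACL exists, it must permit the return traffic explicitly:
access-list 101 remark servers -> inside: replies to the flows ACL 100 allows
access-list 101 permit icmp 10.20.30.0 0.0.0.255 192.168.10.0 0.0.0.255 echo-reply
access-list 101 permit tcp 10.20.30.0 0.0.0.255 eq 9890 192.168.10.0 0.0.0.255 established
access-list 101 deny ip any any log

interface FastEthernet0/1
 description servers
 ip access-group 101 in

! Verification: the echo line's hit counter increments on each ping; a growing
! count on a deny line (and the matching %SEC-6-IPACCESSLOGP messages in
! "show logging") tells you which interface is dropping what.
! show access-lists 100
! show access-lists 101
! show ip interface FastEthernet0/0 | include access list
```

Apply only the ACL 100 part if the server-facing interface has no ACL today; adding ACL 101 where none existed changes what the servers can reach and is shown only to make the return-path requirement concrete. The `log` keyword on the deny lines costs CPU under load, so drop it once the counters confirm the ACL behaves.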

