Blocking ICMP

Nov 9th, 2009


Is it sufficient to apply the following statement,

deny ip any

if I want to block PINGs to the subnet? Or do I have to use

deny icmp any

I am under the impression that the keyword "ip" in the ACL statement is all-encompassing, but that the "icmp" keyword comes in handy if, say, you want to deny icmp, but then allow all other IP traffic.


deny icmp any any

permit ip any any

My lab is down, can't try it out now.

Can anyone please do so for me?


Jerry Ye Mon, 11/09/2009 - 18:51

If you want to block PING to, you can just do deny icmp any eq echo.

If you use deny ip any, this will block ALL IP traffic.



ex-engineer Mon, 11/09/2009 - 19:01

Thank you, Jerry..

I understand what denying ip any any means in terms of denying all traffic.

My question is specifically about ICMP, though.


"deny ip any"

block icmp pings? Yes or no? (I know it will block other ip traffic, but will it ALSO block icmp pings, too?)

In other words, if I want to block ALL traffic, INCLUDING ICMP, is the "ip" keyword sufficient??


ex-engineer Mon, 11/09/2009 - 19:40

Thank you...please don't be offended, but it's important..

are you 125% sure? :-)


Joseph W. Doherty Mon, 11/09/2009 - 20:23

Since ICMP is part of the IP protocol suite, it should block pings, and all other IP traffic, to destination, as noted by Jerry.


Do note, Jerry noted

"deny ip any"

rather than your OP's

"deny ip any"
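
Added example, not written by any poster in this thread: a small Python model of top-down, first-match extended-ACL evaluation, showing that an `ip` entry also matches ICMP while an `icmp` entry leaves other protocols to later lines. It is a simplified model rather than Cisco's implementation; the entry format `action protocol source destination [icmp-type]`, the addresses, and the packets are constructed for illustration.

```python
import ipaddress

def parse_addr(tokens):
    """Consume one address spec: 'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD'."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    # ipaddress reads a mask that starts with a zero field as a host (wildcard) mask
    return ipaddress.ip_network(tokens[0] + "/" + tokens[1]), tokens[2:]

def parse_ace(line):
    """Split 'action protocol source destination [icmp-type]' into its fields."""
    action, proto, *rest = line.split()
    src, rest = parse_addr(rest)
    dst, rest = parse_addr(rest)
    return action, proto, src, dst, (rest[0] if rest else None)

def evaluate(acl, pkt):
    """Return the action of the first entry that matches pkt, reading top-down."""
    for line in acl:
        action, proto, src, dst, icmp_type = parse_ace(line)
        if proto not in ("ip", pkt["proto"]):   # 'ip' matches every IP protocol
            continue
        if ipaddress.ip_address(pkt["src"]) not in src:
            continue
        if ipaddress.ip_address(pkt["dst"]) not in dst:
            continue
        if icmp_type and pkt.get("icmp_type") != icmp_type:
            continue
        return action
    return "deny (implicit)"                     # no entry matched

# Constructed ACLs (addresses are sample values)
DENY_IP_TO_SUBNET = ["deny ip any 10.1.1.0 0.0.0.255", "permit ip any any"]
DENY_ICMP_ONLY = ["deny icmp any any", "permit ip any any"]
DENY_ECHO_ONLY = ["deny icmp any any echo", "permit ip any any"]
NO_PERMIT = ["deny icmp any any"]

# Constructed packets
PING = {"proto": "icmp", "icmp_type": "echo", "src": "192.0.2.7", "dst": "10.1.1.5"}
REPLY = {"proto": "icmp", "icmp_type": "echo-reply", "src": "192.0.2.7", "dst": "10.1.1.5"}
TCP = {"proto": "tcp", "src": "192.0.2.7", "dst": "10.1.1.5"}
OTHER = {"proto": "tcp", "src": "192.0.2.7", "dst": "10.2.2.2"}

if __name__ == "__main__":
    for name in ("DENY_IP_TO_SUBNET", "DENY_ICMP_ONLY", "DENY_ECHO_ONLY", "NO_PERMIT"):
        acl = globals()[name]
        print(name, [evaluate(acl, p) for p in (PING, REPLY, TCP, OTHER)])
```
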

