lost telnet access to Router

Answered Question
Jan 3rd, 2010

Hi,

I applied the following ACL on the router WAN interface:


2650(config)#int fa0/0
2650(config-if)#ip access-group 102 in
2650(config-if)#exit

2650(config)#access-list 102 deny icmp any any echo-reply


After applying this I lost telnet access to the router and was also unable to ping it.

Can someone explain to me why this happened?


I was trying to block ping requests to the router, but at the same time I want to have telnet access to the router.


thanks

mahesh

ohassairi Sun, 01/03/2010 - 02:20

Any access-list ends with an implicit deny any any, even if you did not write it.


You wrote: access-list 102 deny icmp any any echo-reply

This is equal to:

access-list 102 deny icmp any any echo-reply

access-list 102 deny ip any any


So you denied everything.


Your ACL should be like this:


access-list 102 deny icmp any any echo-reply

access-list 102 permit ip any any


So you need to add the second line: permit ip any any

mahesh18 Sun, 01/03/2010 - 02:24

Hi,

Thanks for the reply.

So if I add access-list 102 permit ip any any, then I will be able to access the router by telnet?

Correct me if I am wrong: that ACL will block only ping requests to my network and allow telnet to my router?


thanks

mahesh

Kent Heide Sun, 01/03/2010 - 02:50

Yes, but it will allow anything other than ICMP. If you're enforcing a strict management policy (which you should; management is critical), then your ACL should look something like this.


ip access-list extended MGMT

permit tcp any any eq 23


line vty 0 4

! access-class (not access-group) is the command that binds an ACL to VTY lines
access-class MGMT in


That is for the VTY line.


If you're slamming it on the interface (and you're not using CBAC etc.) you'll have to have the permit any any, sadly.

mahesh18 Sun, 01/03/2010 - 05:05

Hi Kent,


Thanks for the reply.


So in order to have telnet access to the router and block incoming pings to the router, I can do the following on the WAN interface:


int fa0/0

ip access-group 102 in

access-list 102 deny icmp any any echo-reply

access-list 102 permit ip any any



thanks

mahesh

Marwan ALshawi Mon, 01/04/2010 - 15:52

access-list 102 deny icmp any any echo-reply   -- this line will prevent the router from sending replies, but it will not deny the incoming echo

access-list 102 permit ip any any


Use this to block incoming echo:


access-list 102 deny icmp any any echo

access-list 102 permit ip any any


Good luck.

If helpful, rate.

Ganesh Hariharan Sun, 01/03/2010 - 04:10

Hi,


Yes, it will permit telnet and block ICMP!!


Regards

Ganesh.H

Correct Answer
ericn8484_2 Mon, 01/04/2010 - 05:28

Are you trying to block pings to any device into your network or are you trying to block the replies from devices?


Having an ACL of


int fa0/0

ip access-group 102 in

access-list 102 deny icmp any any echo-reply

access-list 102 permit ip any any


Will set it up so if you try pinging anything from inside your network to the outside, replies back to you will be blocked from the ACL. However if someone from the outside world tries to ping you, they will do so with success.


If you want to block pings from the outside world into you then you will want to use the ACL:


int fa0/0

ip access-group 102 in

access-list 102 deny icmp any any echo

access-list 102 permit ip any any


This will still allow you to ping the outside world as the replies will not be blocked from returning.

danrya Mon, 01/04/2010 - 22:34

One more comment: these ACLs apply to ALL ICMP echo-replies, not just those from the router.


So, if you apply:

int fa0/0

ip access-group 102 in

access-list 102 deny icmp any any echo-reply

access-list 102 permit ip any any


to the outside (WAN) interface, and you try to ping anything in the outside world, it will not reply.


If you apply:

int fa0/0

ip access-group 102 out

access-list 102 deny icmp any any echo-reply

access-list 102 permit ip any any


It will block you from pinging the router and any other devices on the inside network, because the reply will be blocked on the outbound interface.


For security like this (i.e. protecting the router or network from DDoS attacks), you should apply the ACL inbound, meaning block the echo-request, not the reply (like the last person said):

int fa0/0

ip access-group 102 in

access-list 102 deny icmp any any echo

access-list 102 permit ip any any
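
The implicit deny that ohassairi describes and the echo versus echo-reply distinction that eric and danrya draw can be checked with a small first-match simulator. This is an added example, not code from the thread or from Cisco; the Packet model, the parser and the three ACL and packet sets it uses are constructed for the illustration.

```python
# Added example, not code from the thread: first-match evaluation of the numbered
# extended ACLs quoted above, including the implicit "deny ip any any" at the end.
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    proto: str            # "icmp" or "tcp"
    dst_port: int = 0     # TCP destination port (23 = telnet)
    icmp_type: str = ""   # "echo" (request) or "echo-reply"

def parse_ace(line: str):
    """Parse 'access-list N permit|deny proto any any [echo|echo-reply|eq port]'."""
    tok = line.rstrip(".").split()        # tolerate the trailing '.' in the post
    if tok[:1] != ["access-list"] or tok[2] not in ("permit", "deny"):
        raise ValueError(f"unsupported ACE: {line}")
    action, proto, rest = tok[2], tok[3], tok[6:]
    qual = int(rest[1]) if rest[:1] == ["eq"] else (rest[0] if rest else None)
    return action, proto, qual

def ace_matches(proto, qual, pkt: Packet) -> bool:
    if proto == "ip":                      # "ip" matches every IP packet
        return True
    if proto != pkt.proto:
        return False
    if qual is None:                       # no port/type qualifier: whole protocol
        return True
    return qual == (pkt.dst_port if proto == "tcp" else pkt.icmp_type)

def evaluate(acl_lines, pkt: Packet) -> str:
    """Return 'permit' or 'deny' for pkt: the first matching entry wins."""
    for line in acl_lines:
        action, proto, qual = parse_ace(line)
        if ace_matches(proto, qual, pkt):
            return action
    return "deny"   # implicit deny ip any any that every IOS ACL ends with

# Constructed ACLs: the original post, ohassairi's fix, and the echo-blocking variant.
ACL_ORIGINAL = ["access-list 102 deny icmp any any echo-reply."]
ACL_DENY_REPLY = ACL_ORIGINAL + ["access-list 102 permit ip any any"]
ACL_DENY_ECHO = ["access-list 102 deny icmp any any echo",
                 "access-list 102 permit ip any any"]

# Constructed packets arriving inbound on fa0/0.
TELNET = Packet("tcp", dst_port=23)
PING_REQUEST = Packet("icmp", icmp_type="echo")
PING_REPLY = Packet("icmp", icmp_type="echo-reply")

if __name__ == "__main__":
    for name, acl in [("original", ACL_ORIGINAL), ("deny-reply", ACL_DENY_REPLY),
                      ("deny-echo", ACL_DENY_ECHO)]:
        print(name, [evaluate(acl, p) for p in (TELNET, PING_REQUEST, PING_REPLY)])
```

The original single-line ACL denies the telnet SYN through the implicit deny, the deny-reply variant admits telnet and inbound pings but drops replies to inside hosts, and the deny-echo variant blocks inbound pings while letting replies return.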

mahesh18 Tue, 01/05/2010 - 02:55

Hi danrya,

Thanks for the good explanation.


mahesh

mahesh18 Tue, 01/05/2010 - 02:51

Hi Eric,

Thanks for the great reply. Now ping to my inside network is blocked.


mahesh
