lost telnet access to Router

Answered Question
Jan 3rd, 2010

Hi,

I applied the following ACL on the router WAN interface:

2650(config)#int fa0/0
2650(config-if)#ip access
2650(config-if)#ip access-group 102 in

2650(config)#access-list 102 deny icmp any any echo-reply

After applying this I lost telnet access to the router and was also unable to ping it.

Can someone explain to me why this happened?

I was trying to block ping requests to the router, but at the same time I want to keep telnet access to the router.

thanks

mahesh

Correct Answer by ericn8484_2 about 7 years 3 weeks ago

Are you trying to block pings to any device into your network or are you trying to block the replies from devices?

Having an ACL of

int fa0/0
ip access-group 102 in

access-list 102 deny icmp any any echo-reply
access-list 102 permit ip any any

will set it up so that if you try pinging anything from inside your network to the outside, the replies back to you will be blocked by the ACL. However, if someone from the outside world tries to ping you, they will do so with success.

If you want to block pings from the outside world into you, then you will want to use the ACL:

int fa0/0
ip access-group 102 in

access-list 102 deny icmp any any echo
access-list 102 permit ip any any

This will still allow you to ping the outside world, as the replies will not be blocked from returning.

ohassairi Sun, 01/03/2010 - 02:20

Any access-list ends with an implicit deny any any, even if you did not write it.

You wrote: access-list 102 deny icmp any any echo-reply

This is equal to:

access-list 102 deny icmp any any echo-reply
access-list 102 deny ip any any

So you denied everything.

Your ACL should be like this:

access-list 102 deny icmp any any echo-reply
access-list 102 permit ip any any

So you need to add the second line: permit ip any any

mahesh18 Sun, 01/03/2010 - 02:24

Hi,

Thanks for the reply.

So if I add access-list 102 permit ip any any, then I will be able to access the router by telnet?

Correct me if I am wrong: that ACL will block only ping requests to my network and allow telnet to my router?

thanks

mahesh

Kent Heide Sun, 01/03/2010 - 02:50

Yes, but it will allow anything other than ICMP. If you're enforcing a strict management policy (which you should; management is critical), then your ACL should look something like this.

ip access-list extended MGMT
permit tcp any any eq 23

line vty 0 4
access-class MGMT in

That is for the VTY line (on a line the ACL is attached with access-class, not access-group).

If you're slamming it on the interface (and you're not using CBAC etc.), you'll have to have the permit any any, sadly.

mahesh18 Sun, 01/03/2010 - 05:05

Hi Kent,

Thanks for the reply.

So in order to have telnet access to the router and block incoming pings to the router, I can do the following on the WAN interface:

int fa0/0
ip access-group 102 in

access-list 102 deny icmp any any echo-reply
access-list 102 permit ip any any

thanks

mahesh

Marwan ALshawi Mon, 01/04/2010 - 15:52

access-list 102 deny icmp any any echo-reply -- this line will stop the router from sending replies, but it will not deny the incoming echo
access-list 102 permit ip any any

Use this to block incoming echo:

access-list 102 deny icmp any any echo
access-list 102 permit ip any any

Good luck.

If helpful, rate.


danrya Mon, 01/04/2010 - 22:34

One more comment: these ACLs apply to ALL ICMP echo-replies, not just those from the router.

So, if you apply:

int fa0/0
ip access-group 102 in

access-list 102 deny icmp any any echo-reply
access-list 102 permit ip any any

to the outside (WAN) interface, and you try to ping anything in the outside world, it will not reply.

If you apply:

int fa0/0
ip access-group 102 out

access-list 102 deny icmp any any echo-reply
access-list 102 permit ip any any

it will block you from pinging the router and any other devices on the inside network, because the reply will be blocked on the outbound interface.

For security like this (i.e. protecting the router or network from DDoS attacks), you should apply the ACL inbound, meaning block the echo-request, not the reply (like the last person said):

int fa0/0
ip access-group 102 in

access-list 102 deny icmp any any echo
access-list 102 permit ip any any
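The three points made in this thread (the implicit deny at the end of every ACL that ohassairi explained, the echo versus echo-reply distinction from ericn8484_2 and Marwan, and danrya's in versus out direction) can be checked with a small model of how IOS evaluates a numbered extended ACL. The code below is an added example and is not from the forum thread or from Cisco; it handles only the subset of syntax the thread uses (protocol ip, icmp or tcp, source and destination "any any", an optional ICMP type or "eq PORT"), assumes first-match semantics with an implicit "deny ip any any" at the end, and the sample packets are constructed for the demonstration.

```python
# Added example (not from the forum thread): a tiny model of Cisco IOS
# numbered extended ACL evaluation, limited to the syntax used in the thread.
# It shows why the original one-line ACL (deny echo-reply + implicit deny)
# dropped telnet, and what each corrected variant does to traffic on fa0/0.
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    proto: str            # "icmp" or "tcp"
    direction: str        # "in" (arriving on fa0/0 from the WAN) or "out" (leaving to the WAN)
    icmp_type: str = ""   # "echo" (request) or "echo-reply"
    dport: int = 0        # TCP destination port


IMPLICIT_DENY = "deny ip any any (implicit)"


def parse_acl(lines):
    """Parse 'access-list N {permit|deny} PROTO any any [echo|echo-reply|eq PORT]'.
    Only 'any any' is accepted; addresses and wildcards are not modelled here."""
    rules = []
    for line in lines:
        parts = line.split()
        if parts[:1] != ["access-list"] or parts[4:6] != ["any", "any"]:
            raise ValueError(f"unsupported line: {line}")
        action, proto, qualifier = parts[2], parts[3], parts[6:]
        rules.append((action, proto, qualifier, " ".join(parts)))
    return rules


def rule_matches(rule, pkt):
    _, proto, qualifier, _ = rule
    if proto == "ip":                    # 'ip' matches every protocol
        return True
    if proto != pkt.proto:
        return False
    if not qualifier:                    # 'deny icmp any any' with no type matches all ICMP
        return True
    if proto == "icmp":
        return qualifier == [pkt.icmp_type]
    if proto == "tcp" and qualifier[0] == "eq":
        return int(qualifier[1]) == pkt.dport
    return False


def evaluate(rules, pkt):
    """First match wins; no match at all means the implicit deny at the end."""
    for rule in rules:
        if rule_matches(rule, pkt):
            return rule[0], rule[3]
    return "deny", IMPLICIT_DENY


def filter_on_interface(rules, acl_direction, pkt):
    """An ACL applied 'in' only sees packets entering the interface and one
    applied 'out' only packets leaving it; the other direction is never checked."""
    if pkt.direction != acl_direction:
        return "permit", f"not evaluated (ACL applied {acl_direction})"
    return evaluate(rules, pkt)


# The ACLs quoted in the thread
ORIGINAL = ["access-list 102 deny icmp any any echo-reply"]          # the poster's single line
DENY_REPLY = ORIGINAL + ["access-list 102 permit ip any any"]
DENY_ECHO = ["access-list 102 deny icmp any any echo",
             "access-list 102 permit ip any any"]

# Constructed sample traffic on the WAN interface fa0/0
TELNET_IN = Packet("tcp", "in", dport=23)         # admin telnetting to the router from the WAN
PING_IN = Packet("icmp", "in", "echo")            # outside host pings the router or inside network
REPLY_IN = Packet("icmp", "in", "echo-reply")     # answer to a ping an inside host sent out
REPLY_OUT = Packet("icmp", "out", "echo-reply")   # inside host answering PING_IN


def verdicts(acl_lines, acl_direction="in"):
    """Map each sample packet to the action the ACL takes when applied in acl_direction."""
    rules = parse_acl(acl_lines)
    samples = [("telnet_in", TELNET_IN), ("ping_in", PING_IN),
               ("reply_in", REPLY_IN), ("reply_out", REPLY_OUT)]
    return {name: filter_on_interface(rules, acl_direction, pkt)[0] for name, pkt in samples}


if __name__ == "__main__":
    for label, acl, d in [("original (in)", ORIGINAL, "in"),
                          ("deny echo-reply (in)", DENY_REPLY, "in"),
                          ("deny echo-reply (out)", DENY_REPLY, "out"),
                          ("deny echo (in)", DENY_ECHO, "in")]:
        print(f"{label:24} {verdicts(acl, d)}")
```

Running it shows the original ACL denying telnet, inbound pings and inbound replies alike (every non-matching packet falls through to the implicit deny), the echo-reply variant letting telnet and inbound pings through while dropping replies to your own pings, and the echo variant blocking inbound ping requests while keeping telnet and your own outbound pings working. One caveat the model deliberately leaves out: on IOS an outbound interface ACL does not filter packets the router itself generates, so "reply_out" here represents a host behind the router, not the router's own echo-replies.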

mahesh18 Tue, 01/05/2010 - 02:51

Hi Eric,

Thanks for the great reply. Now ping to my inside network is blocked.

mahesh
