lost telnet access to Router

mahesh18
Level 6

Hi,

I applied the following ACL on the router's WAN interface:

2650(config)#int fa0/0
2650(config-if)#ip access
2650(config-if)#ip access-group 102 in

2650(config)#access-list 102 deny icmp any any echo-reply

After applying this I lost telnet access to the router and am also unable to ping it.

Can someone explain to me why this happened?

I was trying to block ping requests to the router, but at the same time I want to keep telnet access to the router.

thanks

mahesh

Accepted Solution

Are you trying to block pings to any device into your network or are you trying to block the replies from devices?

Having an ACL of

int fa0/0

ip access-group 102 in

access-list 102 deny icmp any any echo-reply

access-list 102 permit ip any any

Will set it up so if you try pinging anything from inside your network to the outside, replies back to you will be blocked from the ACL. However if someone from the outside world tries to ping you, they will do so with success.

If you want to block pings from the outside world into you then you will want to use the ACL:

int fa0/0

ip access-group 102 in

access-list 102 deny icmp any any echo

access-list 102 permit ip any any

This will still allow you to ping the outside world as the replies will not be blocked from returning.


10 Replies

ohassairi
Level 5

Any access-list ends with an implicit deny any any, even if you did not write it.

You wrote: access-list 102 deny icmp any any echo-reply

This is equal to:

access-list 102 deny icmp any any echo-reply

access-list 102 deny ip any any

So you denied everything.

Your ACL should look like this:

access-list 102 deny icmp any any echo-reply

access-list 102 permit ip any any

So you need to add the second line: permit ip any any

Hi

Thanks for the reply.

So if I add access-list 102 permit ip any any, then I will be able to access the router by telnet?

Correct me if I am wrong: that ACL will block only ping requests to my network and allow telnet to my router?

thanks

mahesh

Yes, but it will allow anything other than ICMP. If you're enforcing a strict management policy (which you should; management is critical), then your ACL should look something like this:

ip access-list extended MGMT

permit tcp any any eq 23

line vty 0 4

access-class MGMT in

That is for the VTY line.

If you're slamming it on the interface (and you're not using cbac etc) you'll have to have the permit any any sadly.

Hi Kent,

Thanks for the reply.

So in order to have telnet access to the router and block incoming pings to the router, I can do the following on the WAN interface:

int fa0/0

ip access-group 102 in

access-list 102 deny icmp any any echo-reply

access-list 102 permit ip any any

thanks

mahesh

access-list 102 deny icmp any any echo-reply -- this line will deny the router from sending a reply, but it will not deny the incoming echo.

access-list 102 permit ip any any

Use this to block incoming echo:

access-list 102 deny icmp any any echo

access-list 102 permit ip any any

good luck

If helpful, rate.

Hi,

Yes, it will permit telnet and block ICMP!

Regards

Ganesh.H

One more comment: these ACLs apply to ALL ICMP echo-replies, not just those from the router.

So, if you apply:

int fa0/0

ip access-group 102 in

access-list 102 deny icmp any any echo-reply

access-list 102 permit ip any any

to the outside (WAN) interface and you try to ping anything in the outside world, it will not reply.

If you apply:

int fa0/0

ip access-group 102 out

access-list 102 deny icmp any any echo-reply

access-list 102 permit ip any any

It will block you from pinging the router and any other devices on the inside network, because the reply will be blocked on the outbound interface.

For security like this (i.e. protecting the router or network from DDoS attacks), you should apply the ACL inbound, meaning block the echo-request, not the reply (like the last person said):

int fa0/0

ip access-group 102 in

access-list 102 deny icmp any any echo

access-list 102 permit ip any any
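To make the two points raised in this thread concrete (the implicit deny at the end of every ACL, and the difference between matching echo versus echo-reply on the inbound WAN interface), here is a small added example: a Python simulator of Cisco-style extended ACL evaluation. It is not code from the original thread or from Cisco; the packet samples and addresses are constructed, every line is assumed to use "any any" (so addresses are not compared), and the vty access-class case is modelled only as plain ACL matching, not as traffic destined to the router itself.

```python
"""Added example (not from the thread): simulate how an IOS extended ACL
evaluates packets arriving inbound on the WAN interface, including the
implicit "deny ip any any" that ends every access list."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str                       # "icmp", "tcp" or "udp"
    src: str                         # constructed sample addresses only
    dst: str
    dport: Optional[int] = None      # TCP/UDP destination port
    icmp_type: Optional[str] = None  # "echo" (request) or "echo-reply"


# (action, proto, icmp_type, dport). Addresses are ignored because every
# ACL line in the thread uses "any any" (assumption of this example).
Entry = Tuple[str, str, Optional[str], Optional[int]]


def parse_acl(lines: List[str]) -> List[Entry]:
    """Parse numbered ('access-list 102 deny icmp any any echo') or named
    ('permit tcp any any eq 23') extended ACL lines, in the order given."""
    entries: List[Entry] = []
    for line in lines:
        parts = line.strip().rstrip(".").split()   # tolerate a stray trailing period
        if parts[:1] == ["access-list"]:           # numbered form: drop "access-list <n>"
            parts = parts[2:]
        action, proto, qualifiers = parts[0], parts[1], parts[4:]
        icmp_type: Optional[str] = None
        dport: Optional[int] = None
        if proto == "icmp" and qualifiers:
            icmp_type = qualifiers[0]              # "echo" or "echo-reply"
        elif proto in ("tcp", "udp") and qualifiers[:1] == ["eq"]:
            dport = 23 if qualifiers[1] == "telnet" else int(qualifiers[1])
        entries.append((action, proto, icmp_type, dport))
    return entries


def evaluate(acl: List[Entry], pkt: Packet) -> str:
    """First matching entry wins; no match hits the implicit deny."""
    for action, proto, icmp_type, dport in acl:
        if proto != "ip" and proto != pkt.proto:
            continue
        if icmp_type is not None and icmp_type != pkt.icmp_type:
            continue
        if dport is not None and dport != pkt.dport:
            continue
        return action
    return "deny"   # the implicit "deny ip any any" nobody writes


# The ACLs discussed in the thread.
AS_POSTED = ["access-list 102 deny icmp any any echo-reply"]
WITH_PERMIT = AS_POSTED + ["access-list 102 permit ip any any"]
BLOCK_ECHO = ["access-list 102 deny icmp any any echo",
              "access-list 102 permit ip any any"]
MGMT = ["permit tcp any any eq 23"]   # the named vty ACL, implicit deny after it

# Constructed sample packets arriving inbound on the WAN interface:
# an outside host opening telnet, an outside host pinging us, and the
# echo-reply coming back for a ping we sent out.
SAMPLES: Dict[str, Packet] = {
    "telnet_in":     Packet("tcp", "203.0.113.5", "198.51.100.1", dport=23),
    "echo_in":       Packet("icmp", "203.0.113.5", "198.51.100.1", icmp_type="echo"),
    "echo_reply_in": Packet("icmp", "203.0.113.5", "198.51.100.1", icmp_type="echo-reply"),
}


def verdicts(acl_lines: List[str]) -> Dict[str, str]:
    """Return the permit/deny verdict for each sample packet under one ACL."""
    acl = parse_acl(acl_lines)
    return {name: evaluate(acl, pkt) for name, pkt in SAMPLES.items()}


if __name__ == "__main__":
    for label, lines in [("as posted", AS_POSTED), ("with permit", WITH_PERMIT),
                         ("block echo", BLOCK_ECHO), ("vty MGMT", MGMT)]:
        print(f"{label:12} {verdicts(lines)}")
```

Running it shows why the original poster was locked out: with only the echo-reply line, telnet and everything else falls through to the implicit deny. Adding permit ip any any restores telnet but still only drops replies to the router's own outbound pings, while the echo variant is the one that actually stops outside hosts from pinging in.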

Hi Danry,

Thanks for the good explanation.

mahesh

Hi Eric

Thanks for the great reply. Now ping to my inside network is blocked.

mahesh
