Gateway Router - Blocking Inbound ICMP

Unanswered Question
Mar 7th, 2010

I currently have a Cisco 851 router that I recently bought, and I am trying to block inbound ICMP traffic to my Router/LAN.

I recently added these entries into my inbound ACL:

access-list 101 deny icmp any any echo
access-list 101 deny icmp any any redirect
access-list 101 deny icmp any any mask-request
access-list 101 deny icmp any any fragments

However, when I ping my WAN IP remotely, I get:

"Destination network unreachable"

Instead of...

"Request Timed Out...", like I would usually get on my old WRT54GL that was set to block ICMP.

Is there a way to prevent the "network unreachable" messages from going out?

Giuseppe Larosa Sun, 03/07/2010 - 01:52

Hello Steven,

On what interface have you applied the ACL, and in what direction?

When you say you ping remotely, you mean you are pinging from the internet?

Hope to help


Steven Tolzmann Sun, 03/07/2010 - 02:09

The 101 ACL is configured for inbound traffic on my FastEthernet4 interface (WAN interface).

Yes I am pinging from the internet side.

My interfaces are as follows:

(VLAN1) []


FastEthernet1                 <<<< SWITCH PORTS



FastEthernet4                <<< WAN INTERFACE

fe4 is my outside NAT, and Vlan1 is my inside NAT. All my inside hosts share my WAN IP address. Typical router setup for home internet use.

milan.kulik Sun, 03/07/2010 - 04:50


I'd expect your ACL to block incoming pings if applied correctly :-(

You might be getting "Network Unreachables" ICMP replies if you were running a trace from another Cisco router - it would be sending UDP instead of ICMP.

Have you tried to configure

no ip unreachables

on your WAN interface?
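A check to pair with the suggestion above, as an added example that is not from any poster in the thread: a Python decoder for ICMP destination-unreachable messages taken from a capture on the remote side, to confirm whether the router still answers denied pings after `no ip unreachables`. The sample packet, its documentation-range addresses and its code 13 are constructed assumptions, not values from the thread.

```python
import struct

# ICMP type 3 (destination unreachable) codes relevant to filtered pings
UNREACH_CODES = {0: "network unreachable", 1: "host unreachable",
                 3: "port unreachable", 13: "administratively prohibited"}

def inet_checksum(data: bytes) -> int:
    """RFC 1071 Internet checksum; returns 0 over a message whose checksum is valid."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def decode_unreachable(icmp: bytes):
    """Decode an ICMP message (IP header already stripped).
    Returns None for anything that is not type 3."""
    if len(icmp) < 8 or inet_checksum(icmp) != 0:
        raise ValueError("truncated message or bad ICMP checksum")
    if icmp[0] != 3:
        return None
    quoted = icmp[8:]                      # original IP header + first 8 payload bytes
    ihl = (quoted[0] & 0x0F) * 4 if quoted else 0
    if ihl < 20 or len(quoted) < ihl + 8:
        raise ValueError("quoted datagram is truncated")
    inner = quoted[ihl:ihl + 8]
    return {"reason": UNREACH_CODES.get(icmp[1], f"code {icmp[1]}"),
            "probe_src": ".".join(map(str, quoted[12:16])),
            "probe_dst": ".".join(map(str, quoted[16:20])),
            # protocol 1 = ICMP, inner type 8 = echo request (a ping)
            "probe_is_echo": quoted[9] == 1 and inner[0] == 8}

def build_sample() -> bytes:
    """Constructed sample: unreachable quoting a ping 198.51.100.7 -> 203.0.113.10."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 60, 1, 0, 56, 1, 0,
                     bytes([198, 51, 100, 7]), bytes([203, 0, 113, 10]))
    echo = struct.pack("!BBHHH", 8, 0, 0, 1, 1)
    body = struct.pack("!BBHI", 3, 13, 0, 0) + ip + echo
    return body[:2] + struct.pack("!H", inet_checksum(body)) + body[4:]

if __name__ == "__main__":
    print(decode_unreachable(build_sample()))
```

If the remote capture shows no type 3 message that quotes your ping after the change, the router is dropping silently and the sender sees a timeout.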



