
Gateway Router - Blocking Inbound ICMP

Steven Tolzmann
Level 1

I currently have a Cisco 851 router that I recently bought, and I am trying to block inbound ICMP traffic to my Router/LAN.

I recently added these entries into my inbound ACL:

access-list 101 deny icmp any any echo
access-list 101 deny icmp any any redirect
access-list 101 deny icmp any any mask-request
access-list 101 deny icmp any any fragments

However when I ping my WAN IP remotely, I get:

"Destination network unreachable"

Instead of...

"Request Timed Out..." Like I would usually get on my old WRT54GL that was set to block ICMP.

Is there a way to prevent the "network unreachable" messages from going out?

3 Replies

Giuseppe Larosa
Hall of Fame

Hello Steven,

On what interface have you applied the ACL, and in what direction?

When you say you ping remotely, do you mean you are pinging from the internet?

Hope to help

Giuseppe

The 101 ACL is configured for inbound traffic on my FastEthernet4 interface (WAN interface).

Yes I am pinging from the internet side.

My interfaces are as follows:

(VLAN1) [10.10.0.1]
FastEthernet0
FastEthernet1                 <<<< SWITCH PORTS
FastEthernet2
FastEthernet3
FastEthernet4                <<< WAN INTERFACE

fe4 is my outside NAT, and Vlan1 is my inside NAT. All my inside hosts share my WAN IP address. Typical router setup for home internet use.

Hi,

I'd expect your ACL to block incoming pings if applied correctly :-(

You might be getting "Network Unreachables" ICMP replies if you were running a trace from another Cisco router - it would be sending UDP instead of ICMP.

Have you tried to configure

no ip unreachables

on your WAN interface?

HTH,

Milan
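
The ACL from the original post together with the `no ip unreachables` suggestion from the last reply, laid out as a before/after configuration. This is an added example, not posted by anyone in the thread; the interface name and ACL number are the ones the posters give, and the remaining ACL 101 entries are assumed to stay as they are.

```cisco
! Added example, not from the thread.
!
! Before: ACL 101 denies the echo request inbound on the WAN interface,
! but the router still answers the sender with an ICMP unreachable for
! denied packets (rate-limited), which is what the remote ping reports.
access-list 101 deny icmp any any echo
access-list 101 deny icmp any any redirect
access-list 101 deny icmp any any mask-request
access-list 101 deny icmp any any fragments
! ... the existing permit/deny entries of ACL 101 follow unchanged ...
!
interface FastEthernet4
 ip access-group 101 in
!
! After: same ACL, with unreachables suppressed on the WAN interface so
! denied packets are dropped without a reply.
interface FastEthernet4
 ip access-group 101 in
 no ip unreachables
!
! Checks from privileged exec mode:
!   show ip interface FastEthernet4 | include unreachables
!   show access-lists 101     (the deny counters should keep incrementing)
```

`no ip unreachables` also stops the router from generating other ICMP unreachables on that interface, including the fragmentation-needed messages that path MTU discovery relies on.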
