03-07-2010 12:17 AM - edited 03-04-2019 07:44 AM
I currently have a Cisco 851 router that I recently bought, and I am trying to block inbound ICMP traffic to my Router/LAN.
I recently added these entries into my inbound ACL:
access-list 101 deny icmp any any echo
access-list 101 deny icmp any any redirect
access-list 101 deny icmp any any mask-request
access-list 101 deny icmp any any fragments
However, when I ping my WAN IP remotely, I get:
"Destination network unreachable"
Instead of...
"Request Timed Out..." like I would usually get on my old WRT54GL that was set to block ICMP.
Is there a way to prevent the "network unreachable" messages from going out?
03-07-2010 01:52 AM
Hello Steven,
On what interface have you applied the ACL, and in what direction?
When you say you ping remotely, do you mean you are pinging from the internet?
Hope to help
Giuseppe
03-07-2010 02:09 AM
The 101 ACL is configured for inbound traffic on my FastEthernet4 interface (WAN interface).
Yes I am pinging from the internet side.
My interfaces are as follows:
(VLAN1) [10.10.0.1]
FastEthernet0
FastEthernet1 <<<< SWITCH PORTS
FastEthernet2
FastEthernet3
FastEthernet4 <<< WAN INTERFACE
fe4 is my outside NAT interface, and VLAN1 is my inside NAT interface. All my inside hosts share my WAN IP address. Typical router setup for home internet use.
03-07-2010 04:50 AM
Hi,
I'd expect your ACL to block incoming pings if applied correctly :-(
You might be getting "Network Unreachables" ICMP replies if you were running a trace from another Cisco router - it would be sending UDP instead of ICMP.
Have you tried to configure
no ip unreachables
on your WAN interface?
HTH,
Milan
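The following is an added illustration and not configuration posted by anyone in this thread. It combines Steven's four deny entries with Milan's "no ip unreachables" suggestion on the WAN interface, and shows the commands used to confirm the result. The "ip address dhcp" line and the "description" text are assumptions; whatever permit entries already exist in ACL 101 are assumed to come before these denies, and the ACL still ends with the implicit "deny ip any any".

```ios
! Added example, not the original poster's running-config.
! Permit entries already present in ACL 101 are assumed to precede these lines.
access-list 101 deny icmp any any echo
access-list 101 deny icmp any any redirect
access-list 101 deny icmp any any mask-request
access-list 101 deny icmp any any fragments
!
interface FastEthernet4
 description WAN (assumed description)
 ip address dhcp
 ip nat outside
 ip access-group 101 in
 no ip unreachables
!
! "no ip unreachables" stops the router from generating ICMP type 3 messages,
! including the "administratively prohibited" (type 3, code 13) reply that IOS
! sends when an inbound ACL drops a packet. With it in place a remote ping of
! the WAN address gets no answer at all and times out instead of reporting
! "Destination network unreachable".
!
! Verification from enable mode:
! show ip access-lists 101
!   -> the "deny icmp any any echo" line should show matches increasing
!      each time the WAN address is pinged from outside.
! show running-config interface FastEthernet4
!   -> confirm "no ip unreachables" and "ip access-group 101 in" are present.
```

Note that suppressing unreachables on the WAN interface also silences the unreachables the router would otherwise send for other dropped traffic on that interface (for example traceroute probes from outside), which is usually the intended behaviour for a home edge router but is worth knowing when troubleshooting later.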