Deny ICMP, Allow SSH

Apr 27th, 2010

Hi, I have a Cisco 2960. I set an ACL to block ICMP but I cannot connect using SSH now.

Correct Answer by Reza Sharifi about 6 years 11 months ago

Reza Sharifi Tue, 04/27/2010 - 16:38

Hi Damian,


Remember that there is a default deny ip any any at the end of any access list.


So you need to add:

"access-list xxx permit IP any any" at the end of your access list to allow everything else.


HTH

Reza

Federico Coto F... Tue, 04/27/2010 - 16:40

Hi,


Perhaps the ACL is not just blocking ICMP.

If the ACL blocks SSH as well, that might be the problem.


Check that the statement is something like this:


access-list 101 deny icmp any host x.x.x.x


The above ACL will only block ICMP.


Another important thing is that if you only have the above line, all subsequent connections are going to be blocked (because there's an implicit deny everything else at the end of the ACL).


So, if your goal is to deny only ICMP, enter the above line and then:


access-list 101 permit ip any any


Hope it helps.


Federico.
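The first-match rule and implicit deny that both answers describe, as an added example that is not part of the original thread: a small Python model of ACL evaluation showing why SSH fails with only the ICMP deny line, and why the permit line has to come last. The addresses, list names and helper functions are constructed for illustration, and only `any` and `host A.B.C.D` address forms are modelled (no ports or wildcard masks).

```python
from ipaddress import ip_address, ip_network

def _addr(tokens):
    """Consume 'any' or 'host A.B.C.D' and return (network, remaining tokens)."""
    if tokens and tokens[0] == "any":
        return ip_network("0.0.0.0/0"), tokens[1:]
    if len(tokens) >= 2 and tokens[0] == "host":
        return ip_network(tokens[1] + "/32"), tokens[2:]
    raise ValueError("only 'any' and 'host A.B.C.D' are modelled here")

def parse_ace(line):
    """Parse 'access-list N permit|deny PROTO SRC DST' into a tuple."""
    tok = line.split()
    if len(tok) < 6 or tok[0] != "access-list" or tok[2] not in ("permit", "deny"):
        raise ValueError("unsupported ACL line: " + line)
    src, rest = _addr(tok[4:])
    dst, rest = _addr(rest)
    if rest:
        raise ValueError("ports and options are not modelled: " + line)
    return tok[2], tok[3].lower(), src, dst

def evaluate(acl_lines, proto, src, dst):
    """Return (action, reason) for one packet: first match wins, else implicit deny."""
    for n, line in enumerate(acl_lines, 1):
        action, ace_proto, s, d = parse_ace(line)
        # 'ip' matches every IP protocol, so it covers both icmp and tcp (SSH).
        if ace_proto in ("ip", proto) and ip_address(src) in s and ip_address(dst) in d:
            return action, "line %d" % n
    return "deny", "implicit deny"

# Constructed sample values (documentation address ranges), not from the thread.
SWITCH, ADMIN = "192.0.2.10", "198.51.100.5"
ICMP_ONLY = ["access-list 101 deny icmp any host " + SWITCH]
WITH_PERMIT = ICMP_ONLY + ["access-list 101 permit ip any any"]
PERMIT_FIRST = list(reversed(WITH_PERMIT))  # same lines, wrong order

if __name__ == "__main__":
    for name, acl in (("ICMP_ONLY", ICMP_ONLY), ("WITH_PERMIT", WITH_PERMIT),
                      ("PERMIT_FIRST", PERMIT_FIRST)):
        for proto in ("icmp", "tcp"):  # tcp stands in for the SSH session
            print(name, proto, *evaluate(acl, proto, ADMIN, SWITCH))
```

With the permit line placed first, the ICMP deny is never reached, which is why the answers say to add it at the end of the list.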
