how to disable ping to a router

Unanswered Question
Apr 18th, 2011

Hi all

Can anyone tell me how I would turn off ping to a router interface, would I create an icmp access list and apply it inbound using the ip of the interface as the destination address?

cheers

Carl

ton_vanengelen Mon, 04/18/2011 - 06:14

Hi,

Yes, you can create an ACL in which you deny ICMP and apply it to the outside of the interface.

Don't forget to permit anything that is allowed, on both in and outside.

Something like:

  ip access-list extended TEST-OUT
   deny icmp any any
   permit ip any any
  ip access-list extended TEST-IN
   permit ip any any
  interface Vlan10
   ip access-group TEST-OUT out
   ip access-group TEST-IN in

naiduccnp Mon, 04/18/2011 - 06:19

Hi,

You can add an access list to your interface going out to the Internet that blocks all ICMP messages, including ping.

Be careful just stopping ping: by doing this, anyone that pings your public address will see that something is there, just blocking the reply, but they will get an acknowledgment that something is there.

The below one would block ping, but allow all other traffic.

  #ip access-list extended STOP_PING
  #deny icmp any any
  #permit ip any any

Then go into your outbound interface, and apply the access list with the command:

  #ip access-group STOP_PING in

Just to add: this would stop ping, but allow ALL OTHER TRAFFIC to cross your outside interface. I recommend gathering some information about what is a typical access list to set up for some basic security.

And also "no ip redirects" in global config mode should turn off ICMP packets.

Please rate the helpful posts.
Regards,
Naidu.

Antonio Knox Mon, 04/18/2011 - 20:34

If I'm understanding your requirement correctly, then you simply want to block ping to the interface (let's say it's fa0/0: 10.1.1.1/24). If you want to do this, and only this, then your ACL will look like this:

  ip access-list extended BLOCKPING
   remark ICMP types are given bare (no "eq"); "echo" is the echo request that a ping sends to the router
   deny icmp any host 10.1.1.1 echo
   permit ip any any
  interface fa0/0
   ip access-group BLOCKPING in

This will block ping and ping ONLY (which according to your post is all you asked for). Using 'deny icmp any any' on an interface in both directions does block ping to the interface, but it also blocks pings, and any other ICMP messages that may or may not be needed to conduct business, to everything on the network configured to it. So, in a case like that, hosts in the 10.1.1.0/24 network would also not be pingable.

Be careful with the ACLs; being too vague may give you more than you bargained for.
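An added check (example code, not from this thread or from Cisco) that parses IOS-style extended ACL entries like the ones posted above and flags the pitfalls the replies describe: a 'deny icmp any any' that drops every ICMP type to every host behind the interface, and an 'eq echo-reply' entry that is both invalid ICMP syntax and the wrong type for stopping inbound ping. The sample ACLs are constructed for the demonstration.

```python
import re

# Matches one IOS extended ACE: action, protocol, source, destination, trailer.
ACE_RE = re.compile(
    r"^\s*(permit|deny)\s+(\S+)\s+"        # action, protocol
    r"(any|host\s+\S+|\S+\s+\S+)\s+"       # source: any | host A | A wildcard
    r"(any|host\s+\S+|\S+\s+\S+)"          # destination, same forms
    r"(?:\s+(.*?))?\s*$"                   # optional ICMP type / qualifiers
)

# ICMP types a 'deny icmp any any' also drops; PMTUD and traceroute need them.
NEEDED_ICMP = ("unreachable", "time-exceeded", "packet-too-big")

def audit_acl(lines, direction="in"):
    """Return (ace, note) pairs for ICMP deny entries that overshoot or miss
    the goal 'block ping to the router interface, and only that'."""
    findings = []
    for raw in lines:
        m = ACE_RE.match(raw)
        if not m:
            continue                       # not an ACE (remark, blank, ...)
        action, proto, _src, dst, trailer = m.groups()
        if action != "deny" or proto.lower() != "icmp":
            continue
        ace = raw.strip()
        words = (trailer or "").split()
        if dst == "any":
            findings.append((ace, "destination 'any' drops ICMP for every host "
                                  "behind the interface, not only the router"))
        if not words:
            findings.append((ace, "no ICMP type: also drops " +
                                  "/".join(NEEDED_ICMP) + " (PMTUD, traceroute)"))
            continue
        if words[0] == "eq":
            findings.append((ace, "'eq' is a TCP/UDP port keyword; ICMP "
                                  "types are given bare, e.g. 'echo'"))
            words = words[1:]
        if words and words[0] == "echo-reply" and direction == "in":
            findings.append((ace, "inbound 'echo-reply' does not stop "
                                  "incoming echo requests; use 'echo'"))
    return findings

# Constructed sample ACLs mirroring the three suggestions in the thread.
BROAD = ["deny icmp any any", "permit ip any any"]
WRONG_TYPE = ["deny icmp any host 10.1.1.1 eq echo-reply", "permit ip any any"]
NARROW = ["deny icmp any host 10.1.1.1 echo", "permit ip any any"]

if __name__ == "__main__":
    for name, acl in (("BROAD", BROAD), ("WRONG_TYPE", WRONG_TYPE), ("NARROW", NARROW)):
        for ace, note in audit_acl(acl) or [("-", "ok")]:
            print(f"{name}: {ace}: {note}")
```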

Posted April 18, 2011 at 6:07 AM