How to disable ping to a router

Unanswered Question
Apr 18th, 2011

Hi all

Can anyone tell me how I would turn off ping to a router interface? Would I create an ICMP access list and apply it inbound, using the IP of the interface as the destination address?



Ton V Engelen Mon, 04/18/2011 - 06:14


Yes, you can create an ACL in which you deny ICMP and apply it to the outside of the interface.

Don't forget to permit anything that is allowed, on both in and outside.

Something like

ip access-list extended TEST-OUT
 deny icmp any any
 permit ip any any
!
! a named ACL must be declared standard or extended
ip access-list extended TEST-IN
 permit ip any any
!
interface Vlan10
 ip access-group TEST-OUT out
 ip access-group TEST-IN in

Latchum Naidu Mon, 04/18/2011 - 06:19


You can add an access list to your interface going out to the Internet that blocks all ICMP messages, including ping.

Be careful just stopping ping: by doing this, anyone that pings your public address will see that something is there, just blocking the reply, but they will get an acknowledgment that something is there.

The below one would block ping, but allow all other traffic.

ip access-list extended STOP_PING
 deny icmp any any
 permit ip any any

Then go into your outbound interface and apply the access list with the command

ip access-group STOP_PING in

Just to add.... This would stop ping, but allow ALL OTHER TRAFFIC to cross your outside interface. I recommend gathering some information about what is a typical access list to set up for some basic security...

And also "no ip redirects" in global config mode should turn off ICMP packets

Please rate the helpful posts.

Antonio Knox Mon, 04/18/2011 - 20:34

If I'm understanding your requirement correctly, then you simply want to block ping to the interface (let's say it's fa0/0). If you want to do this, and only this, then your ACL will look like this:

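ip access-list extended BLOCKPING
 ! <interface-ip> is a placeholder for the address configured on fa0/0
 ! "echo" matches the ping request; ICMP types are given by name, without "eq"
 deny icmp any host <interface-ip> echo
 permit ip any any
!
interface FastEthernet0/0
 ip access-group BLOCKPING in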

This will block ping and ping ONLY (which according to your post is all you asked for). Using 'deny icmp any any' on an interface in both directions does block ping to the interface, but it also blocks pings, and any other ICMP messages that may or may not be needed to conduct business, to everything on the network configured to it. So, in a case like that, hosts in the network would also not be pingable.

Be careful with the ACLs; being too vague may give you more than you bargain for.
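
Added example, not part of any post in this thread: a small Python model of first-match ACL evaluation that compares the broad `deny icmp any any` entry with an entry that denies only echo requests addressed to the interface. The addresses (documentation ranges), the packet list and all function names are constructed for illustration; it models an inbound ACL only, not IOS itself.

```python
import ipaddress

# Constructed sample addresses: router interface, outside sender, inside host.
ROUTER_IF, OUTSIDE, INSIDE = "192.0.2.1", "198.51.100.7", "192.0.2.50"

# ACL entry: (action, protocol, source, destination, ICMP message or None = any)
BROAD_ACL = [("deny", "icmp", "any", "any", None),
             ("permit", "ip", "any", "any", None)]
NARROW_ACL = [("deny", "icmp", "any", ROUTER_IF, "echo"),
              ("permit", "ip", "any", "any", None)]

def addr_match(rule_addr, pkt_addr):
    # "any" matches everything; a bare address is treated as a single host.
    if rule_addr == "any":
        return True
    return ipaddress.ip_address(pkt_addr) in ipaddress.ip_network(rule_addr)

def evaluate(acl, pkt):
    """First matching entry decides; no match hits the implicit deny."""
    for action, proto, src, dst, icmp_msg in acl:
        if proto != "ip" and proto != pkt["proto"]:
            continue
        if not (addr_match(src, pkt["src"]) and addr_match(dst, pkt["dst"])):
            continue
        if icmp_msg is not None and icmp_msg != pkt.get("icmp"):
            continue
        return action
    return "deny"

def pkt(dst, proto="icmp", icmp=None):
    return {"proto": proto, "src": OUTSIDE, "dst": dst, "icmp": icmp}

# Constructed inbound packets arriving on the outside interface.
PACKETS = {
    "ping to router interface": pkt(ROUTER_IF, icmp="echo"),
    "ping to inside host": pkt(INSIDE, icmp="echo"),
    "echo-reply to inside host": pkt(INSIDE, icmp="echo-reply"),
    "packet-too-big to inside host": pkt(INSIDE, icmp="packet-too-big"),
    "time-exceeded to inside host": pkt(INSIDE, icmp="time-exceeded"),
    "tcp to inside host": pkt(INSIDE, proto="tcp"),
}

def compare():
    """Return {packet name: (verdict under BROAD_ACL, verdict under NARROW_ACL)}."""
    return {n: (evaluate(BROAD_ACL, p), evaluate(NARROW_ACL, p))
            for n, p in PACKETS.items()}

if __name__ == "__main__":
    for name, (broad, narrow) in compare().items():
        print(f"{name:30} broad={broad:6} narrow={narrow}")
```

Under the broad entry the path-MTU and traceroute-related messages to inside hosts are dropped along with ping; the narrow entry drops only echo requests sent to the interface address.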

