04-18-2011 06:07 AM - edited 03-06-2019 04:40 PM
Hi all
Can anyone tell me how I would turn off ping to a router interface, would I create an icmp access list and apply it inbound using the ip of the interface as the destination address?
cheers
Carl
04-18-2011 06:14 AM
Hi,
yes, you can create an ACL in which you deny ICMP and apply it to the outside of the interface.
Don't forget to permit anything that is allowed, on both the in and the out side.
Something like
ip access-list extended TEST-OUT
 deny icmp any any
 permit ip any any
ip access-list extended TEST-IN
 permit ip any any
interface Vlan10
 ip access-group TEST-OUT out
 ip access-group TEST-IN in
04-18-2011 06:19 AM
Hi,
You can add an access list to your interface going out to the Internet that blocks all ICMP messages, including ping.
Be careful just stopping ping: by doing this, anyone that pings your public address will see that something is there, just blocking the reply, but they will still get an acknowledgment that something is there.
The below one would block ping, but allow all other traffic.
#ip access-list extended STOP_PING
#deny icmp any any
#permit ip any any
then go into your outbound interface, and apply the access list with the command,
#ip access-group STOP_PING in
Just to add.... This would stop ping, but allow ALL OTHER TRAFFIC to cross your outside interface. I recommend gathering some information about what is a typical access list to set up for some basic security...
And also "no ip redirects" in global config mode should turn off ICMP packets
Please rate the helpful posts.
Regards,
Naidu.
04-18-2011 08:34 PM
If I'm understanding your requirement correctly, then you simply want to block ping to the interface (let's say it's fa0/0:10.1.1.1/24). If you want to do this, and only this, then your acl will look like this:
ip access-list extended BLOCKPING
 ! ping to the interface arrives as an ICMP echo request addressed to 10.1.1.1
 deny icmp any host 10.1.1.1 echo
 permit ip any any
interface FastEthernet0/0
 ip access-group BLOCKPING in
This will block ping and ping ONLY (which according to your post is all you asked for). Using 'deny icmp any any' on an interface in both directions does block ping to the interface, but it also blocks pings, and any other ICMP messages that may or may not be needed to conduct business, to everything on the network configured to it. So, in a case like that, hosts in the 10.1.1.0/24 network would also not be pingable.
Be careful with the ACLs, being too vague may give you more than you bargain for.
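As an added example (not from any of the posters above), the same idea carried one step further: drop echo requests aimed at the interface address only, while explicitly keeping the ICMP types that hosts behind the router rely on for path MTU discovery and error reporting, so that the ACL does not silently break them the way 'deny icmp any any' would. Interface fa0/0 and address 10.1.1.1/24 are taken from the post above; the log keyword gives a counter to confirm the entry is matching during a test ping.

```cisco
ip access-list extended BLOCKPING
 remark drop ICMP echo requests addressed to this interface; everything else untouched
 deny icmp any host 10.1.1.1 echo log
 remark keep ICMP error/diagnostic messages needed by hosts on 10.1.1.0/24
 permit icmp any 10.1.1.0 0.0.0.255 packet-too-big
 permit icmp any 10.1.1.0 0.0.0.255 unreachable
 permit icmp any 10.1.1.0 0.0.0.255 time-exceeded
 permit icmp any 10.1.1.0 0.0.0.255 echo-reply
 remark hosts behind the router stay pingable from outside; only the router address is hidden
 permit icmp any 10.1.1.0 0.0.0.255 echo
 permit ip any any
!
interface FastEthernet0/0
 ip address 10.1.1.1 255.255.255.0
 ip access-group BLOCKPING in
```

After applying it, 'show ip access-lists BLOCKPING' shows a match count on the deny line when the interface address is pinged, while pings to 10.1.1.0/24 hosts still get replies.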