47428 Views | 18 Helpful | 3 Replies

how to disable ping to a router

carl_townshend
Spotlight

Hi all

Can anyone tell me how I would turn off ping to a router interface? Would I create an ICMP access list and apply it inbound, using the IP of the interface as the destination address?

cheers

Carl

3 Replies

Ton V Engelen
Level 3

Hi,

Yes, you can create an ACL in which you deny ICMP and apply it to the outside of the interface.

Don't forget to permit anything that is allowed, both inbound and outbound.

Something like:

ip access-list extended TEST-OUT
 deny icmp any any
 permit ip any any
!
! A named IP ACL must be declared standard or extended; "ip access-list TEST-IN" alone is not accepted
ip access-list extended TEST-IN
 permit ip any any
!
interface Vlan10
 ip access-group TEST-OUT out
 ip access-group TEST-IN in

Hi,

You can add an access list to your interface going out to the Internet that blocks all ICMP messages, including ping.

Be careful about just stopping ping: by doing this, anyone who pings your public address will see that something is there. You are just blocking the reply, but they will still get an acknowledgment that something is there.

The one below would block ping, but allow all other traffic:

ip access-list extended STOP_PING
 deny icmp any any
 permit ip any any

Then go into your outbound interface and apply the access list with the command:

 ip access-group STOP_PING in

Just to add... This would stop ping, but allow ALL OTHER TRAFFIC to cross your outside interface. I recommend gathering some information about what a typical access list looks like for setting up some basic security...

And also "no ip redirects" in global config mode should turn off ICMP packets


Please rate the helpful posts.
Regards,
Naidu.

If I'm understanding your requirement correctly, then you simply want to block ping to the interface (let's say it's fa0/0: 10.1.1.1/24). If you want to do this, and only this, then your ACL will look like this:

ip access-list extended BLOCKPING
 ! ICMP entries take the message type directly after the destination ("eq" is only for TCP/UDP ports);
 ! an inbound ping request is type "echo", so that is the type to deny here
 deny icmp any host 10.1.1.1 echo
 permit ip any any
!
interface FastEthernet0/0
 ip access-group BLOCKPING in

This will block ping and ping ONLY (which, according to your post, is all you asked for). Using 'deny icmp any any' on an interface in both directions does block ping to the interface, but it also blocks pings, and any other ICMP messages that may or may not be needed to conduct business, to everything on the network configured on it. So, in a case like that, hosts in the 10.1.1.0/24 network would also not be pingable.

Be careful with ACLs; being too vague may give you more than you bargained for.
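As an added example that is not part of any reply in this thread, the script below models how IOS evaluates an extended ACL (first matching entry wins, implicit deny at the end) and runs constructed packets through the two ACL shapes proposed above: "deny icmp any any" and a deny limited to echo requests aimed at the interface address. The LAN host 10.1.1.50, the remote host 10.2.2.2 and the packets themselves are constructed for the example; the model ignores wildcard masks and TCP/UDP ports. Two facts it relies on: for ICMP the message type follows the destination with no "eq" keyword, and the packet a host sends when it pings the router is type echo (echo-reply is the answer to the router's own pings). It also does not model the IOS behaviour that an outbound ACL never filters packets the router itself originates, which is why the deny that stops pings to the interface is the one applied inbound.

```python
"""Model of IOS extended-ACL evaluation for the ACLs proposed in this thread.

Added example, not code from the original posts. Implements first-match
evaluation with the implicit deny, then runs constructed packets through
the proposed ACLs to show what each one actually drops.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Packet:
    proto: str                       # "icmp", "tcp" or "udp"
    src: str                         # source IPv4 address
    dst: str                         # destination IPv4 address
    icmp_type: Optional[str] = None  # "echo" (request) or "echo-reply" for ICMP


@dataclass(frozen=True)
class Ace:
    """One access-control entry, e.g. Ace("deny", "icmp", "any", "10.1.1.1/32", "echo")."""
    action: str                      # "permit" or "deny"
    proto: str                       # "ip" matches every protocol
    src: str                         # "any" or a CIDR prefix
    dst: str                         # "any" or a CIDR prefix
    icmp_type: Optional[str] = None  # None matches every ICMP type


def _addr_matches(spec: str, addr: str) -> bool:
    return spec == "any" or ip_address(addr) in ip_network(spec, strict=False)


def ace_matches(ace: Ace, pkt: Packet) -> bool:
    if ace.proto != "ip" and ace.proto != pkt.proto:
        return False
    if not (_addr_matches(ace.src, pkt.src) and _addr_matches(ace.dst, pkt.dst)):
        return False
    # An ICMP type qualifier only narrows the match; no qualifier matches all types.
    return ace.icmp_type is None or ace.icmp_type == pkt.icmp_type


def evaluate(acl: list, pkt: Packet) -> str:
    """First matching entry decides; every IOS ACL ends with an implicit deny."""
    for ace in acl:
        if ace_matches(ace, pkt):
            return ace.action
    return "deny"


# The ACL shapes from the replies, as applied inbound on fa0/0 (10.1.1.1/24).
STOP_PING = [                      # "deny icmp any any" / "permit ip any any"
    Ace("deny", "icmp", "any", "any"),
    Ace("permit", "ip", "any", "any"),
]
BLOCKPING = [                      # deny only echo requests aimed at the interface
    Ace("deny", "icmp", "any", "10.1.1.1/32", "echo"),
    Ace("permit", "ip", "any", "any"),
]
BLOCKPING_REPLY_ONLY = [           # same entry but matching echo-reply instead of echo
    Ace("deny", "icmp", "any", "10.1.1.1/32", "echo-reply"),
    Ace("permit", "ip", "any", "any"),
]

# Constructed packets arriving inbound on fa0/0 from a LAN host (constructed addresses).
PING_ROUTER = Packet("icmp", "10.1.1.50", "10.1.1.1", "echo")           # ping the interface
PING_TRANSIT = Packet("icmp", "10.1.1.50", "10.2.2.2", "echo")          # ping through the router
REPLY_TO_ROUTER = Packet("icmp", "10.1.1.50", "10.1.1.1", "echo-reply")  # answer to the router's own ping
TELNET_ROUTER = Packet("tcp", "10.1.1.50", "10.1.1.1")                  # non-ICMP traffic to the router


def verdicts(acl: list) -> dict:
    """Verdict per constructed packet for one ACL."""
    return {
        "ping_router": evaluate(acl, PING_ROUTER),
        "ping_transit": evaluate(acl, PING_TRANSIT),
        "reply_to_router": evaluate(acl, REPLY_TO_ROUTER),
        "telnet_router": evaluate(acl, TELNET_ROUTER),
    }


if __name__ == "__main__":
    for name, acl in (("STOP_PING", STOP_PING), ("BLOCKPING", BLOCKPING),
                      ("BLOCKPING_REPLY_ONLY", BLOCKPING_REPLY_ONLY)):
        print(name, verdicts(acl))
```

Running it shows the point of the last reply: STOP_PING drops the transit ping and the echo-reply along with the ping to the interface, BLOCKPING drops only the ping to the interface, and BLOCKPING_REPLY_ONLY lets the inbound ping through. All three permit the TCP packet to the router, which is the caveat Naidu raised about everything other than ping still crossing the interface.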
