02-26-2008 08:58 AM - edited 03-05-2019 09:23 PM
I want to prevent my border routers from responding to pings and traceroutes from outside addresses yet pass ICMP packets if I'm pinging from my internal addresses.
If I apply this ACL to my interface will it do what I need:
access-list 120 deny icmp any host 39.113.22.150 echo
Thanks
02-26-2008 09:38 AM
Hi
access-list 101 deny icmp any any echo
access-list 101 deny icmp any any traceroute
access-list 101 permit ip any any
int fa0/1
ip access-group 101 in
where fa0/1 is the outside interface of your border router.
HTH
Jon
02-26-2008 09:39 AM
Will that allow me to ping out from my internal network? I thought that if the destination is "any" then the outside interface would stop all ICMP requests.
02-26-2008 09:43 AM
Hi
The access-list is applied inbound to the outside interface so it will stop any echo requests from outside coming in.
But if you initiate a ping from inside the network then the packet that comes back inbound to the outside interface is not an echo request but an echo reply and you are not blocking echo replies with this access-list.
So in short, yes it will allow you to ping out :)
Jon
02-26-2008 10:13 AM
Thanks for the help.
02-26-2008 11:08 AM
You could also simply use reflexive lists.
ip access-list ext Outbound
permit ip any any reflect ReflexiveList
ip access-list ext Inbound
evaluate ReflexiveList
deny ip any any
Then to apply them to your outside interface:
ip access-group Inbound in
ip access-group Outbound out
That will only allow something back into your network that originated from within your network.
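The following is an added example, not code from the thread or from Cisco: a small Python model of how IOS evaluates the three ACLs posted above (the original poster's access-list 120, Jon's access-list 101, and the reflexive pair), so that the echo / echo-reply distinction, the implicit deny at the end of every ACL, and the reflexive session check can be confirmed against concrete packets. The router address 39.113.22.150 is taken from the question; the outside and inside hosts are constructed addresses, and the reflexive model is simplified as noted in its docstring.

```python
# Added example (not from the thread): a model of IOS ACL evaluation for the
# three access lists discussed above. Addresses other than the original
# poster's 39.113.22.150 are constructed for illustration.
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

# ICMP type numbers behind the IOS keywords used in the thread.
ECHO_REPLY, UNREACHABLE, ECHO, TTL_EXCEEDED = 0, 3, 8, 11
TRACEROUTE = 30  # the IOS 'traceroute' keyword matches this rarely used type

OUTSIDE_HOST = "203.0.113.10"   # constructed: a host on the Internet
BORDER_IF = "39.113.22.150"     # the router's outside address from the question
INSIDE_HOST = "10.0.0.5"        # constructed: a host on the internal LAN


@dataclass(frozen=True)
class Packet:
    proto: str                     # "icmp", "tcp" or "udp"
    src: str
    dst: str
    icmp_type: Optional[int] = None


@dataclass(frozen=True)
class Ace:
    """One access-control entry, e.g. 'deny icmp any any echo'."""
    action: str                    # "permit" or "deny"
    proto: str                     # "ip" matches any protocol
    src: str                       # "any" or a single host address
    dst: str
    icmp_type: Optional[int] = None

    def matches(self, pkt: Packet) -> bool:
        if self.proto != "ip" and self.proto != pkt.proto:
            return False
        if self.src != "any" and self.src != pkt.src:
            return False
        if self.dst != "any" and self.dst != pkt.dst:
            return False
        return self.icmp_type is None or self.icmp_type == pkt.icmp_type


def evaluate(acl: List[Ace], pkt: Packet) -> str:
    """First matching entry wins; an IOS ACL ends with an implicit deny."""
    for ace in acl:
        if ace.matches(pkt):
            return ace.action
    return "deny"


# The original poster's single line (access-list 120).
ACL_120 = [Ace("deny", "icmp", "any", BORDER_IF, ECHO)]

# Jon's access-list 101, applied inbound on the outside interface.
ACL_101 = [
    Ace("deny", "icmp", "any", "any", ECHO),
    Ace("deny", "icmp", "any", "any", TRACEROUTE),
    Ace("permit", "ip", "any", "any"),
]


class ReflexiveAcl:
    """Stateful model of 'permit ip any any reflect X' and 'evaluate X'.

    Real reflexive entries also carry the layer-4 ports and age out
    (default 300 s); this model keys on protocol and the address pair only.
    """

    def __init__(self) -> None:
        self.sessions: Set[Tuple[str, str, str]] = set()

    def outbound(self, pkt: Packet) -> str:
        # permit ip any any reflect ReflexiveList: record the mirrored flow
        self.sessions.add((pkt.proto, pkt.dst, pkt.src))
        return "permit"

    def inbound(self, pkt: Packet) -> str:
        # evaluate ReflexiveList, then deny ip any any
        if (pkt.proto, pkt.src, pkt.dst) in self.sessions:
            return "permit"
        return "deny"


# Packets arriving inbound on the outside interface (all constructed).
PING_FROM_OUTSIDE = Packet("icmp", OUTSIDE_HOST, BORDER_IF, ECHO)
REPLY_TO_INSIDE_PING = Packet("icmp", OUTSIDE_HOST, INSIDE_HOST, ECHO_REPLY)
TTL_EXCEEDED_TO_INSIDE = Packet("icmp", OUTSIDE_HOST, INSIDE_HOST, TTL_EXCEEDED)
UDP_PROBE_FROM_OUTSIDE = Packet("udp", OUTSIDE_HOST, BORDER_IF)
WEB_REPLY_TO_INSIDE = Packet("tcp", OUTSIDE_HOST, INSIDE_HOST)


def reflexive_demo() -> Tuple[str, str]:
    """Echo reply is denied until the inside host's echo request has gone out."""
    acl = ReflexiveAcl()
    before = acl.inbound(REPLY_TO_INSIDE_PING)
    acl.outbound(Packet("icmp", INSIDE_HOST, OUTSIDE_HOST, ECHO))
    after = acl.inbound(REPLY_TO_INSIDE_PING)
    return before, after


if __name__ == "__main__":
    for name, pkt in [("echo request", PING_FROM_OUTSIDE),
                      ("echo reply", REPLY_TO_INSIDE_PING),
                      ("ttl exceeded", TTL_EXCEEDED_TO_INSIDE),
                      ("udp probe", UDP_PROBE_FROM_OUTSIDE),
                      ("tcp reply", WEB_REPLY_TO_INSIDE)]:
        print(f"{name:13} acl 120: {evaluate(ACL_120, pkt):6} acl 101: {evaluate(ACL_101, pkt)}")
    print("reflexive before/after outbound ping:", reflexive_demo())
```

Running the model shows the two points made in the thread: with access-list 101 an inbound echo request is denied while the echo reply (and the TTL-exceeded messages an inside traceroute depends on) are permitted, and with the reflexive pair the same reply is denied until the inside host's own request has created a session entry. It also makes the implicit deny visible: the single line in access-list 120, applied on its own, denies the TCP and UDP return traffic as well, which is why Jon's version ends with `permit ip any any`. Note that the IOS `traceroute` keyword matches ICMP type 30, which common traceroute implementations do not use; a UDP-based traceroute aimed at the router still passes the `permit ip any any` line and the router will answer it with port-unreachables.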