Prevent Pings from outside addresses

rolandshum
Level 1

I want to prevent my border routers from responding to pings and traceroutes from outside addresses yet pass ICMP packets if I'm pinging from my internal addresses.

If I apply this ACL to my interface will it do what I need:

access-list 120 deny icmp any host 39.113.22.150 echo

Thanks


5 Replies

Jon Marshall
Hall of Fame

Hi

access-list 101 deny icmp any any echo

access-list 101 deny icmp any any traceroute

access-list 101 permit ip any any

int fa0/1

ip access-group 101 in

where fa0/1 is the outside interface of your border router.

HTH

Jon

Will that allow me to ping out from my internal network? I thought that if the destination is "any", the outside interface would stop all ICMP requests.

Hi

The access-list is applied inbound to the outside interface so it will stop any echo requests from outside coming in.

But if you initiate a ping from inside the network then the packet that comes back inbound to the outside interface is not an echo request but an echo reply and you are not blocking echo replies with this access-list.

So in short, yes it will allow you to ping out :)

Jon

Thanks for the help.

You could also simply use reflexive lists.

ip access-list ext Outbound

permit ip any any reflect ReflexiveList

ip access-list ext Inbound

evaluate ReflexiveList

deny ip any any

Then to apply them to your outside interface:

ip access-group Inbound in

ip access-group Outbound out

That will only allow something back into your network that originated from within your network.
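As an added example (not code from this thread or from Cisco), here is a small Python model of the two designs discussed above: Jon's stateless ACL 101 and the reflexive Inbound/Outbound pair. The addresses are constructed, and the reflexive mirror-entry match is a deliberately simplified model of IOS behaviour. It shows why the echo reply to an inside-originated ping passes ACL 101 while an outside echo request does not, and that only the reflexive list also rejects an unsolicited echo reply.

```python
from dataclasses import dataclass

ECHO_REPLY, ECHO = 0, 8            # ICMP type numbers (RFC 792)
OUTSIDE = "203.0.113.7"            # constructed addresses (RFC 5737 ranges)
INSIDE = "198.51.100.20"

@dataclass(frozen=True)
class Pkt:
    src: str
    dst: str
    proto: str                     # "icmp", "tcp", ...
    icmp_type: int = -1            # -1 for non-ICMP packets

def acl_101_inbound(p: Pkt) -> bool:
    """Stateless ACL 101 from Jon's reply: top-down, first match wins.
    Only the echo rule is modelled; it is the one that decides ping behaviour."""
    if p.proto == "icmp" and p.icmp_type == ECHO:   # deny icmp any any echo
        return False
    return True                                     # permit ip any any

class ReflexivePair:
    """Outbound 'permit ... reflect' records a mirrored temporary entry; inbound
    'evaluate' passes only matching packets, then 'deny ip any any'.
    Simplified model: an outbound echo request expects an echo reply back."""
    def __init__(self) -> None:
        self.entries: set = set()

    def outbound(self, p: Pkt) -> bool:
        expect = ECHO_REPLY if p.icmp_type == ECHO else p.icmp_type
        self.entries.add((p.dst, p.src, p.proto, expect))   # mirrored flow
        return True

    def inbound(self, p: Pkt) -> bool:
        # no matching entry -> falls through to 'deny ip any any'
        return (p.src, p.dst, p.proto, p.icmp_type) in self.entries

def scenario(filter_in, filter_out=None):
    """Return (outside-originated echo allowed?, reply to an inside ping allowed?)."""
    outside_req = Pkt(OUTSIDE, INSIDE, "icmp", ECHO)
    inside_req = Pkt(INSIDE, OUTSIDE, "icmp", ECHO)
    reply = Pkt(OUTSIDE, INSIDE, "icmp", ECHO_REPLY)
    if filter_out is not None:
        filter_out(inside_req)             # the inside host pings out first
    return filter_in(outside_req), filter_in(reply)

def stateless_results():
    return scenario(acl_101_inbound)               # (False, True)

def reflexive_results():
    r = ReflexivePair()
    return scenario(r.inbound, r.outbound)         # (False, True)
```

The difference shows up on traffic nobody asked for: `acl_101_inbound` passes an echo reply that no inside host solicited, whereas `ReflexivePair().inbound` drops it because no outbound packet created a mirror entry.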
