
New Member

Need Access List Help Please

Would any Cisco experts be able to lend a hand with the following ACL requirements that I need to implement on a Cisco router at work?

1. Block all inbound ICMP messages with the exception of Echo Reply (type 0) and Time Exceeded (type 11). ICMP message type 3, code 4, is permitted inbound with the following exception: it must be denied from external access gateway (AG) addresses, otherwise permitted.

2. Also block all outbound ICMP message types except Echo Request (type 8), Parameter Problem (type 12), Source Quench (type 4), and Destination Unreachable - Fragmentation Needed and Don't Fragment was Set (type 3, code 4).

3. Also block all inbound traceroutes to prevent network discovery by unauthorized users.

Thanks for any help!

Hall of Fame Super Blue

Re: Need Access List Help Please


Couple of points.

1) ICMP-based traceroute will be blocked by your inbound access-list as there is a general "deny icmp any any" catch-all in there.

2) For this example I have allocated the address as the external access gateway.

3) I have used any any in the access-lists. You can obviously narrow this down if you want.

4) I have included a "permit ip any any" at the end of each access-list as there is an implicit deny, so all non-ICMP traffic would be blocked without this.

5) Destination unreachable is actually 3 - host/network/port unreachable. I've permitted them all.

Inbound access-list

ip access-list extended icmptypes_in
 10 permit icmp any any echo-reply
 20 permit icmp any any time-exceeded
 30 deny icmp host any packet-too-big
 40 permit icmp any any packet-too-big
 50 deny icmp any any
 60 permit ip any any

Interface config mode:-

ip access-group icmptypes_in in

Outbound access-list

ip access-list extended icmptypes_out
 10 permit icmp any any echo
 20 permit icmp any any parameter-problem
 30 permit icmp any any source-quench
 40 permit icmp any any packet-too-big
 50 permit icmp any any host-unreachable
 60 permit icmp any any net-unreachable
 70 permit icmp any any port-unreachable
 80 deny icmp any any
 90 permit ip any any

Interface config mode:-

ip access-group icmptypes_out out
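As an added example (not code from the thread or from Cisco), the following Python models how IOS evaluates the two lists above: entries are tried in order, the first match decides, and anything unmatched hits the implicit deny. The access-gateway address, left unspecified in the post, is stood in for by the placeholder AG_ADDR; the packets and addresses are constructed samples.

```python
# Added example, not from the thread: first-match evaluation of the two
# access-lists above against constructed packets.
# IOS ICMP keyword -> (type, code); code None matches any code.
ICMP_NAMES = {
    "echo-reply": (0, None), "echo": (8, None), "time-exceeded": (11, None),
    "packet-too-big": (3, 4), "net-unreachable": (3, 0),
    "host-unreachable": (3, 1), "port-unreachable": (3, 3),
    "source-quench": (4, None), "parameter-problem": (12, None),
}
# Placeholder for the access-gateway address that the post leaves unspecified.
AG_ADDR = "192.0.2.10"

# Entries as (action, protocol, source, destination, icmp keyword or None).
ICMPTYPES_IN = [
    ("permit", "icmp", "any", "any", "echo-reply"),
    ("permit", "icmp", "any", "any", "time-exceeded"),
    ("deny", "icmp", AG_ADDR, "any", "packet-too-big"),
    ("permit", "icmp", "any", "any", "packet-too-big"),
    ("deny", "icmp", "any", "any", None),
    ("permit", "ip", "any", "any", None),
]
ICMPTYPES_OUT = [("permit", "icmp", "any", "any", k) for k in (
    "echo", "parameter-problem", "source-quench", "packet-too-big",
    "host-unreachable", "net-unreachable", "port-unreachable")] + [
    ("deny", "icmp", "any", "any", None), ("permit", "ip", "any", "any", None)]

def evaluate(acl, pkt):
    """Return the action of the first entry matching pkt (implicit deny if none)."""
    for action, proto, src, dst, icmp_name in acl:
        if proto != "ip" and proto != pkt["proto"]:
            continue
        if src != "any" and src != pkt["src"]:
            continue
        if dst != "any" and dst != pkt["dst"]:
            continue
        if icmp_name is not None:  # entry carries an ICMP type/code qualifier
            t, c = ICMP_NAMES[icmp_name]
            if pkt.get("type") != t or (c is not None and pkt.get("code") != c):
                continue
        return action
    return "deny"  # every IOS access-list ends with an implicit deny

def icmp(src, icmp_type, code=0, dst="10.0.0.5"):
    """Constructed sample ICMP packet (addresses are documentation ranges)."""
    return {"proto": "icmp", "src": src, "dst": dst, "type": icmp_type, "code": code}

if __name__ == "__main__":
    for src in (AG_ADDR, "198.51.100.7"):  # frag-needed from the AG vs. elsewhere
        print(src, evaluate(ICMPTYPES_IN, icmp(src, 3, 4)))  # deny, then permit
    print(evaluate(ICMPTYPES_IN, icmp("198.51.100.7", 8)))  # deny: inbound ping probe
```

Running it shows why the reply's point 1 holds: an inbound Echo Request never reaches a permit entry, while a TCP or UDP packet falls through to "permit ip any any".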