Access Lists

michael.steiner · ‎08-20-2002

All,

I know this is an easy one, but I am new at this and need some help. I have a cisco 2600 running 12.0.21a and it is the connection between my ISP's router and my network. Currently you can ping it and I would like to prevent it from responding to pings, if you guys think thats advisable?

I have entered the following in conf t mode:

HG-Internet(config)#access-list 101 deny icmp any any echo

HG-Internet(config)#access-list 101 deny icmp any any echo-reply

HG-Internet(config)#^Z

And then did a copy run start.

The problem is I can still ping this thing from anywhere. Do I need to reload the config? or is it my syntax?

Any help would be appreciated.

stphillips · ‎08-20-2002

Did you actually apply the access-list to an interface? I do not see that in the config. If the interface you wanted to apply it to was s0 the config would be

conf t

int s 0

ip access-group 101 in

Hope this helps

michael.steiner · ‎08-20-2002

No I did not apply it to an interface. However I just applied the following to e 0/0

conf t

int e 0/0 ip access-group 101 in

HG-Internet(config)#access-list 101 deny icmp any any echo

HG-Internet(config)#access-list 101 deny icmp any any echo-reply

Then I went to ping it and it was still pingable. What was interesting though was that the other machines and switch with public addresses no longer were accessible either by ping, telnet or vpn connection.

Should an access list such as this be applied to the serial interface? and if so I do not want it to make my other devices unaccessible.

Thanks

stphillips · ‎08-21-2002

If you don't want people to ping from the outside into your network, place the access-list on the interface that connects you to the Internet in this fashion

conf t

int s whatever you are using

ip access-group 101 in

Remember that access-lists have an implied deny everthing at the end so you need to put a permit statement at the end to allow all of the rest of the traffic in. Hope this helps.