ACLs and ping and Telnet

dcoronel
Level 1

Is there a way to deny host A from pinging host B while allowing host B to ping host A using standard ACLs?

And also, is there also a way to deny host A from telneting to host B while allowing host B to telnet into host A using extended ACLs?

4 Replies

daniel.bowen
Level 1

On host A: (assume host A IP is 10.1.1.1 & host B IP is 20.1.1.1)

access-list 101 deny tcp host 10.1.1.1 host 20.1.1.1 eq icmp

access-list 101 permit ip host 10.1.1.1 host 20.1.1.1

If this is applied to Router A then ICMP access from Host A will be denied, but all other traffic will be permitted.

Remember that both hosts must be separated by the router; if they are both on the same subnet then the router won't come into play.

Hope this has helped

Daniel,

ralphcarey
Level 1

You can't deny just ping traffic with a standard access list, it is all or nothing.

Also, the extended ACL to allow the one-way telneting would be:

access-l 100 deny tcp host A host B eq telnet

access-l 100 permit ip any any

Assuming you have a configuration something like hostA - rtr - hostB, then access-l 100 should be put on the inbound interface closest to hostA.

This would stop the telnet traffic from A to B because the source address is A, the destination address is B and the destination port is telnet (23). It would have no effect on telnet from B to A because the access-l is inbound and there would not be a match on source & destination addresses anyway.

Gilles Dufour
Cisco Employee

The previous 2 answers are completely wrong.

First, icmp does not use TCP. So, the access-list 'acc 101 deny tcp .. eq icmp' is a BIG mistake.

Then, yes you can achieve what you want. Just filter icmp echo packet but not echo reply.

i.e.:

acc 101 deny icmp host A host B echo

acc 101 permit ip any any

For telnet, you would do:

acc 101 deny tcp host A host B eq telnet

acc 101 permit ip any any

gdufour

Perhaps you could, for the benefit of the rest of the universe, point out the 'wrong' part of my answer.

I did not suggest a solution for ping because the question was about preventing pings with a standard ACL, not the extended ACL that you propose.

The solution for preventing telnet is the same as you have suggested.

Obviously ICMP does not use tcp, I did not suggest otherwise.
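Putting the thread's answer together as one applied configuration (an added example, not posted by anyone in the thread). It assumes the addresses from daniel.bowen's reply, 10.1.1.1 for host A and 20.1.1.1 for host B, an assumed interface name GigabitEthernet0/0 facing host A, and the hostA - rtr - hostB topology ralphcarey describes; the ACL name FROM-A is also an assumption.

```cisco
! Added example, not from any poster. Assumed topology:
! host A 10.1.1.1 --- Gi0/0 [router] Gi0/1 --- host B 20.1.1.1
! The list is applied INBOUND on the interface facing host A, so the
! only packets it ever evaluates are the ones sourced from A's side.
!
ip access-list extended FROM-A
 remark A may not start a ping toward B: drop only ICMP echo requests
 deny   icmp host 10.1.1.1 host 20.1.1.1 echo
 remark B's pings to A still work: A's echo-replies do not match the deny
 permit icmp host 10.1.1.1 host 20.1.1.1 echo-reply
 remark A may not open Telnet to B (destination port 23)
 deny   tcp  host 10.1.1.1 host 20.1.1.1 eq telnet
 remark B's Telnet sessions to A still work: A's return segments carry
 remark SOURCE port 23 and an ephemeral destination port, so they fall through
 permit ip any any
!
interface GigabitEthernet0/0
 description facing host A
 ip access-group FROM-A in
!
! Nothing is applied on the interface facing host B, so everything B
! originates toward A passes untouched; only A's replies cross FROM-A.
```

After pinging and telnetting from each host, `show ip access-lists FROM-A` shows per-entry match counters, which confirms which line each packet type hit. The ICMP rule only distinguishes echo from echo-reply by type; a standard ACL cannot express either distinction, as ralphcarey notes.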
