
New Member

ACLs and ping and Telnet

Is there a way to deny host A from pinging host B while allowing host B to ping host A using standard ACLs?

And also, is there also a way to deny host A from telneting to host B while allowing host B to telnet into host A using extended ACLs?

4 REPLIES
New Member

Re: ACLs and ping and Telnet

On host A: (assume host A IP is 10.1.1.1 & host B IP is 20.1.1.1)

access-list 101 deny tcp host 10.1.1.1 host 20.1.1.1 eq icmp

access-list 101 permit ip host 10.1.1.1 host 20.1.1.1

If this is applied to Router A then ICMP access from Host A will be denied, but all other traffic will be permitted.

Remember that both hosts must be separated by the router; if they are both on the same subnet, the router won't come into play.

Hope this has helped

Daniel,

New Member

Re: ACLs and ping and Telnet

You can't deny just ping traffic with a standard access list, it is all or nothing.

Also, the extended ACL to allow the one-way telneting would be:

access-l 100 deny tcp host A host B eq telnet

access-l 100 permit ip any any

Assuming you have a configuration something like hostA - rtr - hostB, then access-l 100 should be put on the inbound interface closest to hostA.

This would stop the telnet traffic from A to B because the source address is A, the destination address is B and the destination port is telnet (23). It would have no effect on telnet from B to A because the access-l is inbound and there would not be a match on source & destination addresses anyway.

Cisco Employee

Re: ACLs and ping and Telnet

The previous 2 answers are completely wrong.

First, icmp does not use TCP. So, the access-list 'acc 101 deny tcp .. eq icmp' is a BIG mistake.

Then, yes, you can achieve what you want. Just filter icmp echo packets but not echo replies.

i.e.:

acc 101 deny icmp host A host B echo

acc 101 permit ip any any

For telnet, you would do:

acc 101 deny tcp host A host B eq telnet

acc 101 permit ip any any
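As an added illustration (not code from any reply in this thread): a minimal Python model of how an IOS extended ACL matches packets, used to check the echo/echo-reply and telnet rules above. The host addresses 10.1.1.1 (A) and 20.1.1.1 (B) are the constructed ones from the first reply, and the model is simplified (host entries only, no wildcard masks, no `established`).

```python
from dataclasses import dataclass
from typing import Optional

# Constructed addresses: host A and host B as used in the first reply.
HOST_A, HOST_B = "10.1.1.1", "20.1.1.1"

@dataclass(frozen=True)
class Packet:
    proto: str                       # "icmp" or "tcp"
    src: str
    dst: str
    dport: Optional[int] = None      # TCP destination port
    icmp_type: Optional[str] = None  # "echo" or "echo-reply"

@dataclass(frozen=True)
class Ace:
    action: str                      # "permit" or "deny"
    proto: str                       # "ip" matches any protocol
    src: str                         # "any" or a host address
    dst: str
    dport: Optional[int] = None      # the "eq <port>" qualifier
    icmp_type: Optional[str] = None  # ICMP type keyword, e.g. "echo"

def ace_matches(ace: Ace, pkt: Packet) -> bool:
    """One access-list entry: every qualifier present must match."""
    if ace.proto != "ip" and ace.proto != pkt.proto:
        return False                 # a 'tcp' entry never matches ICMP
    if ace.src != "any" and ace.src != pkt.src:
        return False
    if ace.dst != "any" and ace.dst != pkt.dst:
        return False
    if ace.dport is not None and ace.dport != pkt.dport:
        return False
    return ace.icmp_type is None or ace.icmp_type == pkt.icmp_type

def evaluate(acl: list[Ace], pkt: Packet) -> str:
    """First matching entry wins; an IOS ACL ends with an implicit deny."""
    for ace in acl:
        if ace_matches(ace, pkt):
            return ace.action
    return "deny"

# The working rules from the reply above, applied inbound on the interface
# facing host A, so only traffic sourced by A is ever evaluated here.
ACL_101 = [
    Ace("deny", "icmp", HOST_A, HOST_B, icmp_type="echo"),
    Ace("deny", "tcp", HOST_A, HOST_B, dport=23),
    Ace("permit", "ip", "any", "any"),
]
```

A's echo-replies and A's TCP replies (destination port is B's ephemeral port, not 23) fall through to the permit, which is why B's ping and telnet to A still work.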

New Member

Re: ACLs and ping and Telnet

gdufour

Perhaps you could, for the benefit of the rest of the universe, point out the 'wrong' part of my answer.

I did not suggest a solution for ping because the question was about preventing pings with a standard ACL, not the extended ACL that you propose.

The solution for preventing telnet is the same as you have suggested.

Obviously ICMP does not use tcp, I did not suggest otherwise.
