Cisco Support Community

block icmp

This is my config to stop ICMP, which is not working:

access-list 101 permit ip any any
access-list 101 deny icmp any any
int s0
ip access-group 101 in
ip access-group 101 out

Even after the above config I'm receiving a lot of junk ICMP.

I don't want any ICMP packets coming in, nor any response given by my router to ICMP packets.

But I should always be able to ping others.

How do I do it?

Do I have to set anything else on the Ethernet too?




Re: block icmp

Hello Ramp.

The access list checks for the first match and then breaks out. In your access list, the first match is to permit any IP packet, so the second line, deny icmp, is never checked. If you change the order of the access list to:

access-list 101 deny icmp any any
access-list 101 permit ip any any

the ICMP traffic should be blocked. It is just the way access lists work: if they find a match, they do not look further down in the access list.




Re: block icmp


I agree with what GP said. Reverse the order of the commands in your access-list and it will work fine.

The "ip" part of your "access-list 101 permit ip any any" command includes TCP, UDP, and ICMP protocols. That's how the ICMP traffic was getting through.

If your access-list had been written differently, such as

access-list 101 permit tcp any any
access-list 101 permit udp any any
access-list 101 deny icmp any any

then it would have worked.

It's generally a good idea to put your "deny" commands close to the top of the access-list, to be sure they take precedence over "permits". Just be careful not to deny more than you want to.

Hope this helps.

Edited to add:

If you want to control the type of ICMP traffic that's allowed in and out of the Serial0 interface, you can create two access-lists, one for inbound and the other for outbound traffic.

For example, if you want to be able to ping from your Ethernet LAN through the router and out the serial interface and get replies back, but keep people on the outside from pinging into your Ethernet LAN from the serial side, you could do this:

access-list 102 deny icmp any any echo
access-list 102 permit icmp any any echo-reply
access-list 102 permit ip any any
access-list 103 permit icmp any any echo
access-list 103 deny icmp any any echo-reply
access-list 103 permit ip any any
interface Serial0
ip access-group 102 in
ip access-group 103 out

Note that in access-list 102, the second line that permits the echo-reply is not really needed, since the last line in that access-list permits ip (TCP, UDP, and ICMP) and would also allow it. But sometimes it is useful to list a command anyway; for example, if you want to see whether that specific line is being matched. (You would see this with the "show ip access-list 102" command.)

And access-list 103 could be re-written to put the "deny icmp echo-reply" command first, if you wanted to.

No need to put anything on your Ethernet0 interface, unless you want to. If you wanted to be redundant, you could apply the same ACLs:

interface Ethernet0
ip access-group 102 out
ip access-group 103 in

Note that the direction (in/out) changes, since the traffic being permitted or denied in my example is coming into the router from another direction. In this scenario, you would want to allow your ping echoes to enter the router from the LAN side so that they could exit out the Serial0 interface; and you would want to allow the echo-replies to come back.
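The two replies above both rest on the same mechanism: an IOS extended ACL is walked top to bottom, the first matching line decides, and anything that matches nothing hits the implicit deny at the end. The following is an added example, not code from this thread or from Cisco: a small Python simulator of that first-match behaviour, fed with the original poster's ACL 101, the reordered ACL 101 from the first reply, and the 102/103 inbound/outbound pair from the second reply. It parses only the subset of the syntax used here ("access-list N permit|deny PROTO any any [ICMP-TYPE]"), ignores source and destination addresses entirely, and treats ICMP type names as opaque strings; the `Packet`, `AclEntry`, `parse_acl`, `evaluate` and `ping_allowed` names are its own.

```python
"""Toy simulator of Cisco IOS extended-ACL first-match semantics.

Added example for this thread; not Cisco code.  Only the subset of the
access-list syntax used in the thread is supported, addresses are ignored,
and an implicit "deny ip any any" ends every ACL, as on IOS.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str                        # "tcp", "udp", "icmp", "gre", ...
    icmp_type: Optional[str] = None   # "echo", "echo-reply", ... for ICMP only


@dataclass(frozen=True)
class AclEntry:
    action: str                # "permit" or "deny"
    proto: str                 # "ip" matches every IP protocol, ICMP included
    icmp_type: Optional[str]   # None = any ICMP type (or not an ICMP entry)

    def matches(self, pkt: Packet) -> bool:
        if self.proto != "ip" and self.proto != pkt.proto:
            return False
        if self.icmp_type is not None and self.icmp_type != pkt.icmp_type:
            return False
        return True


def parse_acl(config: List[str]) -> Dict[int, List[AclEntry]]:
    """Group 'access-list N ...' lines by ACL number, preserving their order."""
    acls: Dict[int, List[AclEntry]] = {}
    for line in config:
        tokens = line.split()
        if len(tokens) < 6 or tokens[0] != "access-list":
            continue  # blank lines, interface commands, anything else
        if tokens[2] not in ("permit", "deny") or tokens[4:6] != ["any", "any"]:
            raise ValueError(f"unsupported entry: {line!r}")
        icmp_type = tokens[6] if len(tokens) > 6 else None
        acls.setdefault(int(tokens[1]), []).append(AclEntry(tokens[2], tokens[3], icmp_type))
    return acls


def evaluate(acl: List[AclEntry], pkt: Packet) -> Tuple[str, Optional[int]]:
    """First matching entry wins; a packet that matches nothing hits the implicit deny."""
    for index, entry in enumerate(acl):
        if entry.matches(pkt):
            return entry.action, index
    return "deny", None


def ping_allowed(acl_in: List[AclEntry], acl_out: List[AclEntry], from_inside: bool) -> bool:
    """Can a ping complete through an interface that carries acl_in / acl_out?

    from_inside=True: the echo leaves via the outbound ACL and the reply returns
    via the inbound ACL.  from_inside=False: an outsider's echo arrives via the
    inbound ACL and the reply would have to leave via the outbound ACL.
    """
    echo, reply = Packet("icmp", "echo"), Packet("icmp", "echo-reply")
    if from_inside:
        return evaluate(acl_out, echo)[0] == "permit" and evaluate(acl_in, reply)[0] == "permit"
    return evaluate(acl_in, echo)[0] == "permit" and evaluate(acl_out, reply)[0] == "permit"


# The original poster's ACL (permit ip first) and the reordered version.
ORIGINAL_101 = parse_acl(["access-list 101 permit ip any any",
                          "access-list 101 deny icmp any any"])[101]
FIXED_101 = parse_acl(["access-list 101 deny icmp any any",
                       "access-list 101 permit ip any any"])[101]

# The directional pair from the second reply: 102 inbound, 103 outbound on Serial0.
DIRECTIONAL = parse_acl([
    "access-list 102 deny icmp any any echo",
    "access-list 102 permit icmp any any echo-reply",
    "access-list 102 permit ip any any",
    "access-list 103 permit icmp any any echo",
    "access-list 103 deny icmp any any echo-reply",
    "access-list 103 permit ip any any",
])

# The "permit tcp / permit udp / deny icmp" variant (constructed as ACL 104 here):
# anything that is neither TCP, UDP nor ICMP falls through to the implicit deny.
TCP_UDP_ONLY = parse_acl(["access-list 104 permit tcp any any",
                          "access-list 104 permit udp any any",
                          "access-list 104 deny icmp any any"])[104]

if __name__ == "__main__":
    echo = Packet("icmp", "echo")
    print("original 101, ICMP echo:", evaluate(ORIGINAL_101, echo))   # ('permit', 0)
    print("fixed 101, ICMP echo:   ", evaluate(FIXED_101, echo))      # ('deny', 0)
    print("ping out from LAN:      ", ping_allowed(DIRECTIONAL[102], DIRECTIONAL[103], True))   # True
    print("ping in from outside:   ", ping_allowed(DIRECTIONAL[102], DIRECTIONAL[103], False))  # False
    print("GRE under tcp/udp-only: ", evaluate(TCP_UDP_ONLY, Packet("gre")))  # ('deny', None)
```

Two things the simulator makes visible that are easy to miss when reading the configs: with the reordered ACL 101 applied in both directions, `ping_allowed(FIXED_101, FIXED_101, True)` is False, so the poster's own pings would stop working too, which is exactly why the second reply splits the policy into an inbound and an outbound list; and the "permit tcp / permit udp / deny icmp" variant silently drops every other IP protocol (GRE, ESP, routing protocols) at the implicit deny, which is the "be careful not to deny more than you want to" caveat in concrete form. The simulator ignores addresses and ICMP types it was not shown, so treat it as a model of ordering, not a substitute for `show ip access-list` on the router.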
