ICMP disable in Router

Anand Narayana
Level 6

I want to disable ICMP on my internet router from the outside interface (the serial interface). It is a Cisco 1751 router. How do I do that?

9 Replies

dsoderstrom
Level 1

Apply an ACL to the serial interface, looking something like this:

! Let the useful ICMP messages in, drop the rest (including echo/ping)
access-list 110 permit icmp any any echo-reply
access-list 110 permit icmp any any unreachable
access-list 110 permit icmp any any time-exceeded
access-list 110 deny icmp any any
! Apply inbound on the Internet-facing serial interface
int s0/0
 ip access-group 110 in

BR

Daniel

I would add a couple of comments to the good suggestion that Daniel makes.

First, to confirm: if you want to eliminate or deny ICMP, then an inbound ACL is what you need to use. Second, I would emphasize something that is subtly present in Daniel's answer: eliminating ALL ICMP may be counter-productive. There are messages in ICMP that are helpful and you want to let them through (like unreachable and time-exceeded).

Third, I would point out that if you apply the ACL as Daniel suggests it (inbound on your Internet interface) you will deny all TCP traffic, all UDP traffic, any routing protocols, etc. You need to permit other traffic after you have dealt with ICMP.

HTH

Rick


Thanks Rick, for your addition!

Making an ACL for your incoming internet connection is not an easy thing. Check the link below; it's one of many which could give you a hint or two about what's good to add to your ACL.

http://www.cisco.com/warp/public/707/tacl.html

BR

Daniel

My requirement is...

I want to telnet/SSH to this router, but I should not be able to ping this router from the internet. Currently what Daniel has suggested works fine, but telnet is not working. Also, if required, I would like to access the router over HTTP/HTTPS.

Ok, good

If you want SSH access, try adding

permit 110 ip any router-external-ip eq 22

Telnet is the same but with eq telnet or 21. I do recommend SSH.

HTTP/HTTPS: eq 80 and 443.

I hope it helps!

BR

Daniel

Daniel

A couple of corrections:

- for SSH it would be permit tcp any router-external-ip eq 22 not permit ip.

- for telnet it would be permit tcp any router-external-ip eq 23 not eq 21.

HTH

Rick

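The inbound ACL that the thread converges on, written out in full as an added example (this is not configuration posted by Daniel, Rick or anyone else in the thread). It combines the three points made so far: keep the useful ICMP error messages, drop echo (ping), allow SSH to the router itself as TCP with the corrected syntax, and then permit the other traffic an inbound ACL would otherwise silently block. The router's external address 203.0.113.1 (a TEST-NET-3 address) and the interface name Serial0/0 are assumptions; substitute your own.

```cisco
! Added example, not from the original thread.
! 203.0.113.1 = the router's external address (assumed); Serial0/0 = WAN interface (assumed).
!
! 1. ICMP messages that hosts behind the router, and the router itself, need to receive.
!    "unreachable" is all of type 3, so it already covers "fragmentation needed but DF set"
!    (type 3, code 4), the message path MTU discovery depends on.
access-list 110 permit icmp any any echo-reply
access-list 110 permit icmp any any unreachable
access-list 110 permit icmp any any time-exceeded
! 2. Every other ICMP message, including echo (ping) aimed at the router, is dropped.
access-list 110 deny   icmp any any
! 3. Management access to the router itself: SSH only, TCP, to the router's own address
!    ("host", "tcp" and "eq 22" as in Rick's correction). Narrow "any" to your
!    management prefix if you have one; scan bots will find an open port 22 regardless.
access-list 110 permit tcp any host 203.0.113.1 eq 22
! 4. Anything else aimed at the router itself (telnet, http, https, ...) is dropped here,
!    before the broader permits below can let it through.
access-list 110 deny   ip any host 203.0.113.1
! 5. Rick's third point: without this line the inbound ACL drops all TCP replies to sessions
!    started from inside. UDP replies (DNS etc.), inbound services you publish, and any
!    routing protocol spoken with the ISP still need their own permit lines here.
access-list 110 permit tcp any any established
! 6. The implicit deny at the end, written out with "log" so drops show up in syslog.
access-list 110 deny   ip any any log
!
interface Serial0/0
 ip access-group 110 in
```

To check it is doing what you expect, run `show access-lists 110` after applying it: each line carries a hit counter, so a ping from the Internet should increment the `deny icmp any any` line while an SSH login increments the `permit tcp ... eq 22` line. Note that `established` only matches TCP flags (ACK/RST), it is not stateful; if you need UDP return traffic or reflexive behaviour you need explicit permits or a stateful inspection feature rather than more lines in this list.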

Oops, my bad.

Thx Rick

BR

Daniel

Actually, you have mentioned a particular router IP to which I should be able to telnet or SSH, but my requirement is: I don't want to be able to ping my router, but I should be able to telnet or SSH to the router from any internet PC.

I'd suggest you get over the commonly mistaken idea that ICMP is an inherently bad-intentioned protocol and that its suppression makes your device invisible. As rburts pointed out, there are several necessary error codes provided by ICMP: TTL exceeded, fragmentation needed but DF set, etc. Furthermore, if you accept SSH from any arbitrary host on the internet you're going to expose yourself to incessant login attempts from all the SSH scan bots, which are in no way dependent on ICMP.