Cisco Support Community

ICMP disable in Router

I wanted to disable ICMP in my internet router from the outside interface (serial interface), which is a Cisco 1751 router. How do I do that?

9 REPLIES
New Member

Re: ICMP disable in Router

Apply an ACL to the serial interface, looking something like this:

access-list 110 permit icmp any any echo-reply

access-list 110 permit icmp any any unreachable

access-list 110 permit icmp any any time-exceeded

access-list 110 deny icmp any any

int s0/0

ip access-group 110 in

BR

Daniel

Hall of Fame Super Silver

Re: ICMP disable in Router

I would add a couple of comments to the good suggestion that Daniel makes.

First is to confirm that if you want to eliminate or deny ICMP then an inbound acl is what you need to use. Second I would emphasize something that is subtly present in Daniel's answer: eliminating ALL ICMP may be counter-productive. There are messages in ICMP that are helpful and you want to let them through (like unreachable and time-exceeded).

Third I would point out that if you apply the acl as Daniel suggests it (inbound on your Internet interface) you will deny all TCP traffic, all UDP traffic, any routing protocols, etc. You need to permit other traffic after you have dealt with ICMP.

HTH

Rick

New Member

Re: ICMP disable in Router

Thanks Rick, for your addition!

Making an ACL for your incoming internet connection is not an easy thing. Check the link below; it's one of many which could give you a hint or two about what's good to add to your ACL.

http://www.cisco.com/warp/public/707/tacl.html

BR

Daniel

Re: ICMP disable in Router

My requirement is...

I wanted to telnet/SSH to this router, but I should not ping this router from the internet. Currently what Daniel has suggested works fine, but telnet is not happening. Also, if required, I also wanted to access the router via HTTP/HTTPS.

New Member

Re: ICMP disable in Router

Ok, good

If you want SSH access, try adding

permit 110 ip any router-external-ip eq 22

telnet same but eq telnet or 21. I do recommend SSH.

HTTP/HTTPS eq 80 and 443

I hope it helps!

BR

Daniel

Hall of Fame Super Silver

Re: ICMP disable in Router

Daniel

A couple of corrections:

- for SSH it would be permit tcp any router-external-ip eq 22 not permit ip.

- for telnet it would be permit tcp any router-external-ip eq 23 not eq 21.

HTH

Rick

New Member

Re: ICMP disable in Router

Oops my bad.

Thx Rick

BR

Daniel

Re: ICMP disable in Router

Actually, you have mentioned a particular router IP where I should be able to telnet or SSH to the router, but my requirement is: I don't want to ping my router, but I should be able to telnet or SSH to the router from any internet PC.

New Member

Re: ICMP disable in Router

I'd suggest you get over the commonly mistaken idea that ICMP is an inherently bad-intentioned protocol and that its suppression makes your device invisible. As rburts pointed out, there are several necessary error codes provided by ICMP: TTL exceeded, fragmentation needed but DF set, etc. Furthermore, if you accept SSH from any arbitrary host on the internet you're going to expose yourself to incessant login attempts from all the SSH scan bots, which are in no way dependent on ICMP.
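
The replies above combined into one inbound ACL, as an added example that is not any poster's own configuration. 198.51.100.1 is a placeholder for the router's external address, and the return-traffic permits are assumptions about which "other traffic" the site needs.

```cisco
! Added example. Entries are matched top-down and the first match wins;
! anything that matches no entry is dropped by the implicit deny.
! 198.51.100.1 = placeholder for the router's external (serial) address.
!
! ICMP: keep the useful messages, drop the rest (inbound echo included)
access-list 110 permit icmp any any echo-reply
access-list 110 permit icmp any any unreachable
access-list 110 permit icmp any any time-exceeded
access-list 110 deny   icmp any any
!
! Management access to the router itself: tcp, not ip, so "eq" is accepted.
! Replacing "any" with a known management source range narrows exposure
! to the SSH scanning mentioned in the last reply.
access-list 110 permit tcp any host 198.51.100.1 eq 22
access-list 110 permit tcp any host 198.51.100.1 eq 443
! Telnet is port 23; uncomment only if SSH is not an option
! access-list 110 permit tcp any host 198.51.100.1 eq telnet
!
! Assumed "other traffic": replies to sessions opened from the inside
access-list 110 permit tcp any any established
access-list 110 permit udp any eq domain any
!
! Make the implicit deny explicit so dropped packets are logged
access-list 110 deny   ip any any log
!
interface Serial0/0
 ip access-group 110 in
```

`show access-lists 110` prints a match counter per entry, which shows whether the ICMP deny or the final deny is the one dropping a given flow.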
