New Member

Blocking ICMP from WAN on Cisco 3560

Hi,

I am using a Cisco switch as a DMZ switch. I want to block ICMP packets from the internet. Can you please assist me?

This is what I tried, but it didn't work. Do I need to apply this access-list somewhere?

ip access-list extended ICMP-CONTROL
 remark ***********************
 remark ** Permit ICMP Access **
 remark ***********************
 permit icmp host 5.5.5.5 any
 deny   icmp any any log

ACCEPTED SOLUTION

Re: Blocking ICMP from WAN on Cisco 3560

Hi,

You have to apply the ACL to an interface in the inbound or outbound direction.

But first you should add a permit ip any any, because an ACL has an implicit deny any any at the end!

And note that the log option forces software processing for those packets; I'd rather leave it out.

Hope that helps

Rolf

6 REPLIES


New Member

Blocking ICMP from WAN on Cisco 3560

Thanks,

but allowing permit ip any any will open all ports except ICMP. That will make the device more insecure, or am I wrong at any point?

Re: Blocking ICMP from WAN on Cisco 3560

That's right but I assume that you want to allow some non-ICMP traffic (from 5.5.5.5) too?

New Member

Re: Blocking ICMP from WAN on Cisco 3560

I want to allow ICMP only from 5.5.5.5 and block for all.

Blocking ICMP from WAN on Cisco 3560

O.K. but what about non-ICMP traffic?

The ACL you've posted allows ICMP from 5.5.5.5 but nothing else.

No other protocols (IP, TCP, UDP, etc.) from any other sources.

Is that what you want?

New Member

Re: Blocking ICMP from WAN on Cisco 3560

Ah, yes, I understand.

And here is the working configuration:

interface Vlan300
 ip access-group ICMP-CONTROL in

ip access-list extended ICMP-CONTROL
 permit ip host 5.5.5.5 any
 deny   icmp any any

Thanks a lot again.
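As an added illustration of the point Rolf makes in this thread (this is not code from the thread or from Cisco), here is a small Python model of how an IOS extended ACL is evaluated: top-down, first match wins, implicit deny at the end. It parses the ACL lines as posted (wildcard masks and destination matching are not modelled) and compares the first ACL, the final working one, and the variant with a trailing permit ip any any; the packet sources other than 5.5.5.5 are constructed sample values.

```python
from ipaddress import ip_address

# Added example, not from the thread: a minimal model of IOS extended-ACL
# evaluation. Entries are checked top-down, the first match wins, and a
# packet that matches no entry hits the implicit "deny ip any any".

def parse_acl(text):
    """Parse ACEs of the form used in the thread:
       <permit|deny> <proto> <any|host A.B.C.D> <any|host A.B.C.D> [log]
    Header, remark and blank lines are skipped. The trailing 'log' keyword
    does not change the verdict (it only punts matches to the CPU)."""
    acl = []
    for line in text.strip().splitlines():
        tok = line.split()
        if not tok or tok[0] not in ("permit", "deny"):
            continue
        action, proto, rest = tok[0], tok[1], tok[2:]
        src = "any" if rest[0] == "any" else rest[1]   # "host X" -> X
        acl.append((action, proto, src))
    return acl

def evaluate(acl, proto, src_ip):
    """Verdict ('permit' or 'deny') for a packet of IP protocol `proto`
    (e.g. 'icmp', 'tcp') arriving from `src_ip`."""
    for action, ace_proto, ace_src in acl:
        proto_ok = ace_proto == "ip" or ace_proto == proto
        src_ok = ace_src == "any" or ip_address(ace_src) == ip_address(src_ip)
        if proto_ok and src_ok:
            return action          # first match wins
    return "deny"                  # implicit deny ip any any

# The ACL as first posted: only ICMP from 5.5.5.5 is permitted, nothing else.
ORIGINAL = parse_acl("""
ip access-list extended ICMP-CONTROL
 remark ** Permit ICMP Access **
 permit icmp host 5.5.5.5 any
 deny   icmp any any log
""")

# The working configuration from the end of the thread: everything from
# 5.5.5.5, nothing from other sources (ICMP by the explicit deny, the rest
# by the implicit deny).
FINAL = parse_acl("""
 permit ip host 5.5.5.5 any
 deny   icmp any any
""")

# Rolf's suggestion when other traffic should still pass: a trailing
# "permit ip any any". It must come after the deny, or it shadows it.
PERMIT_REST = FINAL + parse_acl("permit ip any any")
```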
