Blocking icmp, and allowing www and ssh traffic

I started to train seriously in my lab, preparing for the CCNA exam. Yesterday I played with ACLs: I configured one to deny ICMP traffic and tried to set it to permit www and ssh by default, but it did not succeed. I have an 1841 router with 2 hosts connected, on FA0/0 and FA0/1; we have 2 Linux hosts. My ACL looks like this (it is applied inbound with ip access-group on the interface towards host 2), and I ping from host 1:

21 deny icmp 192.168.1.0 0.0.0.255 192.168.64.0 0.0.0.0 eq echo

www and ssh traffic, but I have something wrong :(

3 permit tcp 192.168.1.0 0.0.0.0 host 192.168.64.10 eq www

4 permit tcp 192.168.1.0 0.0.0.0 192.168.64.0 0.0.0.0 eq 22

CCNA R&S, CCNA Security

Sandeep Choudhary
VIP Alumni

Hi,

You can do it like this:

access-list 101 deny icmp any any

access-list 101 permit ip any any

and apply this access-group to an interface.

or

access-list 101 deny icmp any host x.x.x.x

The above ACL will only block ICMP.

Another important thing is that if you only have the above line, all subsequent connections are going to be blocked (because there's an implicit deny everything else at the end of the ACL).

So, if your goal is to deny only ICMP, enter the above line and then:

access-list 101 permit ip any any

Hope it helps.

Regards

Please rate if it helps.

Yeah, but I only want to allow ssh and www traffic and deny ICMP ping. Maybe I have a problem in my plan.

CCNA R&S, CCNA Security

Can you put your topology diagram here and then we can try to solve this issue.

Just try with the above command and try....

Regards

Please rate if it helps.

Nothing special, 2 hosts and 1 1841 router.

diagram 

                       fa0/1       fa0/0

PC1 =========ROUTER=========PC2

The plan is: from PC1, test connections (ssh and www) to PC2. The hosts are Linux machines; on PC2 I installed Apache httpd. The router must deny all ICMP traffic on fa0/0 but allow ssh and www, so I hide the machine from ping, but users are still able to get service from it (ssh and www only). The last line is the default: everything else will be denied.

CCNA R&S, CCNA Security

Try This one:

access-list 110 permit tcp any any eq 22

access-list 110 permit tcp any any eq www

Regards

Hi, if I put in the access-list, as the last line after deny icmp, 10 permit tcp any any (without eq), then it works:

5 deny icmp any any echo

10 permit tcp any any

But the plan is to allow only ssh and www traffic. I don't know where the problem is; when I put in line 5, all traffic is blocked.

Do you know how I can get the message "host is unreachable" when I ping that host?

I tried permit icmp any any host-unreachable, but it's the same.

Have a nice day

CCNA R&S, CCNA Security
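The following is an added example, not part of the thread and not anyone's posted configuration: a small Python evaluator for IOS-style extended ACL entries (first-match, implicit deny at the end, wildcard masks where 0 bits must match and 1 bits are ignored). It is fed a constructed reproduction of the ACL from the first post, plus a constructed corrected list for the plan described later (PC1 on 192.168.1.0/24, Apache and ssh on PC2 at 192.168.64.10). PC1's address 192.168.1.10 is an assumption, and line 21 is written with the IOS form "echo" rather than "eq echo". The point it makes: a wildcard of 0.0.0.0 matches exactly one address, so "192.168.1.0 0.0.0.0" permits only a host numbered 192.168.1.0 and every other LAN host falls through to the implicit deny, which is the "all traffic is blocked" symptom; a wildcard of 0.0.0.255 covers the whole subnet.

```python
"""Toy first-match evaluator for Cisco IOS style extended ACL entries (added example)."""
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

PORT_NAMES = {"www": 80, "ssh": 22}


@dataclass
class Packet:
    proto: str                      # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: Optional[int] = None     # TCP/UDP destination port
    icmp_type: Optional[str] = None  # e.g. "echo"


@dataclass
class Ace:
    action: str
    proto: str
    src: Tuple[int, int]            # (base address, wildcard) as integers
    dst: Tuple[int, int]
    dport: Optional[int] = None
    icmp_type: Optional[str] = None


def _parse_addr(tokens, i):
    """Parse 'any' | 'host A' | 'A WILDCARD' at tokens[i]; return ((base, wildcard), next index)."""
    if tokens[i] == "any":
        return (0, 0xFFFFFFFF), i + 1
    if tokens[i] == "host":
        return (int(ipaddress.IPv4Address(tokens[i + 1])), 0), i + 2
    base = int(ipaddress.IPv4Address(tokens[i]))
    wildcard = int(ipaddress.IPv4Address(tokens[i + 1]))
    return (base, wildcard), i + 2


def _addr_match(spec, addr):
    # Wildcard semantics: bits set to 0 in the wildcard must match, bits set to 1 are ignored.
    base, wildcard = spec
    mask = 0xFFFFFFFF ^ wildcard
    return (int(ipaddress.IPv4Address(addr)) & mask) == (base & mask)


def parse_ace(line):
    """Parse one ACE; an optional leading sequence number is accepted and dropped."""
    tokens = line.split()
    if tokens and tokens[0].isdigit():
        tokens = tokens[1:]
    action, proto = tokens[0], tokens[1]
    if action not in ("permit", "deny") or proto not in ("ip", "tcp", "udp", "icmp"):
        raise ValueError(f"unsupported ACE: {line!r}")
    src, i = _parse_addr(tokens, 2)
    dst, i = _parse_addr(tokens, i)
    rest = tokens[i:]
    ace = Ace(action, proto, src, dst)
    if not rest:
        return ace
    if proto in ("tcp", "udp") and rest[0] == "eq" and len(rest) == 2:
        ace.dport = PORT_NAMES.get(rest[1]) or int(rest[1])
    elif proto == "icmp" and len(rest) == 1:
        # For icmp the message name follows the addresses directly; "eq" is a tcp/udp operator.
        ace.icmp_type = rest[0]
    else:
        raise ValueError(f"invalid qualifier {' '.join(rest)!r} in: {line!r}")
    return ace


def _matches(ace, pkt):
    if ace.proto != "ip" and ace.proto != pkt.proto:
        return False
    if not (_addr_match(ace.src, pkt.src) and _addr_match(ace.dst, pkt.dst)):
        return False
    if ace.dport is not None and pkt.dport != ace.dport:
        return False
    if ace.icmp_type is not None and pkt.icmp_type != ace.icmp_type:
        return False
    return True


def evaluate(acl_lines, pkt):
    """First match wins; if nothing matches the packet hits the implicit deny at the end."""
    for line in acl_lines:
        if _matches(parse_ace(line), pkt):
            return parse_ace(line).action, line
    return "deny", "implicit deny"


# Constructed reproduction of the thread's ACL, listed in sequence-number order (3, 4, 21).
AS_POSTED = [
    "3 permit tcp 192.168.1.0 0.0.0.0 host 192.168.64.10 eq www",
    "4 permit tcp 192.168.1.0 0.0.0.0 192.168.64.0 0.0.0.0 eq 22",
    "21 deny icmp 192.168.1.0 0.0.0.255 192.168.64.0 0.0.0.0 echo",
]

# Constructed corrected list: 0.0.0.255 covers the whole 192.168.1.0/24 LAN.
CORRECTED = [
    "deny icmp 192.168.1.0 0.0.0.255 192.168.64.0 0.0.0.255 echo",
    "permit tcp 192.168.1.0 0.0.0.255 host 192.168.64.10 eq www",
    "permit tcp 192.168.1.0 0.0.0.255 host 192.168.64.10 eq 22",
]

PC1, PC2 = "192.168.1.10", "192.168.64.10"   # PC1's address is an assumption
SAMPLE = {  # constructed packets from PC1 towards PC2
    "ping": Packet("icmp", PC1, PC2, icmp_type="echo"),
    "http": Packet("tcp", PC1, PC2, dport=80),
    "ssh": Packet("tcp", PC1, PC2, dport=22),
    "telnet": Packet("tcp", PC1, PC2, dport=23),
}


def verdicts(acl_lines):
    """Map each sample packet name to 'permit' or 'deny' under the given ACL."""
    return {name: evaluate(acl_lines, pkt)[0] for name, pkt in SAMPLE.items()}


if __name__ == "__main__":
    for label, acl in (("as posted", AS_POSTED), ("corrected", CORRECTED)):
        print(label, verdicts(acl))
```

Running it shows every sample packet denied under the list as posted (all four fall through to the implicit deny) and, under the corrected list, ping denied, http and ssh permitted, and telnet denied by the implicit deny alone. The evaluator only models destination-port matching and a single ICMP message name; it is a teaching aid, not a substitute for "show access-lists" hit counts on the router.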