Showing results for 
Search instead for 
Did you mean: 

Blocking icmp, and allowing www and ssh traffic

I started to train seriously in my lab, preparing CCNA exam, yesterday I played with the ACL, I configured to deny ICMP traffic, but I've tried to set it to default www and ssh, but it did not succeed, I have a 1841 router with 2 host connected, the FA0 / 0 and FA0 / 1, we have 2 linux hosts, my acl look like, are set to host 2 # ip access-pING inbound groups, and I ping from host 1

21 deny icmp eq echo

www and ssh traffic, but I am something wrong: (

3 permit tcp host eq www

4 permit tcp eq 22

CCNA R&S, CCNA Security
6 Replies 6

Sandeep Choudhary
VIP Mentor VIP Mentor
VIP Mentor

Hi ,

you can do like this:

access-list 101 deny icmp any any

access-list 101 permit ip any any

and apply this access group to a interface .


access-list 101 deny icmp any host x.x.x.x

The above ACL will only block ICMP.

Another  important thing is that if you only have the above line, all subsequent  connections are going to be blocked (because there's an implicit deny  everything else at the end of the ACL).

So, if your goal is to deny only ICMP, enter the above line and then:

access-list 101 permit ip any any

Hope it helps.


Please rate if it helps.

Yea, but I want only to allow ssh and www traffic, and deny icmp ping maybe I have problem in my plan

CCNA R&S, CCNA Security

Can you put your topology diagramm here and  then we can try to solve this isse:

just try with above comamnd and try....


Please rate if it helps.

Nothing spacial, 2 hosts and 1 1841 router


                       fa0/1       fa0/0

PC1 =========ROUTER=========PC2

Plan is, from PC 1 test connection (ssh and www) to PC 2, hosts are Linux mashine, on PC 2 I install apache httpd, Router must deny all icmp traffic on fa0/0, but to allow ssh and www, So I hide the machine from the ping, but users may be able to get it serviced (ssh and www only) last line is default everything else will be deny

CCNA R&S, CCNA Security

Try This one:

access-list 110 permit tcp any any eq 22

access-list 110 permit tcp any any eq www


Hi, if I put in access-lists, like last line, after deny icmp, 10 permit tcp any any (without eq ) than will work

5 deny icmp any any echo

10 permit tcp any any

but plan is to allow only ssh i www traffic, I don't know where is problem, when i put line 5, all traffic are blocked

Do you know how can I get massage, host is unreachable, whaen I ping that host ?

I tray permit icmp any any host-unreachable, but same

Have a nice day

CCNA R&S, CCNA Security
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Recognize Your Peers