12-17-2003 04:46 AM - edited 03-02-2019 12:24 PM
This is my config to stop ICMP, which is not working:
access-list 101 permit ip any any
access-list 101 deny icmp any any
int s0
ip access-group 101 in
ip access-group 101 out
Even after the above config, I'm receiving a lot of junk ICMP.
I don't want any ICMP packets coming in, nor any response given by my router to ICMP packets.
But I should always be able to ping others.
How do I do it?
Do I have to set anything else on the Ethernet too?
Regards,
Ramp
12-17-2003 05:06 AM
Hello Ramp.
The access list checks for the first match and then breaks out. In your access list, the first match is to permit any IP packet, so the second line, deny icmp, is never checked. If you change the order of the access list to:
access-list 101 deny icmp any any
access-list 101 permit ip any any
the ICMP traffic should be blocked. That is just the way access lists work: if they find a match, they do not look further down in the access list.
HTH,
GP
12-17-2003 02:34 PM
Ramp,
I agree with what GP said. Reverse the order of the commands in your access-list and it will work fine.
The "ip" part of your "access-list 101 permit ip any any" command includes TCP, UDP, and ICMP protocols. That's how the ICMP traffic was getting through.
If your access-list had been written differently, such as
access-list 101 permit tcp any any
access-list 101 permit udp any any
access-list 101 deny icmp any any
then it would have worked.
It's generally a good idea to put your "deny" commands close to the top of the access-list, to be sure they take precedence over "permits". Just be careful not to deny more than you want to.
Hope this helps.
Edited to add:
If you want to control the type of ICMP traffic that's allowed in and out of the Serial0 interface, you can create two access-lists, one for inbound and the other for outbound traffic.
For example, if you want to be able to ping from your Ethernet LAN through the router and out the serial interface and get replies back, but keep people on the outside from pinging into your Ethernet LAN from the serial side, you could do this:
access-list 102 deny icmp any any echo
access-list 102 permit icmp any any echo-reply
access-list 102 permit ip any any
access-list 103 permit icmp any any echo
access-list 103 deny icmp any any echo-reply
access-list 103 permit ip any any
interface Serial0
ip access-group 102 in
ip access-group 103 out
Note that in access-list 102, the second line that permits the echo-reply is not really needed, since the last line in that access-list permits ip (TCP, UDP, and ICMP) and would also allow it. But sometimes it is useful to list a command anyway; for example, if you want to see whether that specific line is being matched. (You would see this with the "show ip access-list 102" command.)
And access-list 103 could be rewritten to put the "deny icmp echo-reply" command first, if you wanted to.
No need to put anything on your Ethernet0 interface, unless you want to. If you wanted to be redundant, you could apply the same ACLs:
interface Ethernet0
ip access-group 102 out
ip access-group 103 in
Note that the direction (in/out) changes, since the traffic being permitted or denied in my example is coming into the router from another direction. In this scenario, you would want to allow your ping echoes to enter the router from the LAN side so that they could exit out the Serial0 interface; and you would want to allow the echo-replies to come back.
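To make the first-match behaviour described in the replies above concrete, here is an added Python model (my own example, not code from the thread or from Cisco IOS) that parses the ACLs posted in this thread and evaluates a packet against them line by line. It assumes that only the protocol and the ICMP type matter and that source and destination are always "any"; the hit counters mimic what "show ip access-list" would display.

```python
# Constructed model of Cisco IOS extended-ACL first-match evaluation.
# Assumption: only the fields this thread cares about are modelled
# (protocol and ICMP type); source and destination are always "any".

def parse_acl(lines):
    """Parse 'access-list N <action> <proto> any any [icmp-type]' lines
    into ordered rules; 'hits' mimics the counters of 'show ip access-list'."""
    rules = []
    for line in lines:
        p = line.split()  # access-list, number, action, proto, any, any, [type]
        rules.append({"action": p[2], "proto": p[3],
                      "icmp_type": p[6] if len(p) > 6 else None, "hits": 0})
    return rules

def matches(rule, proto, icmp_type):
    # "ip" covers every IP protocol (TCP, UDP and ICMP), so a leading
    # "permit ip any any" swallows the ICMP the next line meant to deny.
    if rule["proto"] != "ip" and rule["proto"] != proto:
        return False
    return rule["icmp_type"] is None or rule["icmp_type"] == icmp_type

def evaluate(acl, proto, icmp_type=None):
    """Return the action of the first matching rule; every IOS ACL ends
    with an implicit deny, which applies when nothing matches."""
    for rule in acl:
        if matches(rule, proto, icmp_type):
            rule["hits"] += 1
            return rule["action"]
    return "deny"

# The ACLs from the thread, as posted.
ACL101_ORIGINAL = parse_acl(["access-list 101 permit ip any any",
                             "access-list 101 deny icmp any any"])
ACL101_FIXED = parse_acl(["access-list 101 deny icmp any any",
                          "access-list 101 permit ip any any"])
ACL102_IN = parse_acl(["access-list 102 deny icmp any any echo",
                       "access-list 102 permit icmp any any echo-reply",
                       "access-list 102 permit ip any any"])
ACL103_OUT = parse_acl(["access-list 103 permit icmp any any echo",
                        "access-list 103 deny icmp any any echo-reply",
                        "access-list 103 permit ip any any"])

def ping_outcomes():
    """Summarise what each ACL does to an ICMP echo and an echo-reply."""
    return {name: (evaluate(acl, "icmp", "echo"), evaluate(acl, "icmp", "echo-reply"))
            for name, acl in [("101-original", ACL101_ORIGINAL), ("101-fixed", ACL101_FIXED),
                              ("102-in", ACL102_IN), ("103-out", ACL103_OUT)]}
```

Running ping_outcomes() shows the original ACL 101 permitting both echo and echo-reply, while the reordered one denies them; the deny line of the original ACL never accumulates a hit, which is exactly what "show ip access-list" would reveal on the router.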