09-30-2004 09:51 AM - edited 03-09-2019 08:57 AM
I can still ping from the internet...I have removed and reapplied the acl but still the same...it is something stupid and simple
! disable unneeded services
no ip source-route
no service tcp-small-servers
no service udp-small-servers
no service finger
no ip bootp server
no ip http server
! clear and rebuild the access lists
no access-list 110
no access-list 111
no access-list 112
! 110: applied outbound on the serial interface
access-list 110 deny icmp any any
access-list 110 permit ip any any
! 111: applied inbound on the serial interface (anti-spoofing plus telnet block)
access-list 111 deny ip 192.168.0.0 0.0.255.255 any
access-list 111 deny ip 172.16.0.0 0.15.255.255 any
access-list 111 deny ip 10.0.0.0 0.255.255.255 any
access-list 111 deny ip 127.0.0.0 0.255.255.255 any
access-list 111 deny ip 255.0.0.0 0.255.255.255 any
access-list 111 deny ip 224.0.0.0 7.255.255.255 any
access-list 111 deny ip host 0.0.0.0 any
access-list 111 deny tcp any host 63.243.59.138 eq telnet
access-list 111 deny tcp any host 199.72.86.178 eq telnet
access-list 111 permit ip any any
! 112: applied inbound on the LAN interface
access-list 112 permit ip 199.72.86.0 0.0.0.255 any
access-list 112 permit ip 192.168.0.0 0.0.255.255 any
access-list 112 permit ip any any
interface serial 0/0.1
ip access-group 110 out
ip access-group 111 in
exit
interface fastethernet 0/1
ip access-group 112 in
exit
09-30-2004 10:25 AM
When you say you can ping from the internet, I assume that you are talking about traffic on the serial 0/0.1 interface rather than the fastethernet interface.
On the serial interface you have access-group 111 in to examine the inbound traffic. Nothing in the inbound list does anything specific with ICMP, so the permit ip any any will allow the ping in. You have access-group 110 out on the serial interface. This access list will deny ICMP. However, one aspect of outbound access lists is that they cannot filter packets which are generated by the router. So you cannot filter the ping response that the router generates.
This explains why you can ping the router interface. This configuration would prevent ping to anything behind the router from the internet but would not prevent ping to the router itself.
On a side note, deny icmp any any is pretty broad, and I ask anyone thinking about doing this to be sure that is what they really want to do. While there are some things that you may want to prevent (like ping) from the Internet, there are many very useful things in ICMP which you might want. Without ICMP TTL exceeded your attempt to traceroute will not work. Without ICMP Fragmentation Required but DF Set, Path MTU Discovery is broken and your users' attempts to access some Web resources may have problems. So I suggest that you think about the specific things you may want to deny, but do not just deny ICMP.
HTH
Rick
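To make the two points in Rick's answer concrete, here is an added example that is not part of the thread: a small Python model of how IOS evaluates numbered extended ACLs (first match wins, implicit deny at the end, and outbound lists not applied to packets the router itself generates, as Rick states). It replays the posted lists 110 and 111 against a ping from the Internet to the router and to a host behind it, and then against an assumed replacement for list 111 that denies only echo requests while permitting the ICMP types traceroute and Path MTU Discovery depend on. The inside and Internet addresses are constructed; 63.243.59.138 is taken from the posted config and assumed here to be the serial interface address.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# IOS ICMP keywords mapped to (type, code); a None code matches any code.
ICMP_KEYWORDS = {
    "echo": (8, None), "echo-reply": (0, None), "ttl-exceeded": (11, None),
    "unreachable": (3, None), "packet-too-big": (3, 4),
}
PORT_NAMES = {"telnet": 23}


@dataclass
class Packet:
    proto: str                       # "icmp", "tcp" or "udp"
    src: str
    dst: str
    icmp: Optional[tuple] = None     # (type, code) for ICMP packets
    dport: Optional[int] = None      # destination port for TCP/UDP
    router_originated: bool = False  # True for replies the router itself sends


def _parse_addr(tokens, i):
    """Parse 'any' / 'host X' / 'X wildcard' into (network, wildcard) ints."""
    if tokens[i] == "any":
        return (0, 0xFFFFFFFF), i + 1
    if tokens[i] == "host":
        return (int(ipaddress.IPv4Address(tokens[i + 1])), 0), i + 2
    net = int(ipaddress.IPv4Address(tokens[i]))
    wild = int(ipaddress.IPv4Address(tokens[i + 1]))
    return (net, wild), i + 2


def _addr_match(spec, ip):
    net, wild = spec
    # Wildcard bits set to 1 are "don't care", exactly as IOS treats them.
    return ((int(ipaddress.IPv4Address(ip)) ^ net) & ~wild & 0xFFFFFFFF) == 0


def parse_acl(config_text, number):
    """Collect the entries of one numbered ACL, in configuration order."""
    entries = []
    for line in config_text.splitlines():
        t = line.split()
        if len(t) < 6 or t[0] != "access-list" or t[1] != str(number):
            continue
        e = {"action": t[2], "proto": t[3]}
        e["src"], i = _parse_addr(t, 4)
        e["dst"], i = _parse_addr(t, i)
        rest = t[i:]
        if e["proto"] == "icmp" and rest:
            e["icmp"] = ICMP_KEYWORDS[rest[0]]
        elif e["proto"] in ("tcp", "udp") and len(rest) == 2 and rest[0] == "eq":
            e["dport"] = PORT_NAMES.get(rest[1]) or int(rest[1])
        entries.append(e)
    return entries


def _entry_matches(e, pkt):
    if e["proto"] != "ip" and e["proto"] != pkt.proto:
        return False
    if not (_addr_match(e["src"], pkt.src) and _addr_match(e["dst"], pkt.dst)):
        return False
    if "icmp" in e:
        want_type, want_code = e["icmp"]
        if pkt.icmp is None or pkt.icmp[0] != want_type:
            return False
        if want_code is not None and pkt.icmp[1] != want_code:
            return False
    if "dport" in e and pkt.dport != e["dport"]:
        return False
    return True


def evaluate(entries, pkt):
    """First matching entry wins; no match means the implicit deny."""
    for e in entries:
        if _entry_matches(e, pkt):
            return e["action"]
    return "deny"


def filter_on_interface(entries, pkt, direction):
    """Outbound ACLs are not applied to router-generated packets (per Rick's answer)."""
    if direction == "out" and pkt.router_originated:
        return "permit"
    return evaluate(entries, pkt)


# Lists 110 and 111 exactly as posted in the question.
ACL_110 = """
access-list 110 deny icmp any any
access-list 110 permit ip any any
"""
ORIGINAL_111 = """
access-list 111 deny ip 192.168.0.0 0.0.255.255 any
access-list 111 deny ip 172.16.0.0 0.15.255.255 any
access-list 111 deny ip 10.0.0.0 0.255.255.255 any
access-list 111 deny ip 127.0.0.0 0.255.255.255 any
access-list 111 deny ip 255.0.0.0 0.255.255.255 any
access-list 111 deny ip 224.0.0.0 7.255.255.255 any
access-list 111 deny ip host 0.0.0.0 any
access-list 111 deny tcp any host 63.243.59.138 eq telnet
access-list 111 deny tcp any host 199.72.86.178 eq telnet
access-list 111 permit ip any any
"""
# Assumed replacement for 111 (not from the thread): block echo requests from the
# Internet but keep the ICMP messages traceroute and PMTU discovery rely on.
HARDENED_111 = """
access-list 111 deny ip 192.168.0.0 0.0.255.255 any
access-list 111 deny ip 10.0.0.0 0.255.255.255 any
access-list 111 deny icmp any any echo
access-list 111 permit icmp any any echo-reply
access-list 111 permit icmp any any ttl-exceeded
access-list 111 permit icmp any any unreachable
access-list 111 permit ip any any
"""
ORIGINAL_CONFIG = ACL_110 + ORIGINAL_111
HARDENED_CONFIG = ACL_110 + HARDENED_111

ROUTER_WAN = "63.243.59.138"    # from the posted config, assumed serial address
INSIDE_HOST = "199.72.86.10"    # constructed, inside the posted 199.72.86.0/24
INTERNET_HOST = "198.51.100.7"  # constructed Internet source (documentation range)


def inbound_verdict(config_text, pkt):
    return filter_on_interface(parse_acl(config_text, 111), pkt, "in")


def ping_outcome(config_text, target, router_is_target):
    """Return (verdict for the request on serial in, verdict for the reply on serial out)."""
    request = Packet("icmp", INTERNET_HOST, target, icmp=(8, 0))
    verdict_in = inbound_verdict(config_text, request)
    if verdict_in == "deny":
        return ("deny", None)
    reply = Packet("icmp", target, INTERNET_HOST, icmp=(0, 0),
                   router_originated=router_is_target)
    verdict_out = filter_on_interface(parse_acl(config_text, 110), reply, "out")
    return (verdict_in, verdict_out)


if __name__ == "__main__":
    print("original, ping router:", ping_outcome(ORIGINAL_CONFIG, ROUTER_WAN, True))
    print("original, ping inside host:", ping_outcome(ORIGINAL_CONFIG, INSIDE_HOST, False))
    print("hardened, ping router:", ping_outcome(HARDENED_CONFIG, ROUTER_WAN, True))
```

With the posted lists the router answers the ping (the request is permitted inbound and the router's own reply skips list 110), while a host behind the router does not (its reply is transit traffic and list 110 drops it). With the assumed inbound list the echo request is dropped on the way in, which is the only place a router-destined packet can be filtered, and TTL-exceeded and unreachable messages still pass.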