How can I deny ping access in one direction, but not the other? (PKT)

Matt N (Level 1)

Hi,

Sorry to bother you all, but I'm having some issues with a network I'm building in Cisco Packet Tracer.

In my network, I need to be able to deny ping access from one direction, but not the other. (So for instance, in my network, I need for the group of systems with IP address 192.168.102.0 to be blocked from accessing the group of systems with IP address 192.168.101.0, but not vice versa; 192.168.101.0 must still be able to ping 192.168.102.0, but 192.168.102.0 must not be able to ping 192.168.101.0).

I initially tried doing this using access lists on the Master Router, but that did not work at all; packets were still able to ping in both directions even when I added the access list to a particular interface.

I then tried the IPv4 Firewall tab on the Desktop of each system within the group, and while that was very good at stopping access in one direction, it also completely stopped pinging in the other direction too, even if I allowed ping access from the sender IP address group on the receiving system.

Does anyone know what my issue might be? And what should I do in order to rectify it (should I use access lists or IPv4 Firewall?)? Any help would be much appreciated; I've integrated my Cisco Packet Tracer file within a zip folder to give you some idea of what I'm working with here.

6 Replies

Richard Burts (Hall of Fame)

It should be fairly straightforward to prevent ping from 192.168.102.0 to 192.168.101.0. Configure an extended access list and apply the access list inbound on the router/switch interface where 192.168.102.0 is connected. In the access list the first statement should deny icmp echo-request where source is 109.168.102.0 and destination is 192.168.101.0. The second statement in the access list should permit ip traffic where source is 192.168.102.0 and destination is any. 

This would prevent ping request from 192.168.102.0 to 192.168.101.0 and would not impact ping request from 192.168.101.0 to 192.168.102.0 and not impact ping response from 192.168.102.0 to 192.168.101.0.

HTH

Rick

BTW, what @Richard Burts suggests is a belt and suspenders approach (and is fully correct).  Just wanted to note that if you block ping requests in one direction, there should be no ping replies in the other.

Also, you might just block ping replies in one direction.  The latter might be used if you didn't have access to the "other side" to block ping requests.

Martin L (VIP)

Have you tried Extended ACL? Extended ACL lets you choose direction (source/destination) as well as protocol type (icmp, tcp, udp, etc); also, placement and direction is important. Standard ACL should be placed near destination while Ext. ACL near source. Use ? with commands to see all options.

This one is tricky so I will attach my solution (of course this may have 2 solutions or more).

Regards, ML
**Please Rate All Helpful Responses**

Hello

@Matt N wrote:

192.168.101.0 must still be able to ping 192.168.102.0, but 192.168.102.0 must not be able to ping 192.168.101.0)..


Try the following:

ip access-list extended ICMP
 deny icmp 192.168.102.0 0.0.0.255 any echo
 permit ip any any
!
int x/x
 description routed interface for 192.168.101.x
 ip access-group ICMP in

Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul
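The three answers above all rest on the same property of a stateless IOS ACL: an entry that matches only ICMP echo (type 8) in the 192.168.102.0 to 192.168.101.0 direction never touches the echo-replies flowing back, so a ping started from 192.168.101.0 still completes, while Martin's point about placement explains Matt's original symptom (an ACL applied on the wrong interface or in the wrong direction simply never sees the packets). The following is an added illustration, not code from this thread or from Cisco: a small Python model that parses IOS-style extended ACL entries (wildcard masks, `any`, `host`, an optional ICMP type keyword), evaluates them in order with the implicit deny at the end, and runs both the correctly placed ACL and a misplaced one against a ping in each direction. The interface names Gi0/0 (facing 192.168.102.0/24) and Gi0/1 (facing 192.168.101.0/24) and the host addresses are constructed for the example; the ACL body follows Rick's variant with an explicit destination network.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass
class Packet:
    src: str
    dst: str
    proto: str                      # "icmp", "tcp", "udp"
    icmp_type: Optional[str] = None  # "echo" or "echo-reply" for ICMP packets

def in_wildcard(addr: str, network: str, wildcard: str) -> bool:
    """Cisco wildcard match: bits set to 1 in the wildcard are 'don't care'."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    w = int(ipaddress.IPv4Address(wildcard))
    return (a & ~w) == (n & ~w)

def parse_ace(line: str) -> dict:
    """Parse one IOS-style extended ACL entry:
       <permit|deny> <proto> <src> [wildcard] <dst> [wildcard] [icmp-type]
    'any' means 0.0.0.0 255.255.255.255 and 'host X' means X 0.0.0.0."""
    tokens = line.split()
    action, proto, rest = tokens[0], tokens[1], tokens[2:]

    def take_addr():
        nonlocal rest
        if rest[0] == "any":
            rest = rest[1:]
            return ("0.0.0.0", "255.255.255.255")
        if rest[0] == "host":
            host, rest = rest[1], rest[2:]
            return (host, "0.0.0.0")
        net, wc, rest = rest[0], rest[1], rest[2:]
        return (net, wc)

    src = take_addr()
    dst = take_addr()
    icmp_type = rest[0] if rest else None
    return {"action": action, "proto": proto, "src": src, "dst": dst, "icmp_type": icmp_type}

def evaluate(acl: list, pkt: Packet) -> str:
    """First matching entry wins; an IOS ACL ends with an implicit 'deny'."""
    for ace in acl:
        if ace["proto"] not in ("ip", pkt.proto):
            continue
        if not in_wildcard(pkt.src, *ace["src"]) or not in_wildcard(pkt.dst, *ace["dst"]):
            continue
        if ace["icmp_type"] and ace["icmp_type"] != pkt.icmp_type:
            continue   # e.g. a 'deny ... echo' entry lets echo-replies fall through
        return ace["action"]
    return "deny"

# The ACL from the thread (Rick's variant with an explicit destination network).
ICMP_ACL = [parse_ace(l) for l in (
    "deny icmp 192.168.102.0 0.0.0.255 192.168.101.0 0.0.0.255 echo",
    "permit ip any any",
)]

def forward(ifaces: dict, ingress: str, egress: str, pkt: Packet) -> str:
    """Transit packet: the ingress interface's inbound ACL is checked first,
    then the egress interface's outbound ACL (the order IOS applies them)."""
    for iface, direction in ((ingress, "in"), (egress, "out")):
        acl = ifaces[iface].get(direction)
        if acl is not None and evaluate(acl, pkt) == "deny":
            return "deny"
    return "permit"

def ping_succeeds(ifaces: dict, src_if: str, dst_if: str, src: str, dst: str) -> bool:
    """A ping only 'works' if the echo gets there AND the echo-reply gets back."""
    request = Packet(src, dst, "icmp", "echo")
    reply = Packet(dst, src, "icmp", "echo-reply")
    return (forward(ifaces, src_if, dst_if, request) == "permit"
            and forward(ifaces, dst_if, src_if, reply) == "permit")

# Constructed topology: Gi0/0 faces 192.168.102.0/24, Gi0/1 faces 192.168.101.0/24.
CORRECT = {"Gi0/0": {"in": ICMP_ACL}, "Gi0/1": {}}     # inbound on the .102 side
MISPLACED = {"Gi0/0": {}, "Gi0/1": {"in": ICMP_ACL}}   # inbound on the .101 side: never sees .102-sourced echoes

def demo() -> dict:
    host102, host101 = "192.168.102.10", "192.168.101.10"
    return {
        "correct: .102 -> .101": ping_succeeds(CORRECT, "Gi0/0", "Gi0/1", host102, host101),    # False
        "correct: .101 -> .102": ping_succeeds(CORRECT, "Gi0/1", "Gi0/0", host101, host102),    # True
        "misplaced: .102 -> .101": ping_succeeds(MISPLACED, "Gi0/0", "Gi0/1", host102, host101), # True (ACL ineffective)
    }

if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case}: {'ping works' if ok else 'ping blocked'}")
```

Running it prints `correct: .102 -> .101: ping blocked`, `correct: .101 -> .102: ping works`, and `misplaced: .102 -> .101: ping works`. The last line is the behaviour Matt described (ACL added, pings still get through): with the entry placed inbound on the 192.168.101.x interface, echoes sourced from 192.168.102.0 arrive on the other interface and are never evaluated against it, so in a real deployment the check is `show ip access-lists` to confirm the deny counter increments when a blocked ping is attempted.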

Matt N (Level 1)

Thank you all so much; these responses have really helped!

You are welcome. I am glad that our explanations have been helpful. Thank you for marking this question as solved. This will help other participants in the community to identify discussions which have helpful information. This community is an excellent place to ask questions and to learn about networking. I hope to see you continue to be active in the community.

HTH

Rick