How to permit router to respond to ping requests from the LAN, but deny from the WAN

doughorton
Level 1

I have the following ACL statement in the running config of my 2911 router:

ip access-list extended NOSPOOF
 deny icmp any any

This, of course, denies all ping responses (and other ICMP). How do I change this to permit ping responses from the LAN side while still denying ping responses from the WAN side?

3 Replies

ahmedshoaib
Level 4

Hi;

To avoid DDoS attacks you need a separate DDoS appliance; if you don't have a big network, more critical applications or the budget, then you can use a perimeter firewall. If you still have an issue, then on the router you can do it via ACL.

Remember, the router doesn't have a state table and doesn't have traffic awareness. If you deny any traffic or protocol on a specific interface, it will block all that traffic in the direction where you apply the ACL.

You need to apply the ACL on the WAN interface in the inbound direction. It will block all the ICMP echo requests or replies coming to the WAN interface (including ICMP replies going toward LAN users).

If you want to allow the LAN users to ping outside but nobody to reach your network via ping (consider you are using the 192.168.1.0/24 subnet for LAN users):

ip access-list extended NOSPOOF
 ! echo-reply is the ICMP type keyword; "eq" is only used for TCP/UDP ports
 permit icmp any 192.168.1.0 0.0.0.255 echo-reply
 deny icmp any any
 permit ip any any

interface G0/0
 ! WAN interface
 ip access-group NOSPOOF in

Thanks & Best regards;

Thank you kindly for your reply. A follow-up question:

Will this also permit LAN users to ping the router itself as well as devices outside the LAN? That is, assuming the router is 192.168.1.1:

  • LAN device can ping 192.168.1.1 and receive a reply (confirming the router is alive)
  • LAN device can ping 8.8.8.8 and receive a reply (confirming that Google public DNS is alive)

Hi;

I assumed the G0/0 interface is your WAN interface (having the public IP) and applied the ACL, which will block all incoming ICMP traffic from the WAN.

With reference to your query:

  1. LAN devices can ping 192.168.1.1 because we don't apply an ACL on your LAN interface.

  2. To ping the DNS server (8.8.8.8) or any public IP address from a LAN user, we need to modify the ACL, because to access the internet you need to do NAT on the router (192.168.1.0/24 NATed to the X.X.X.X public IP).

permit icmp any host X.X.X.X echo-reply

Note: where your X.X.X.X is the public IP address used to access the internet.

Thanks & Best regards.
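The two replies above hinge on two properties of an IOS extended ACL: entries are evaluated top-down and the first match wins, and an ACL applied inbound on the WAN interface sees packets before NAT rewrites the public address back to the inside host. The following is an added example, not code from the thread or from Cisco: a small Python simulator of that first-match evaluation, run against a few constructed packets to show why the first NOSPOOF list drops the replies to a NATed LAN ping and why the extra `permit icmp any host X.X.X.X echo-reply` line fixes it. The addresses 203.0.113.10 (standing in for X.X.X.X) and 198.51.100.7 (an arbitrary Internet host) are assumptions chosen for the example.

```python
# Added example (not from the Cisco Community thread): simulate the first-match
# evaluation an IOS extended ACL performs and check what the NOSPOOF list does
# to constructed packets arriving inbound on the WAN interface.
# Assumed placeholder addresses: 203.0.113.10 stands in for the thread's
# "X.X.X.X" public address, 198.51.100.7 for an arbitrary outside host.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Packet:
    proto: str              # "icmp", "tcp" or "udp"
    src: str
    dst: str
    icmp_type: str = ""     # "echo" (request) or "echo-reply" for ICMP


@dataclass(frozen=True)
class Entry:
    action: str             # "permit" or "deny"
    proto: str              # "ip" matches every protocol, otherwise exact match
    src: object             # "any" or an ip_network
    dst: object
    icmp_type: str = ""     # "" = any ICMP type, as in "deny icmp any any"


def _take_addr(tokens):
    """Consume one IOS address spec: any | host A.B.C.D | A.B.C.D wildcard."""
    t = tokens.pop(0)
    if t == "any":
        return "any"
    if t == "host":
        return ip_network(tokens.pop(0) + "/32")
    wildcard = tokens.pop(0)
    if wildcard == "0.0.0.0":           # IOS: single host
        return ip_network(t + "/32")
    if wildcard == "255.255.255.255":   # IOS: any address
        return "any"
    # ipaddress accepts a wildcard (host) mask, so 192.168.1.0/0.0.0.255 -> /24
    return ip_network(t + "/" + wildcard, strict=False)


def parse_acl(text):
    """Parse the entry lines of an 'ip access-list extended' block."""
    entries = []
    for line in text.strip().splitlines():
        tokens = line.split()
        action, proto, rest = tokens[0], tokens[1], tokens[2:]
        src = _take_addr(rest)
        dst = _take_addr(rest)
        icmp_type = rest[0] if proto == "icmp" and rest else ""
        entries.append(Entry(action, proto, src, dst, icmp_type))
    return entries


def _addr_ok(spec, addr):
    return spec == "any" or ip_address(addr) in spec


def entry_matches(e, p):
    if e.proto != "ip" and e.proto != p.proto:
        return False
    if not (_addr_ok(e.src, p.src) and _addr_ok(e.dst, p.dst)):
        return False
    return not (e.proto == "icmp" and e.icmp_type and e.icmp_type != p.icmp_type)


def evaluate(acl, pkt):
    """First matching entry wins; a configured ACL ends with an implicit deny.
    acl=None models an interface with no access-group applied: everything passes."""
    if acl is None:
        return "permit"
    for e in acl:
        if entry_matches(e, pkt):
            return e.action
    return "deny"


# The list from the first reply (with the keyword spelled echo-reply).
NOSPOOF_V1 = parse_acl("""
permit icmp any 192.168.1.0 0.0.0.255 echo-reply
deny icmp any any
permit ip any any
""")

# The second reply's addition for NAT, placed above the deny so it is reached:
# the inbound WAN ACL sees the reply addressed to the public IP, before NAT
# rewrites the destination to the inside host.
NOSPOOF_V2 = parse_acl("""
permit icmp any host 203.0.113.10 echo-reply
permit icmp any 192.168.1.0 0.0.0.255 echo-reply
deny icmp any any
permit ip any any
""")

# Constructed packets as the WAN-inbound ACL sees them.
WAN_ECHO_REQUEST = Packet("icmp", "198.51.100.7", "203.0.113.10", "echo")      # outsider pinging us
REPLY_TO_PUBLIC_IP = Packet("icmp", "8.8.8.8", "203.0.113.10", "echo-reply")   # reply to a LAN ping
WAN_TCP = Packet("tcp", "8.8.8.8", "203.0.113.10")
LAN_PING_ROUTER = Packet("icmp", "192.168.1.50", "192.168.1.1", "echo")        # enters on LAN side

if __name__ == "__main__":
    for name, acl in (("v1", NOSPOOF_V1), ("v2", NOSPOOF_V2)):
        for label, p in (("echo request from WAN", WAN_ECHO_REQUEST),
                         ("echo reply to public IP", REPLY_TO_PUBLIC_IP),
                         ("tcp from WAN", WAN_TCP)):
            print(f"{name}: {label:24s} -> {evaluate(acl, p)}")
    print("LAN ping to router (no ACL on LAN interface) ->", evaluate(None, LAN_PING_ROUTER))
```

Running it shows the behaviour the replies describe: with the first list, an outsider's echo request is denied, but so is the echo reply coming back to the public address, because the only permit line names the inside subnet; with the added `host` line the reply passes while the inbound echo request is still denied, and the LAN-side ping of 192.168.1.1 is unaffected because no ACL is applied on that interface.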