01-03-2010 12:45 AM - edited 03-06-2019 09:08 AM
Hi,
I apply following ACL on router Wan interface
2650(config)#int fa0/0
2650(config-if)#ip access
2650(config-if)#ip access-group 102 in
2650(config)#access-list 102 deny icmp any any echo-reply
After applying this I lost telnet access to the router and am also unable to ping it.
Can someone explain to me why this happened?
I was trying to block ping requests to the router, but at the same time I want to keep telnet access to the router.
thanks
mahesh
01-04-2010 05:28 AM
Are you trying to block pings to any device into your network or are you trying to block the replies from devices?
Having an ACL of
int fa0/0
ip access-group 102 in
access-list 102 deny icmp any any echo-reply
access-list 102 permit ip any any
will set it up so that if you ping anything from inside your network to the outside, the replies back to you will be blocked by the ACL. However, if someone from the outside world tries to ping you, they will do so with success.
If you want to block pings from the outside world into you then you will want to use the ACL:
int fa0/0
ip access-group 102 in
access-list 102 deny icmp any any echo
access-list 102 permit ip any any
This will still allow you to ping the outside world as the replies will not be blocked from returning.
01-03-2010 02:20 AM
Any access-list ends with an implicit deny any any, even if you did not write it.
You wrote: access-list 102 deny icmp any any echo-reply
This is equal to:
access-list 102 deny icmp any any echo-reply
access-list 102 deny ip any any
So you denied everything.
Your ACL should be like this:
access-list 102 deny icmp any any echo-reply
access-list 102 permit ip any any
So you need to add the second line: permit ip any any
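To make the implicit deny and the echo versus echo-reply distinction from the replies above concrete, here is a small first-match ACL evaluator. It is an added example, not code from the thread or from Cisco IOS: it parses the three variants of access-list 102 discussed here (as posted, with permit ip any any appended, and the accepted deny echo form) and runs each against three constructed packets arriving inbound on fa0/0. The addresses are documentation-range assumptions, and the parser supports only the any/host address forms, the ICMP keywords echo and echo-reply, and eq port qualifiers.

```python
"""First-match evaluator for a subset of Cisco-style extended ACLs.

Added example for the thread above; not from the forum or from IOS.
Models only what the discussion needs: protocol, 'any'/'host' addresses,
ICMP message type, TCP/UDP destination port, and the implicit
'deny ip any any' that ends every IOS access list.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# IOS keyword -> ICMP type number, for the two keywords used in the thread
ICMP_TYPES = {"echo": 8, "echo-reply": 0}
TCP_PORT_NAMES = {"telnet": 23, "ssh": 22}


@dataclass(frozen=True)
class Packet:
    proto: str                       # "icmp", "tcp" or "udp"
    src: str
    dst: str
    icmp_type: Optional[int] = None  # ICMP only
    dport: Optional[int] = None      # TCP/UDP only


@dataclass(frozen=True)
class Ace:
    """One access-control entry, already parsed."""
    action: str                      # "permit" or "deny"
    proto: str                       # "ip", "icmp", "tcp" or "udp"
    src: str                         # "any" or a host address
    dst: str
    icmp_type: Optional[int] = None
    dport: Optional[int] = None
    text: str = ""                   # original line, kept for reporting


def _addr(tokens: List[str], i: int) -> Tuple[str, int]:
    """Consume 'any' or 'host A.B.C.D' starting at tokens[i]."""
    if tokens[i] == "any":
        return "any", i + 1
    if tokens[i] == "host":
        return tokens[i + 1], i + 2
    raise ValueError(f"unsupported address form: {tokens[i]}")


def parse_ace(line: str) -> Ace:
    """Parse 'access-list N <action> <proto> <src> <dst> [qualifier]' or the
    named-ACL form '<action> <proto> <src> <dst> [qualifier]'."""
    tokens = line.strip().rstrip(".").split()   # tolerate a stray trailing '.'
    if tokens[0] == "access-list":
        tokens = tokens[2:]                      # drop 'access-list <number>'
    action, proto = tokens[0], tokens[1]
    src, i = _addr(tokens, 2)
    dst, i = _addr(tokens, i)
    icmp_type = dport = None
    rest = tokens[i:]
    if proto == "icmp" and rest:
        icmp_type = ICMP_TYPES[rest[0]]
    elif proto in ("tcp", "udp") and rest:
        if rest[0] != "eq":
            raise ValueError(f"unsupported port qualifier: {' '.join(rest)}")
        dport = TCP_PORT_NAMES.get(rest[1]) or int(rest[1])
    return Ace(action, proto, src, dst, icmp_type, dport, line.strip())


def matches(ace: Ace, pkt: Packet) -> bool:
    """'ip' matches every protocol; an unset qualifier matches any value."""
    if ace.proto != "ip" and ace.proto != pkt.proto:
        return False
    if ace.src != "any" and ace.src != pkt.src:
        return False
    if ace.dst != "any" and ace.dst != pkt.dst:
        return False
    if ace.icmp_type is not None and ace.icmp_type != pkt.icmp_type:
        return False
    if ace.dport is not None and ace.dport != pkt.dport:
        return False
    return True


def evaluate(acl: List[Ace], pkt: Packet) -> Tuple[str, str]:
    """First matching entry wins; anything unmatched hits the implicit deny."""
    for ace in acl:
        if matches(ace, pkt):
            return ace.action, ace.text
    return "deny", "implicit deny ip any any"


# Constructed addresses (documentation ranges, an assumption for the example).
OUTSIDE, ROUTER, INSIDE = "198.51.100.7", "203.0.113.1", "10.0.0.5"

# Packets as they arrive *inbound* on the WAN interface fa0/0.
INBOUND_WAN: Dict[str, Packet] = {
    "telnet from outside to router":    Packet("tcp", OUTSIDE, ROUTER, dport=23),
    "ping from outside to router":      Packet("icmp", OUTSIDE, ROUTER, icmp_type=8),
    "reply to a ping sent from inside": Packet("icmp", OUTSIDE, INSIDE, icmp_type=0),
}

AS_POSTED = ["access-list 102 deny icmp any any echo-reply."]
WITH_PERMIT = AS_POSTED + ["access-list 102 permit ip any any"]
ACCEPTED = ["access-list 102 deny icmp any any echo",
            "access-list 102 permit ip any any"]


def decisions(lines: List[str]) -> Dict[str, str]:
    """Return the permit/deny verdict for each constructed inbound packet."""
    acl = [parse_ace(line) for line in lines]
    return {name: evaluate(acl, pkt)[0] for name, pkt in INBOUND_WAN.items()}


if __name__ == "__main__":
    for label, lines in [("as posted", AS_POSTED),
                         ("plus permit ip any any", WITH_PERMIT),
                         ("accepted answer", ACCEPTED)]:
        print(label)
        acl = [parse_ace(line) for line in lines]
        for name, pkt in INBOUND_WAN.items():
            action, why = evaluate(acl, pkt)
            print(f"  {name:34s} -> {action:6s} ({why})")
```

Running it shows the three outcomes the thread walks through: the list as posted denies the telnet SYN (and everything else) through the implicit deny, which is why access was lost; adding permit ip any any restores telnet but lets outside echo-requests through, while still dropping the echo-replies to pings sent from inside; the accepted form drops inbound echo-requests and leaves both telnet and returning echo-replies alone.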
01-03-2010 02:24 AM
Hi
Thanks for reply
So if I add access-list 102 permit ip any any, then I will be able to access the router by telnet?
Correct me if I am wrong: that ACL will block only ping requests to my network and allow telnet to my router?
thanks
mahesh
01-03-2010 02:50 AM
Yes, but it will allow anything other than ICMP. If you're enforcing a strict management policy (which you should, management is critical) then your ACL should look something like this.
ip access-list extended MGMT
 permit tcp any any eq 23
line vty 0 4
 ! access-class (not access-group) is the command that applies an ACL to VTY lines
 access-class MGMT in
That is for the VTY line.
If you're slamming it on the interface (and you're not using CBAC etc.) you'll have to have the permit any any, sadly.
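The VTY-line restriction described in the reply above, written out as a complete configuration. This is an added example, not configuration from the thread: the interface ACL keeps the permit ip any any that is unavoidable without CBAC and only drops inbound echo-requests, while the MGMT list, applied with access-class (the VTY-line counterpart of access-group), limits telnet to a single management host. The host address 192.0.2.10 is a documentation-range assumption.

```cisco
! Added example, not from the thread. Assumption: the management station
! is 192.0.2.10 (documentation range); substitute your own.
!
! ACL used only on the VTY lines: telnet from the management host, nothing
! else. Denied attempts are logged so brute-force attempts show up.
ip access-list extended MGMT
 permit tcp host 192.0.2.10 any eq 23
 deny   tcp any any log
!
! Interface ACL on the WAN side: drop echo-requests arriving from outside,
! let everything else through so returning traffic and telnet still work.
ip access-list extended WAN-IN
 deny   icmp any any echo
 permit ip any any
!
interface FastEthernet0/0
 ip access-group WAN-IN in
!
line vty 0 4
 access-class MGMT in
 transport input telnet
!
! Verification: the match counters shown by these commands increment on the
! entry that matched each packet, so a blocked ping shows up on the deny
! line of WAN-IN and a stray telnet attempt on the deny line of MGMT.
! show access-lists WAN-IN
! show access-lists MGMT
```

Telnet is kept here because it is what the thread uses; on an image that supports it, the same MGMT list applied with access-class works unchanged for SSH after adding permit tcp host 192.0.2.10 any eq 22 and switching transport input to ssh.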
01-03-2010 05:05 AM
Hi Kent,
thanks for the reply.
So in order to have telnet access to the router and block incoming pings to the router, I can do the following on the WAN interface:
int fa0/0
ip access-group 102 in
access-list 102 deny icmp any any echo-reply
access-list 102 permit ip any any
thanks
mahesh
01-04-2010 03:52 PM
access-list 102 deny icmp any any echo-reply -- this line will deny the router from sending a reply, but it will not deny the incoming echo
access-list 102 permit ip any any
Use this to block incoming echo:
access-list 102 deny icmp any any echo
access-list 102 permit ip any any
Good luck.
If helpful, rate.
01-03-2010 04:10 AM
Hi,
Yes, it will permit telnet and block ICMP!!
Regards
Ganesh.H
01-04-2010 10:34 PM
One more comment: these ACLs apply to ALL ICMP echo-replies, not just those from the router.
So, if you apply:
int fa0/0
ip access-group 102 in
access-list 102 deny icmp any any echo-reply
access-list 102 permit ip any any
to the outside (WAN) interface, and you try to ping anything in the outside world, it will not reply.
If you apply:
int fa0/0
ip access-group 102 out
access-list 102 deny icmp any any echo-reply
access-list 102 permit ip any any
It will block you from pinging the router and any other devices on the inside network, because the reply will be blocked on the outbound interface.
For security like this (i.e. protecting the router or network from DDoS attacks), you should apply the ACL inbound, meaning block the echo-request, not the reply (like the last person said):
int fa0/0
ip access-group 102 in
access-list 102 deny icmp any any echo
access-list 102 permit ip any any
01-05-2010 02:55 AM
Hi Danry,
Thanks for the good explanation.
mahesh
01-05-2010 02:51 AM
Hi Eric
Thanks for the great reply. Now pings to my inside network are blocked.
mahesh