Cisco 827 not responding to PING requests

Hi Folks,

Newbie issue... I do have a Cisco827 connected to an ADSL...
everything is ok with my current configuration but I would like my
router not to respond to PINGs coming from the WAN... (if possible all
ICMP requests...)

How can I do that???

 

Create an access-list denying icmp.
It depends whether you want to deny ping responses from your equipment
aswell.

eg.
access-list 199 deny icmp any any
access-list 199 permit ip any any

Would deny all icmp, including unreachables. echo replies, echo requests
etc.

or if you just want to deny pings:

access-list 199 deny icmp any any eq echo
access-list 199 permit ip any any

then apply it inbound to your wan port.

Neil

 

access-list 120 deny icmp any any echo
access-list 120 permit ip any any
!
interface FOO
ip access-group 120 in
no ip unreachables

Not that I can see any reason to do so ...

 

And break path MTU discovery - so a *VERY* bad idea ...

The router would then generate ICMP admin prohibited, unless one
also configure

no ip unreach

/Jesper

 

Hi,


I like this, but I have one question


I have a remote site which I wish to block all pings except for my class c.
Ie. I want to ping the router for support reasons, but NOT the rest of the
world.


Any tips ?


Thanks

 

Using 10 seconds to get into how ACL's work ?

Use this instead, replace x.x.x.0 with the network that is allowed to
ping.

access-list 120 permit icmp x.x.x.0 0.0.0.255 any
access-list 120 deny icmp any any echo
access-list 120 permit ip any any

/Jesper

 

Ta

 

So If I wanted to block say all traffic coming in etc say SMTP or web would
I do the following



access-list 120 deny tcp any any
access-list 120 permit tcp any any 25



Thanks

 

No - please take my previous hint seriously, it's really not that
difficult to read a bit about ACL's.

They are evaluated one line at a time, and exist at first match,
with a implicit deny any any at the end.

so in the above example, you deny all TCP traffic, the next line
have no effect, as it will never get here (was matched by the
first line), and then all other traffic will be denied by the
implicit deny any any.

/Jesper

 

Jesper,

I've tried what you suggested but my router is still reponding to
PINGs that are coming from the Internet...
Please take a look at my current config where stars have replaced
"sensitive" info

What could be wrong in it...

Current configuration:
!
version 12.1
no service pad
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname *************
!
enable secret 5 *************
enable password 7 *************
!
!
!
!
!
ip subnet-zero
no ip finger
ip name-server *************
ip name-server *************
ip dhcp excluded-address *************
!
ip dhcp pool client
network *************
default-router *************
dns-server ************* *************
!
!
!
!
interface Ethernet0
ip address ************* *************
no ip directed-broadcast
ip nat inside
no cdp enable
!
interface ATM0
no ip address
no ip directed-broadcast
ip nat outside
no atm ilmi-keepalive
pvc 8/35
encapsulation aal5mux ppp dialer
dialer pool-member 1
!
bundle-enable
hold-queue 224 in
!
interface Dialer0
ip address negotiated
no ip directed-broadcast
ip nat outside
encapsulation ppp
dialer pool 1
dialer-group 1
no cdp enable
ppp chap hostname *************
ppp chap password 7 *************
ppp pap sent-username ************* password 7 *************
ppp pap refuse
!
ip nat translation tcp-timeout never
ip nat translation udp-timeout never
ip nat translation finrst-timeout never
ip nat translation syn-timeout never
ip nat translation dns-timeout never
ip nat translation icmp-timeout never
ip nat inside source list 110 interface Dialer0 overload
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer0
no ip http server
!
access-list 2 permit ************* *************
access-list 110 permit tcp any any
access-list 110 permit udp any any
access-list 110 permit icmp any any
access-list 110 permit ip any any
dialer-list 1 protocol ip list 110
no cdp run
!
line con 0
transport input none
stopbits 1
line vty 0 4
access-class 2 in
password 7 *************
login
!
scheduler max-task-time 5000
end

 

You havn't included any of the configuration I suggested ?

access-list 199 deny icmp any any eq echo
access-list 199 permit ip any any
!
int Dialer0
ip access-group 199 in

 

Still not working...
According to GRC.COM my router is still responding to PING requests...

 

Try also using

access-list 199 deny icmp any any eq echo-reply