Cisco 827 not responding to PING requests

Discussion in 'Cisco' started by Dogg, Oct 25, 2003.

  1. Dogg

    Dogg Guest

    Hi Folks,

    Newbie issue... I do have a Cisco827 connected to an ADSL...
    everything is ok with my current configuration but I would like my
    router not to respond to PINGs coming from the WAN... (if possible all
    ICMP requests...)

    How can I do that???
     
    Dogg, Oct 25, 2003
    #1

  2. Neil

    Neil Guest

    Create an access-list denying icmp.
    It depends whether you want to deny ping responses from your equipment
    as well.

    eg.
    access-list 199 deny icmp any any
    access-list 199 permit ip any any

    Would deny all icmp, including unreachables, echo replies, echo requests
    etc.

    or if you just want to deny pings:

    access-list 199 deny icmp any any echo
    access-list 199 permit ip any any

    then apply it inbound to your wan port.

    Neil
     
    Neil, Oct 25, 2003
    #2

  3. access-list 120 deny icmp any any echo
    access-list 120 permit ip any any
    !
    interface FOO
     ip access-group 120 in
     no ip unreachables

    Not that I can see any reason to do so ...
     
    Jesper Skriver, Oct 25, 2003
    #3
  4. And break path MTU discovery - so a *VERY* bad idea ...
    The router would then generate ICMP admin prohibited, unless one
    also configures

    no ip unreach

    /Jesper
     
    Jesper Skriver, Oct 25, 2003
    #4
  5. Simon Gronow

    Simon Gronow Guest

    Hi,


    I like this, but I have one question


    I have a remote site which I wish to block all pings except for my class c.
    Ie. I want to ping the router for support reasons, but NOT the rest of the
    world.


    Any tips ?


    Thanks
     
    Simon Gronow, Oct 27, 2003
    #5
  6. Using 10 seconds to get into how ACLs work?

    Use this instead, replace x.x.x.0 with the network that is allowed to
    ping.

    access-list 120 permit icmp x.x.x.0 0.0.0.255 any
    access-list 120 deny icmp any any echo
    access-list 120 permit ip any any

    /Jesper
     
    Jesper Skriver, Oct 27, 2003
    #6
  7. Simon Gronow

    Simon Gronow Guest

    Ta
     
    Simon Gronow, Oct 27, 2003
    #7
  8. Simon Gronow

    Simon Gronow Guest

    So if I wanted to block say all traffic coming in, say SMTP or web, would
    I do the following?



    access-list 120 deny tcp any any
    access-list 120 permit tcp any any 25



    Thanks
     
    Simon Gronow, Oct 27, 2003
    #8
  9. No - please take my previous hint seriously, it's really not that
    difficult to read a bit about ACLs.

    They are evaluated one line at a time, and exit at first match,
    with an implicit deny any any at the end.

    So in the above example, you deny all TCP traffic, the next line
    has no effect, as it will never get there (was matched by the
    first line), and then all other traffic will be denied by the
    implicit deny any any.

    /Jesper
     
    Jesper Skriver, Oct 27, 2003
    #9
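    The first-match rule Jesper spells out in post #9, together with the wildcard-mask permit he gave in post #6, simulated in Python. This is an added example, not code from the thread or from Cisco: the `Packet`/`Ace` classes, the parser and the evaluator are constructed here, and the addresses are documentation ranges (192.0.2.0/24 stands in for the `x.x.x.0` network that is allowed to ping, 203.0.113.1 for the router). Simon's two lines from post #8 are written with the `eq 25` port match that IOS syntax requires, so that the simulator can show that the permit is never reached.

```python
"""Added example (not from the thread): a small simulator of Cisco IOS
extended-ACL evaluation.  Lines are tried top to bottom, evaluation stops
at the first match, and a packet matching no line hits the implicit
'deny ip any any' at the end."""
from dataclasses import dataclass
from typing import Optional, List, Tuple
import ipaddress


@dataclass(frozen=True)
class Packet:
    proto: str                        # 'tcp', 'udp' or 'icmp'
    src: str                          # source IPv4 address
    dst: str                          # destination IPv4 address
    dport: Optional[int] = None       # TCP/UDP destination port
    icmp_type: Optional[str] = None   # 'echo', 'echo-reply', ...


@dataclass(frozen=True)
class Ace:
    action: str                # 'permit' or 'deny'
    proto: str                 # 'ip' matches every protocol
    src: str                   # 'any' or 'address wildcard'
    dst: str
    qualifier: Optional[str]   # e.g. 'echo' for icmp, 'eq 25' for tcp/udp


def _take_addr(tokens: List[str]) -> Tuple[str, List[str]]:
    """Consume one address spec: 'any', 'host A', or 'A WILDCARD'."""
    if tokens[0] == 'any':
        return 'any', tokens[1:]
    if tokens[0] == 'host':
        return f'{tokens[1]} 0.0.0.0', tokens[2:]
    return f'{tokens[0]} {tokens[1]}', tokens[2:]


def parse_acl(text: str) -> List[Ace]:
    """Parse 'access-list N action proto src dst [qualifier]' lines."""
    acl = []
    for line in text.strip().splitlines():
        t = line.split()
        if not t or t[0] != 'access-list':
            continue
        src, rest = _take_addr(t[4:])
        dst, rest = _take_addr(rest)
        acl.append(Ace(t[2], t[3], src, dst, ' '.join(rest) or None))
    return acl


def _addr_match(spec: str, addr: str) -> bool:
    """Cisco wildcard masks: a 1 bit means 'don't care', a 0 bit must match."""
    if spec == 'any':
        return True
    base, wildcard = spec.split()
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(addr)) & care) == (int(ipaddress.IPv4Address(base)) & care)


def _qualifier_match(ace: Ace, pkt: Packet) -> bool:
    if ace.qualifier is None:
        return True
    if pkt.proto == 'icmp':
        return ace.qualifier == pkt.icmp_type
    op, port = ace.qualifier.split()
    return op == 'eq' and pkt.dport == int(port)


def evaluate(acl: List[Ace], pkt: Packet) -> Tuple[str, Optional[int]]:
    """Return (action, index of the matching line); index None means the
    packet fell through to the implicit deny at the end."""
    for i, ace in enumerate(acl):
        if ace.proto != 'ip' and ace.proto != pkt.proto:
            continue
        if not (_addr_match(ace.src, pkt.src) and _addr_match(ace.dst, pkt.dst)):
            continue
        if _qualifier_match(ace, pkt):
            return ace.action, i
    return 'deny', None


# Constructed sample ACLs.  192.0.2.0/24 stands in for the 'x.x.x.0' network
# Jesper allows to ping; the other addresses are documentation ranges.
JESPER_ACL = """
access-list 120 permit icmp 192.0.2.0 0.0.0.255 any
access-list 120 deny icmp any any echo
access-list 120 permit ip any any
"""

# Simon's ordering from post #8, written with the 'eq' IOS needs for a port.
SIMON_ACL = """
access-list 120 deny tcp any any
access-list 120 permit tcp any any eq 25
"""


def demo() -> dict:
    jesper, simon = parse_acl(JESPER_ACL), parse_acl(SIMON_ACL)
    router = '203.0.113.1'
    return {
        'ping from allowed net': evaluate(jesper, Packet('icmp', '192.0.2.7', router, icmp_type='echo')),
        'ping from elsewhere':   evaluate(jesper, Packet('icmp', '198.51.100.9', router, icmp_type='echo')),
        'web from elsewhere':    evaluate(jesper, Packet('tcp', '198.51.100.9', router, dport=80)),
        'smtp under simon acl':  evaluate(simon, Packet('tcp', '198.51.100.9', router, dport=25)),
        'ping under simon acl':  evaluate(simon, Packet('icmp', '198.51.100.9', router, icmp_type='echo')),
    }


if __name__ == '__main__':
    for name, (action, idx) in demo().items():
        where = f'line {idx + 1}' if idx is not None else 'implicit deny at end'
        print(f'{name:24s} -> {action:6s} ({where})')
```

    Running it shows the two points of the thread side by side: under Jesper's list a ping from 192.0.2.7 is permitted by line 1 while a ping from anywhere else is dropped by line 2 and ordinary traffic still passes on line 3; under Simon's list the SMTP packet is denied by line 1 before the permit on line 2 is ever consulted, and a ping falls through to the implicit deny.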
  10. Dogg

    Dogg Guest

    Jesper,

    I've tried what you suggested but my router is still responding to
    PINGs that are coming from the Internet...
    Please take a look at my current config where stars have replaced
    "sensitive" info :)

    What could be wrong in it...

    Current configuration:
    !
    version 12.1
    no service pad
    service timestamps debug uptime
    service timestamps log uptime
    service password-encryption
    !
    hostname *************
    !
    enable secret 5 *************
    enable password 7 *************
    !
    ip subnet-zero
    no ip finger
    ip name-server *************
    ip name-server *************
    ip dhcp excluded-address *************
    !
    ip dhcp pool client
     network *************
     default-router *************
     dns-server ************* *************
    !
    interface Ethernet0
     ip address ************* *************
     no ip directed-broadcast
     ip nat inside
     no cdp enable
    !
    interface ATM0
     no ip address
     no ip directed-broadcast
     ip nat outside
     no atm ilmi-keepalive
     pvc 8/35
      encapsulation aal5mux ppp dialer
      dialer pool-member 1
     !
     bundle-enable
     hold-queue 224 in
    !
    interface Dialer0
     ip address negotiated
     no ip directed-broadcast
     ip nat outside
     encapsulation ppp
     dialer pool 1
     dialer-group 1
     no cdp enable
     ppp chap hostname *************
     ppp chap password 7 *************
     ppp pap sent-username ************* password 7 *************
     ppp pap refuse
    !
    ip nat translation tcp-timeout never
    ip nat translation udp-timeout never
    ip nat translation finrst-timeout never
    ip nat translation syn-timeout never
    ip nat translation dns-timeout never
    ip nat translation icmp-timeout never
    ip nat inside source list 110 interface Dialer0 overload
    ip classless
    ip route 0.0.0.0 0.0.0.0 Dialer0
    no ip http server
    !
    access-list 2 permit ************* *************
    access-list 110 permit tcp any any
    access-list 110 permit udp any any
    access-list 110 permit icmp any any
    access-list 110 permit ip any any
    dialer-list 1 protocol ip list 110
    no cdp run
    !
    line con 0
     transport input none
     stopbits 1
    line vty 0 4
     access-class 2 in
     password 7 *************
     login
    !
    scheduler max-task-time 5000
    end
     
    Dogg, Oct 27, 2003
    #10
  11. You haven't included any of the configuration I suggested?

    access-list 199 deny icmp any any echo
    access-list 199 permit ip any any
    !
    int Dialer0
     ip access-group 199 in
     
    Jesper Skriver, Oct 27, 2003
    #11
  12. Dogg

    Dogg Guest

    Still not working...
    According to GRC.COM my router is still responding to PING requests...
     
    Dogg, Oct 27, 2003
    #12
  13. winnieh

    winnieh Guest

    Try also using

    access-list 199 deny icmp any any echo-reply
     
    winnieh, Nov 11, 2003
    #13