Block incoming ping (CISCO)
PROBLEM: I would like to block all incoming ping requests.
SOLUTION: Block incoming ICMP traffic using an access list.
[?] Why you should not block ICMP traffic!
https://neilalexander.eu/articles/2017/4/16/understanding-icmp
http://shouldiblockicmp.com/
//create a deny rule that drops all ICMP traffic (ping included)
//permit all other traffic (otherwise the ACL's implicit deny would drop it)
Router(config)# access-list 101 deny icmp any any
Router(config)# access-list 101 permit ip any any
//assign the rule to the interface
Router(config)# int FastEthernet 0/1
Router(config-if)# ip access-group 101 in
OUTPUT
Router# ping 172.16.0.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.0.2, timeout is 2 seconds:
UUUUU
Success rate is 0 percent (0/5)
Copy & Paste
conf t
access-list 101 deny icmp any any
access-list 101 permit ip any any
int FastEthernet 0/1
ip access-group 101 in
end
Source: https://community.cisco.com/t5/routing/block-icmp/td-p/2419132
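Added example (not from the original post or the Cisco thread): a narrower variant that drops only inbound ICMP echo requests, so other ICMP messages such as destination unreachable and time exceeded still pass, in line with the "why you should not block ICMP" links above. ACL number 102 is an assumption; the interface is the one used on this page.

```cisco
conf t
! Constructed example: ACL number 102 is an assumed free number
access-list 102 remark Drop inbound ping only (ICMP echo request)
access-list 102 deny icmp any any echo
! Everything else, including the remaining ICMP types, is permitted
! (without this line the implicit deny would drop all other traffic)
access-list 102 permit ip any any
int FastEthernet 0/1
 ! Only one inbound IP ACL applies per interface; this replaces 101 there
 ip access-group 102 in
end
! Check the per-entry match counters to confirm echo requests hit the deny line
show access-lists 102
```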