Block incoming ping (CISCO)

08/11/2018 FN Comments 0 Comment

PROBLEM: I would like to block all incoming ping requests.
SOLUTION: Block incoming ICMP traffic using access-list.

[?] Why you should not block ICMP traffic!
https://neilalexander.eu/articles/2017/4/16/understanding-icmp
http://shouldiblockicmp.com/

//create deny rule to drop all ICMP requests
//enable other traffic (bcs of implicit deny by ACL)

Router(config)# access-list 101 deny icmp any any
Router(config)# access-list 101 permit ip any any

1 2	Router(config)# access-list 101 deny icmp any any Router(config)# access-list 101 permit ip any any

//assign the rule to the interface

Router(config)# int FastEthernet 0/1 
Router(config-if)# ip access-group 101 in

1 2	Router(config)# int FastEthernet 0/1 Router(config-if)# ip access-group 101 in

OUTPUT

Router# ping 172.16.0.2

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.0.2, timeout is 2 seconds:
UUUUU
Success rate is 0 percent (0/5)

Router# ping 172.16.0.2

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 172.16.0.2, timeout is 2 seconds:

UUUUU

Success rate is 0 percent (0/5)

Copy & Paste

conf t
access-list 101 deny icmp any any
access-list 101 permit ip any any
int FastEthernet 0/1 
ip access-group 101 in 
end

conf t

access-list 101 deny icmp any any

access-list 101 permit ip any any

int FastEthernet 0/1

ip access-group 101 in

end

Source: https://community.cisco.com/t5/routing/block-icmp/td-p/2419132