Stopping folk pinging me but allowing pinging out

[blobmeister]

I have a 2600 router and am trying to config it so that e0/0 (My Internet interface) cannot be pinged but that I can still ping out from inside the network to the internet. I have tried the following with the effect of stopping people being able to ping me(I think) but also stopping me from being able to ping out

xtended IP access list 101
deny icmp any any (256 matches)
permit tcp any any (14364 matches)
permit ip any any (767 matches)

xtended IP access list 102
deny icmp any any echo (56 matches)
permit tcp any any (11570 matches)
permit udp any any (381 matches)
deny icmp any any echo-reply

xtended IP access list 103
deny icmp any any echo-reply (7 matches)
permit tcp any any (2372 matches)
permit udp any any (77 matches)


Any ideas what I am doing wrong?

Thanks Folks

 

[svermill]

Are you applying the list in the correct direction? List 103 looks good at first glance if it were configured as an out list on the e0 interface. You could also be more specific and name your e0 ip address instead of 'any.' I would probably also add a 'permit ip any any' at the end unless you truly just want TCP and UDP (the broader IP statement would actually cover the TCP and UDP cases, so they could just be removed). It's also possible that you need a 'permit ICMP any any' after the first deny statement.

 

[gaveeve]

Pinging or ICMP goes out to what you want to ping and then comes back. So if you filter an interface to prevent ICMP from going in or out then the ping will be unsuccessful. You could use reflexive access lists. This will 'keep track' of whether a ping originates from inside or outside and then you filter based on that. But its complicated. Here is the link:

http://www.cisco.com/univercd/cc/td...2/122cgcr/fsecur_c/ftrafwl/scfreflx.htm#67880