Thursday, December 09, 2004

Q: How do I filter PINGs or ICMP using an access-list?

A:
To filter pings, create an extended IP access list and apply it to an interface with the ip access-group command. I usually apply these lists to each interface in the inbound direction. Remember that every IOS access list ends with an implicit deny, so the final permit ip any any is what lets all other traffic through. Note also that denying echo-reply inbound drops the replies to pings that hosts behind that interface send out, not only pings aimed at them. To filter only pings (ICMP echo and echo-reply), use the following; the list name and the interface are placeholders:
ip access-list extended NO-PING
 deny icmp any any echo
 deny icmp any any echo-reply
 permit ip any any
interface FastEthernet0/0
 ip access-group NO-PING in
Most people prefer to filter out all ICMP traffic. However, there are three ICMP message types that should not be filtered: destination unreachable (type 3), source quench (type 4), and time exceeded (type 11). Destination unreachable includes the fragmentation-needed message (type 3, code 4) that path MTU discovery depends on, and time exceeded is what traceroute relies on, so blocking them breaks real traffic rather than just pings. In IOS the keyword unreachable matches every destination-unreachable code; host-unreachable matches only code 1 and would still drop fragmentation-needed, so use unreachable here. (Source quench has since been deprecated by RFC 6633 and is ignored by modern hosts, so permitting it is harmless but no longer useful.) The extended IP access list that filters everything but these looks like this:
ip access-list extended ICMP-LIMIT
 permit icmp any any source-quench
 permit icmp any any unreachable
 permit icmp any any time-exceeded
 deny icmp any any
 permit ip any any
interface FastEthernet0/0
 ip access-group ICMP-LIMIT in
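To see what each of the two lists above actually lets through, here is an added example of my own (not code from the original post, and not Cisco IOS): a small Python first-match evaluator for the ICMP entries of an extended ACL. It models only "any any" entries and the ICMP keywords used on this page, runs both lists against a constructed set of sample packets, and goes one step beyond the text by comparing a host-unreachable version of the ICMP list with an unreachable version so the path-MTU-discovery difference is visible. The list names NO_PING, ICMP_NARROW and ICMP_WIDE and the sample packets are my own assumptions.

```python
"""Toy first-match evaluator for the ICMP entries of a Cisco IOS extended ACL.

Added example, not IOS and not from the original post.  It only models
'any any' entries; the point is to show which ICMP messages each list passes.
"""
from dataclasses import dataclass
from typing import List, Optional

# Cisco IOS ICMP keywords -> (type, code).  code None means "any code of that type".
ICMP_KEYWORDS = {
    "echo": (8, None),
    "echo-reply": (0, None),
    "unreachable": (3, None),       # every destination-unreachable code
    "host-unreachable": (3, 1),     # only code 1
    "packet-too-big": (3, 4),       # fragmentation needed, used by PMTU discovery
    "source-quench": (4, None),
    "time-exceeded": (11, None),
}


@dataclass
class Entry:
    action: str                     # "permit" or "deny"
    proto: str                      # "ip" or "icmp"
    icmp_type: Optional[int] = None
    icmp_code: Optional[int] = None


def parse_acl(text: str) -> List[Entry]:
    """Parse lines such as 'deny icmp any any echo' or 'permit icmp any any 3 4'."""
    entries = []
    for raw in text.splitlines():
        fields = raw.split()
        if not fields or fields[0] == "!":
            continue                                  # blank line or IOS comment
        action, proto = fields[0], fields[1]
        if action not in ("permit", "deny") or proto not in ("ip", "icmp"):
            raise ValueError(f"unsupported entry: {raw!r}")
        if fields[2:4] != ["any", "any"]:
            raise ValueError(f"this toy only models 'any any': {raw!r}")
        itype = icode = None
        if proto == "icmp" and len(fields) > 4:
            if fields[4] in ICMP_KEYWORDS:
                itype, icode = ICMP_KEYWORDS[fields[4]]
            else:                                     # numeric form: type [code]
                itype = int(fields[4])
                icode = int(fields[5]) if len(fields) > 5 else None
        entries.append(Entry(action, proto, itype, icode))
    return entries


def evaluate(acl: List[Entry], proto: str, icmp_type: Optional[int] = None,
             icmp_code: int = 0) -> str:
    """Return 'permit' or 'deny' for one packet; the first matching entry wins."""
    for e in acl:
        if e.proto == "icmp":
            if proto != "icmp":
                continue
            if e.icmp_type is not None and e.icmp_type != icmp_type:
                continue
            if e.icmp_code is not None and e.icmp_code != icmp_code:
                continue
        # an 'ip' entry matches every IP packet, whatever the protocol
        return e.action
    return "deny"                                     # implicit deny at the end of every IOS ACL


# The two lists from the post (assumed names), plus a variant using 'unreachable'.
NO_PING = parse_acl("""
deny icmp any any echo
deny icmp any any echo-reply
permit ip any any
""")

ICMP_NARROW = parse_acl("""
permit icmp any any source-quench
permit icmp any any host-unreachable
permit icmp any any time-exceeded
deny icmp any any
permit ip any any
""")

ICMP_WIDE = parse_acl("""
permit icmp any any source-quench
permit icmp any any unreachable
permit icmp any any time-exceeded
deny icmp any any
permit ip any any
""")

# Constructed sample traffic: (label, protocol, ICMP type, ICMP code).
SAMPLE_PACKETS = [
    ("echo request", "icmp", 8, 0),
    ("echo reply", "icmp", 0, 0),
    ("host unreachable", "icmp", 3, 1),
    ("fragmentation needed (PMTUD)", "icmp", 3, 4),
    ("time exceeded in transit", "icmp", 11, 0),
    ("redirect", "icmp", 5, 1),
    ("TCP segment", "tcp", None, 0),
]


def verdicts(acl: List[Entry]) -> dict:
    """Map each sample packet's label to the list's verdict for it."""
    return {label: evaluate(acl, proto, t, c) for label, proto, t, c in SAMPLE_PACKETS}


if __name__ == "__main__":
    for name, acl in (("NO_PING", NO_PING), ("ICMP_NARROW", ICMP_NARROW), ("ICMP_WIDE", ICMP_WIDE)):
        print(name)
        for label, verdict in verdicts(acl).items():
            print(f"  {verdict:6}  {label}")
```

Running it shows NO_PING denying only echo and echo-reply, and ICMP_NARROW denying the fragmentation-needed message that ICMP_WIDE permits, which is why the second list should use the unreachable keyword rather than host-unreachable.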