ping from outside

Hi, could you please tell me which command in Cisco routers prevents them from being pinged from outside networks? And also, how can I prevent terminals inside a network from pinging outside IPs (group policies etc.?). Thanks.
ASKED: May 13, 2005  12:51 AM
UPDATED: May 17, 2005  12:06 PM

Answer Wiki


Really, it is not a command that you need. You need to create appropriate access lists. All access lists have an implicit deny at the end, which implies that anything not explicitly allowed is forbidden. For ping you have to deny ICMP protocol packets of type echo-request (8) that enter through your interfaces. This will forbid any ping from outside to inside and the other way around.

Discuss This Question: 3  Replies

 
  • Bolton
    access-list 101 deny icmp nay any echo. On both outside and inside interfaces, apply the following: ip access-group 101 in. That will stop echo requests outside from entering the local LAN and stop the local LAN from pinging out. You can make a separate access list for each interface and define a range if there are only certain terminals you want blocked. You may want to allow your station to ping to test line status. Traceroute uses pings and is a simple way to confirm whether the ISP is having issues.
  • Astronomer
    The second response gives you most of what you need. Remember to spell any correctly. With the implicit deny any any at the end of the access list, if you want to allow all other traffic you need to add something like this "access-list 101 permit ip any any" after denying the echo. While you are building this access list you may want to include other things that should be denied. Another thing to think about: if you are using this router as your primary firewall, we have just defined an allow-by-default access list. Secure firewalls almost always use deny-by-default rules. This way you know what you are allowing. I know this goes well beyond the question, but I have seen too many inadequately protected networks. rt
  • Ciscocat6k
    Also, what router are you using? New IOS feature sets have a basic FW built in and you can lock it down fairly easily with the available web GUI. Not the best in the world for FW but it does a good treat and works wonders better than an ACL - if you are not that familiar with ACLs. If you are using a 1700, 2600, 3600, 1800, 2800, 3800 series router you can get this IOS (with sufficient memory and flash) and use the features. It also has a quick simple VPN and more advanced VPN wizard in the GUI as well. Lots of nice new features that can be a large help to persons not fully versed in IOS CLI commands. Hope this helps. Cisco_cat_6k - CCDP
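
The access lists discussed in the replies above, written out as an IOS configuration with one list per interface. This is an added example, not a configuration posted by anyone in the thread; the interface names (FastEthernet0/0 as the outside link, FastEthernet0/1 as the LAN), the second list number 102 and the admin station address 192.168.1.10 are assumptions.

```cisco
! Added example. Interface names and addresses are assumed, adjust to your router.
!
! ACL 101: applied inbound on the outside interface.
! Drops ICMP echo-request (type 8) arriving from outside, then permits
! everything else so the implicit deny at the end does not block all traffic.
access-list 101 remark Outside-in: block pings from outside networks
access-list 101 deny   icmp any any echo
access-list 101 permit ip any any
!
! ACL 102: applied inbound on the inside (LAN) interface.
! Entries are matched top-down and the first match wins, so the permit for
! the admin station must come before the general echo deny.
access-list 102 remark Inside-out: only the admin station may ping out
access-list 102 permit icmp host 192.168.1.10 any echo
access-list 102 deny   icmp any any echo
access-list 102 permit ip any any
!
! Bind each list to its interface with ip access-group.
interface FastEthernet0/0
 description Outside link (assumed name)
 ip access-group 101 in
!
interface FastEthernet0/1
 description Inside LAN (assumed name)
 ip access-group 102 in
```

Echo replies to the admin station come back in through ACL 101 because only type 8 is denied there. The per-entry match counters in the output of show access-lists confirm whether the echo denies are being hit.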