ping from outside

Hi, could you please tell me which command in Cisco routers prevents them from being pinged from outside networks? Also, how can I prevent terminals inside a network from pinging outside IPs (group policies etc.)? Thanks.

Answer Wiki

Really, it is not a command that you need. You need to create appropriate access lists. All access lists have an implicit deny at the end, which implies that anything not explicitly allowed is forbidden. For ping, you have to deny ICMP protocol packets of type echo-request (8) that enter through your interfaces. This will forbid any ping from outside to inside and the other way around.

Discuss This Question: 3 Replies

  • Bolton
    access-list 101 deny icmp nay any echo. On both outside and inside interfaces, apply the following: ip access-group 101 in. That will stop echo requests outside from entering the local LAN and stop the local LAN from pinging out. You can make a separate access list for each interface and define a range if there are only certain terminals you want blocked. You may want to allow your station to ping to test line status. Traceroute uses pings and is a simple way to confirm whether the ISP is having issues.
  • Astronomer
    The second response gives you most of what you need. Remember to spell any correctly. With the implicit deny any any at the end of the access list, if you want to allow all other traffic you need to add something like this "access-list 101 permit ip any any" after denying the echo. While you are building this access list you may want to include other things that should be denied. Another thing to think about: if you are using this router as your primary firewall, we have just defined an allow-by-default access list. Secure firewalls almost always use deny-by-default rules. This way you know what you are allowing. I know this goes well beyond the question, but I have seen too many inadequately protected networks. rt
  • Ciscocat6k
    Also, what router are you using? New IOS feature sets have a basic FW built in, and you can lock it down fairly easily with the available web GUI. Not the best in the world for FW, but it does a good treat and works wonders better than an ACL - if you are not that familiar with ACLs. If you are using a 1700, 2600, 3600, 1800, 2800, 3800 series router you can get this IOS (with sufficient memory and flash) and use the features. It also has a quick simple VPN and a more advanced VPN wizard in the GUI as well. Lots of nice new features that can be a large help to persons not fully versed in IOS CLI commands. Hope this helps. Cisco_cat_6k - CCDP
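Added example, not part of the original thread: one way to write the access lists discussed above as a complete IOS configuration, with a separate list per interface so that a single admin station can still ping out. The interface names, the admin station address and the 192.0.2.0/24 LAN range (a documentation range) are assumptions; as noted in the replies, this is still an allow-by-default policy.

```cisco
! Added example. Interface names and 192.0.2.0/24 (documentation range)
! are assumptions; substitute your own.
!
! ACL 101: applied inbound on the outside interface.
! Drops ICMP echo requests (type 8) arriving from outside. Echo replies
! to pings that originated inside still match the final permit.
access-list 101 remark Drop inbound ping, permit the rest
access-list 101 deny   icmp any any echo
access-list 101 permit ip any any
!
! ACL 102: applied inbound on the inside interface.
! First match wins, so the admin station is permitted before the
! LAN-wide deny. Without the last line the implicit deny would drop
! all other traffic from the LAN.
access-list 102 remark Only the admin station may ping out
access-list 102 permit icmp host 192.0.2.10 any echo
access-list 102 deny   icmp 192.0.2.0 0.0.0.255 any echo
access-list 102 permit ip any any
!
interface GigabitEthernet0/0
 description OUTSIDE (assumed name)
 ip access-group 101 in
!
interface GigabitEthernet0/1
 description INSIDE (assumed name)
 ip access-group 102 in
```

After applying it, `show access-lists` lists each entry with its match counter, which confirms whether the deny lines are actually being hit.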
