cisco logo

How to guide to stop and deny icmp ping replies on the outside dialer interface on a Cisco router using access lists.

Deny ICMP Ping on Outside Dialer Interface for a Cisco Router

I am a firm believer of “if you don’t need it, turn it off”, icmp ping is no exception. Doing such reduces the surface area of attack, as most port scanners initially ping the target to see if there is a replying host at the other end. I configured my Cisco router to deny icmp on the “Dialer0” interface, you might need to tweak this to suit your access lists and WAN interface.

Leaving this feature on does give you extra troubleshooting abilities should you need it, don’t disable it if you do use the ping against your router to see if its up.

  • Shell on to the router or connect using a console cable.

Run all commands without the “#”

  1. #en
  2. #configure terminal
  3. #access-list 101 deny icmp any any echo
  4. #access-list 101 permit ip any any
  5. #interface dialer0
  6. #ip access-group 101 in
  7. #exit
  8. #exit

Now test to see whether an icmp packet is turned when pinging from a different internet connection.

Ping

Should you be happy with the configuration, simply run the following commands:

  1. #en
  2. #configure terminal
  3. #copy running-config startup-config
  4. #exit

If you want to revert to previous config you can either reload the router to clean the changes or reverse the changes manually:

To revert to previous configuration past this point.

To reverse the changes, simply remove “ip access-group 101 in” from the dialer interface by running the following commands:

  1. #en
  2. #configure terminal
  3. #interface dialer0
  4. #no ip access-group 101 in
  5. #exit
  6. #exit

To clean up the unused access lists:

  1. #en
  2. #configure terminal
  3. #no access-list 101 deny icmp any any echo
  4. #access-list 101 permit ip any any
  5. #exit

If you have any questions or suggestions, please feel free to comment in the comments below.

Leave a Reply

Your email address will not be published. Required fields are marked *

Time limit is exhausted. Please reload CAPTCHA.