Deny ICMP or Ping Using Extended Access List

In this ACL we are going to block a network 


An extended ACL is always placed close to the source, whereas a standard ACL is always placed close to the destination.
In this ACL we are going to stop pings from a PC to one network, while the same PC can still ping PCs in other networks.

Ping Block ACL or Deny ICMP using an Extended Numbered Access-Control-List

In the diagram above we stop pings from 192.168.1.2 to 20.0.0.2, while 192.168.1.2 can still ping 192.168.3.2 and 192.168.3.3.
The configuration is as follows:
Router0#sh ip int br
Interface IP-Address OK? Method Status Protocol
FastEthernet0/0 192.168.1.1 YES manual up up
FastEthernet1/0 10.0.0.1 YES manual up up
FastEthernet1/1 unassigned YES unset administratively down down
Router0#sh ip route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
* - candidate default, U - per-user static route, o - ODR
P - Periodic downloaded static route

Gateway of last resort is not set

C 10.0.0.0/8 is directly connected, FastEthernet1/0
20.0.0.0/24 is subnetted, 1 subnets
D 20.0.0.0 [90/30720] via 10.0.0.2, 01:18:29, FastEthernet1/0
C 192.168.1.0/24 is directly connected, FastEthernet0/0
D 192.168.2.0/24 [90/30720] via 10.0.0.2, 01:18:29, FastEthernet1/0
D 192.168.3.0/24 [90/33280] via 10.0.0.2, 01:17:56, FastEthernet1/0

Router1#sh ip int br
Interface IP-Address OK? Method Status Protocol
FastEthernet0/0 192.168.2.1 YES manual up up
FastEthernet1/0 10.0.0.2 YES manual up up
FastEthernet1/1 20.0.0.1 YES manual up up
Router1#sh ip route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
* - candidate default, U - per-user static route, o - ODR
P - Periodic downloaded static route

Gateway of last resort is not set

C 10.0.0.0/8 is directly connected, FastEthernet1/0
C 20.0.0.0/8 is directly connected, FastEthernet1/1
D 192.168.1.0/24 [90/30720] via 10.0.0.1, 01:19:23, FastEthernet1/0
C 192.168.2.0/24 is directly connected, FastEthernet0/0
D 192.168.3.0/24 [90/30720] via 20.0.0.2, 01:18:49, FastEthernet1/1
Router2#sh ip int br
Interface IP-Address OK? Method Status Protocol
FastEthernet0/0 192.168.3.1 YES manual up up
FastEthernet1/0 20.0.0.2 YES manual up up
FastEthernet1/1 unassigned YES unset administratively down down
Router2#sh ip route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
* - candidate default, U - per-user static route, o - ODR
P - Periodic downloaded static route

Gateway of last resort is not set

D 10.0.0.0/8 [90/30720] via 20.0.0.1, 01:40:27, FastEthernet1/0
C 20.0.0.0/8 is directly connected, FastEthernet1/0
D 192.168.1.0/24 [90/33280] via 20.0.0.1, 01:40:27, FastEthernet1/0
D 192.168.2.0/24 [90/30720] via 20.0.0.1, 01:40:27, FastEthernet1/0
C 192.168.3.0/24 is directly connected, FastEthernet0/0

To configure an ACL on a Cisco IOS device, we use the following steps:

1. Define the ACL using a name or a number. Named ACLs are easier to edit. The command to configure a named ACL is ip access-list [extended|standard].

2. Configure the ACL entries using the basic syntax: [permit|deny] <protocol> <source network> <source wildcard mask> <destination network> <destination wildcard mask> <options>

3. Apply the ACL to an interface with the command ip access-group <ACL name> [in|out].

An extended ACL is always applied close to the source; that is why we are implementing it on Router0.

access-list 101 deny icmp 192.168.1.0 0.0.0.255 host 20.0.0.2
access-list 101 permit ip any any
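The page shows the two access-list entries but not step 3, applying them to an interface. The following is an added configuration example, not from the original post; it assumes the ACL is applied inbound on Router0's FastEthernet0/0 (the interface holding 192.168.1.1 in the show ip int br output above), which is the source-side placement the text calls for and is consistent with Test 1's "Destination host unreachable" replies coming from 192.168.1.1.

```cisco
Router0# configure terminal
Router0(config)# access-list 101 remark Block ICMP from 192.168.1.0/24 to host 20.0.0.2
Router0(config)# access-list 101 deny icmp 192.168.1.0 0.0.0.255 host 20.0.0.2
Router0(config)# access-list 101 permit ip any any
! Assumption: Fa0/0 is the interface facing the 192.168.1.0/24 LAN,
! so the ACL is applied inbound there, as close to the source as possible.
Router0(config)# interface FastEthernet0/0
Router0(config-if)# ip access-group 101 in
Router0(config-if)# end
```

Without the final permit ip any any entry the implicit deny at the end of the list would drop every other packet entering Fa0/0, including the pings to 192.168.3.0/24 that Test 2 expects to succeed.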

Verifying ACLs

To view the ACL, use the show ip access-lists command:

Router0#sh ip access-lists
Extended IP access list 101
10 deny icmp 192.168.1.0 0.0.0.255 host 20.0.0.2 (16 match(es))
20 permit ip any any (12 match(es))


Testing ACLs

Test 1: ping from 192.168.1.2 to 20.0.0.2

C:\>ping 20.0.0.2

Pinging 20.0.0.2 with 32 bytes of data:

Reply from 192.168.1.1: Destination host unreachable.
Reply from 192.168.1.1: Destination host unreachable.
Reply from 192.168.1.1: Destination host unreachable.
Reply from 192.168.1.1: Destination host unreachable.

The ping from 192.168.1.2 to 20.0.0.2 fails.

Test 2: ping from 192.168.1.2 to 192.168.3.1
C:\>ping 192.168.3.1

Pinging 192.168.3.1 with 32 bytes of data:

Reply from 192.168.3.1: bytes=32 time=14ms TTL=253
Reply from 192.168.3.1: bytes=32 time<1ms TTL=253
Reply from 192.168.3.1: bytes=32 time<1ms TTL=253
Reply from 192.168.3.1: bytes=32 time<1ms TTL=253

Ping statistics for 192.168.3.1:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 14ms, Average = 3ms

The ACL works as intended.
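To make the first-match and wildcard-mask semantics behind the two tests concrete, here is an added Python model (not from the original post, and not a Cisco tool) that parses the page's two access-list lines and evaluates flows against them. It also covers cases the page does not test: a TCP flow to 20.0.0.2, which is permitted because only icmp is denied, and what happens when the permit ip any any line is missing.

```python
import ipaddress

# The two access-list entries configured on Router0 (copied from the page).
ACL_TEXT = """
access-list 101 deny icmp 192.168.1.0 0.0.0.255 host 20.0.0.2
access-list 101 permit ip any any
"""

def _ip(s):
    return int(ipaddress.IPv4Address(s))

def parse_addr(tokens):
    """Consume one IOS address spec (any | host A.B.C.D | A.B.C.D WILDCARD).
    Returns (address, wildcard, remaining tokens); wildcard 1-bits mean 'don't care'."""
    if tokens[0] == "any":
        return 0, 0xFFFFFFFF, tokens[1:]
    if tokens[0] == "host":
        return _ip(tokens[1]), 0, tokens[2:]
    return _ip(tokens[0]), _ip(tokens[1]), tokens[2:]

def parse_acl(text):
    """Parse 'access-list <num> <permit|deny> <proto> <src> <dst>' lines, keeping order."""
    rules = []
    for line in text.strip().splitlines():
        t = line.split()
        if len(t) < 6 or t[0] != "access-list" or t[2] not in ("permit", "deny"):
            continue  # skips remarks and anything that is not an ACE
        action, proto = t[2], t[3]
        src, src_wc, rest = parse_addr(t[4:])
        dst, dst_wc, _ = parse_addr(rest)
        rules.append((action, proto, src, src_wc, dst, dst_wc))
    return rules

def matches(addr, network, wildcard):
    """Only the address bits where the wildcard is 0 have to agree."""
    care = 0xFFFFFFFF ^ wildcard
    return (_ip(addr) & care) == (network & care)

def evaluate(rules, proto, src, dst):
    """Top-down first match, returning (action, seq) with IOS-style sequence
    numbers 10, 20, ...; falls through to the implicit deny at the end of every ACL."""
    for seq, (action, r_proto, net_s, wc_s, net_d, wc_d) in enumerate(rules, 1):
        if r_proto != "ip" and r_proto != proto:
            continue
        if matches(src, net_s, wc_s) and matches(dst, net_d, wc_d):
            return action, seq * 10
    return "deny", None

if __name__ == "__main__":
    rules = parse_acl(ACL_TEXT)
    print(evaluate(rules, "icmp", "192.168.1.2", "20.0.0.2"))         # ('deny', 10)   Test 1
    print(evaluate(rules, "icmp", "192.168.1.2", "192.168.3.1"))      # ('permit', 20) Test 2
    print(evaluate(rules, "tcp", "192.168.1.2", "20.0.0.2"))          # ('permit', 20) only ICMP is denied
    print(evaluate(rules[:1], "icmp", "192.168.1.2", "192.168.3.1"))  # ('deny', None) without permit ip any any
```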
