How to block ICMP port 512 via ACL?

Is it possible to block Protocal ICMP port 512 with an ACL? If not, how can it be blocked?

Partial ACL listed below, it is applied at the public INT (66.x.66.x) Inbound

R3Gateway#show ip access-lists complete_bogon_v2_5b
Extended IP access list complete_bogon_v2_5b
deny ip any (240 matches)
deny ip any
permit tcp any any established (142025 matches)
permit udp any eq ntp any (6477 matches)
permit udp any eq domain host 66.x.66.x (2206 matches)
permit udp any host 66.x.66.x eq domain (154 matches)
permit tcp any host 66.x.66.x eq domain (98 matches)
permit tcp any host 66.x.66.x eq www (40 matches)
deny ip any any log-input (4002 matches)

When I do a Show IP NAT translations I get the following output

Pro Inside global      Inside local       Outside local      Outside global
icmp 66.x.66.x:512   172.x.13.x:512
icmp 66.x.66.x:512   172.x.13.x:512

I would like to block this, but I do not see, or know a way for a specific ICMP port 512.

Is it possible to know if this traffic was initiated from indoe going out, or from outside coming in?


Who is Participating?

[Webinar] Streamline your web hosting managementRegister Today

lrmooreConnect With a Mentor Commented:
The traffic has to be initiated from the inside.
You can block that this way:
   access-list 109 deny icmp any any
   access-list 109 permit ip any any
   interface fast 0/0
     ip access-group 109 in

orbixAuthor Commented:
I have made those changes, thanks. With regard to appling the ACL IN or OUT. How do you determin what way to apply the ACL?

Is "IN" considered any traffic entering the int from either side, ISP --> Int FA 0/0 <-- Int E 3/2
Apply this "in" on the interface closest to the users.
If users are conected to E 3/2 and FA 0/0 is connection to the ISP, then apply it "in" on the E 3/2 interface.
All Courses

From novice to tech pro — start learning today.