Solved

How exactly do I disable ping on a Cisco 1841?

Posted on 2007-11-29
Last Modified: 2013-11-29
I am a router newbie who has a Cisco 1841 providing a point-to-point T1 connection to my ISP.  The router in question is failing a security audit because it has ICMP allowed.  It looks to me like ICMP is being denied, but when I try to ping the router I get a response saying "Reply from x.x.x.x: TTL expired in transit."

The portion of my ACL that pertains to ICMP looks like this:

access-list 105 permit icmp any any packet-too-big
access-list 105 permit icmp any any source-quench
access-list 105 permit icmp any any time-exceeded
access-list 105 permit icmp any any echo-reply
access-list 105 deny   icmp any any

Does the 'permit icmp any any echo-reply' override the 'deny icmp any any'?  I haven't really delved into what the other icmp permits are doing, either.  

Thanks,
Scott
Question by:corptech

Accepted Solution

by:
Don Johnston earned 125 total points
ID: 20375611
Does the 'permit icmp any any echo-reply' override the 'deny icmp any any'?

No.

The TTL exceeded message is being allowed by the "permit icmp any any time-exceeded" line.

access-list 105 permit icmp any any packet-too-big
! allows the message that it's received a packet that it can't forward because it's too big
access-list 105 permit icmp any any source-quench
! allows the message to a host that the router can't keep up with the traffic it's receiving
access-list 105 permit icmp any any time-exceeded
! see above
access-list 105 permit icmp any any echo-reply
! allows replies to pings
access-list 105 deny   icmp any any
! stops any icmp messages

Here's a page that has details on ICMP messages.

http://www.softpanorama.org/Net/Internet_layer/icmp.shtml
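
Added example, not part of the original answer: a small Python model of top-down, first-match evaluation applied to the ICMP entries of access-list 105. It shows that echo requests (type 8) match only the final deny, while time-exceeded ("TTL expired in transit") messages are permitted by the third entry. The keyword table covers only the ICMP keywords needed here, and the function names are illustrative.

```python
# Added example: first-match evaluation of the ICMP lines of access-list 105.
# ICMP keyword -> (type, code); a code of None means "any code".
ICMP_KEYWORDS = {
    "echo-reply": (0, None),
    "packet-too-big": (3, 4),    # destination unreachable, fragmentation needed
    "source-quench": (4, None),
    "echo": (8, None),
    "time-exceeded": (11, None),
}

# The ACL lines exactly as posted in the question.
ACL_105 = """\
access-list 105 permit icmp any any packet-too-big
access-list 105 permit icmp any any source-quench
access-list 105 permit icmp any any time-exceeded
access-list 105 permit icmp any any echo-reply
access-list 105 deny   icmp any any
"""

def parse_acl(text):
    """Return [(action, (type, code) or None)] for 'icmp any any [keyword]' entries."""
    entries = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 6 or fields[0] != "access-list" or fields[3] != "icmp":
            continue  # this sketch handles only the ICMP entries shown above
        keyword = fields[6] if len(fields) > 6 else None
        entries.append((fields[2], ICMP_KEYWORDS[keyword] if keyword else None))
    return entries

def evaluate(entries, icmp_type, icmp_code=0):
    """First matching entry wins; return (action, 1-based entry number)."""
    for number, (action, match) in enumerate(entries, start=1):
        if match is None:                     # bare 'icmp any any' matches all ICMP
            return action, number
        m_type, m_code = match
        if icmp_type == m_type and m_code in (None, icmp_code):
            return action, number
    return "deny", None                       # implicit deny ends every ACL

if __name__ == "__main__":
    acl = parse_acl(ACL_105)
    samples = [("echo request", 8, 0), ("echo-reply", 0, 0),
               ("time-exceeded (TTL expired)", 11, 0),
               ("host unreachable", 3, 1), ("packet-too-big", 3, 4)]
    for name, icmp_type, icmp_code in samples:
        print(f"{name:30s} -> {evaluate(acl, icmp_type, icmp_code)}")
```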

Author Closing Comment

by:corptech
ID: 31411731
Perfect, donjohnston. Thanks a lot.