Yep, Brian is right.  TCP and UDP echo are not the same as an ICMP echo
request and echo reply.  In Cisco terminology they are called small
servers and I really don't know what they're used for, except perhaps
some troubleshooting.  They seem to be pretty useless and it's a good
idea to turn them off.

no service tcp-small-servers
no service udp-small-servers

Anyway, as your list is currently constructed, this traffic is what
you're blocking, not ICMP.

HTH,
John

>>> "Brian Whalen"  8/29/01 4:45:42 PM >>>
think u wanna replace tcp with icmp to block pings..

Brian "Sonic" Whalen
Success = Preparation + Opportunity


On Wed, 29 Aug 2001, Mr. Magoo wrote:

> Hi List!
>
> I would like to know how I can block ICMP echoes (Ping & Trace) for a
> specific interface, allowing everything else. I tried the ACL below but it
> didn't work. What am I doing wrong??
>
> Router-R2#sh run
>
> access-list 101 deny   tcp any any eq echo
> access-list 101 deny   udp any any eq echo
> access-list 101 permit ip any any
>
> interface Ethernet0
>  ip address 192.168.0.101 255.255.255.0
>  ip access-group 101 in
>  ip access-group 101 out
>
> Router-R2#r1
> Trying R1 (192.168.0.100)... Open
> Router-R1#ping r2
>
> Type escape sequence to abort.
> Sending 5, 100-byte ICMP Echoes to 192.168.0.101, timeout is 2 seconds:
> !!!!!
> Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/4 ms
> Router-R1#
>
> Thanks in advance!!
>
> Magoo
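
Added example (not part of the original thread): a small Python model of first-match ACL evaluation, showing why access-list 101 as posted lets the ping through and what changes when the protocol is icmp, as suggested above. The Entry and Packet classes and the ACL_WITH_ICMP list are constructed for illustration, and only "any any" addressing is modelled.

```python
# Added example: first-match evaluation of extended ACL entries.
# Models only protocol, TCP/UDP destination port and ICMP type ("any any").
from dataclasses import dataclass
from typing import List, Optional

ECHO_PORT = 7   # TCP/UDP "echo" service, i.e. "eq echo" (the small servers)
ICMP_ECHO = 8   # ICMP echo request, what ping sends
ICMP_ECHO_REPLY = 0

@dataclass
class Entry:
    action: str                      # "permit" or "deny"
    proto: str                       # "ip", "tcp", "udp" or "icmp"
    dport: Optional[int] = None      # tcp/udp destination port
    icmp_type: Optional[int] = None  # icmp message type

@dataclass
class Packet:
    proto: str
    dport: Optional[int] = None
    icmp_type: Optional[int] = None

def matches(entry: Entry, pkt: Packet) -> bool:
    if entry.proto != "ip" and entry.proto != pkt.proto:
        return False                 # "ip" matches every IP protocol
    if entry.dport is not None and entry.dport != pkt.dport:
        return False
    return entry.icmp_type is None or entry.icmp_type == pkt.icmp_type

def evaluate(acl: List[Entry], pkt: Packet) -> str:
    for entry in acl:                # first matching entry decides
        if matches(entry, pkt):
            return entry.action
    return "deny"                    # implicit deny at the end of every ACL

# access-list 101 exactly as posted in the question
ACL_AS_POSTED = [Entry("deny", "tcp", dport=ECHO_PORT),
                 Entry("deny", "udp", dport=ECHO_PORT),
                 Entry("permit", "ip")]
# Constructed variant with tcp replaced by icmp (deny icmp any any echo)
ACL_WITH_ICMP = [Entry("deny", "icmp", icmp_type=ICMP_ECHO),
                 Entry("permit", "ip")]

PING = Packet("icmp", icmp_type=ICMP_ECHO)
print("as posted:", evaluate(ACL_AS_POSTED, PING))
print("with icmp:", evaluate(ACL_WITH_ICMP, PING))
```

In the posted list the ping falls through both echo-port entries and is permitted by the final "permit ip any any"; in the variant it matches the first entry and is dropped.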




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=17768&t=17761