Blocking ICMP on a Cisco router

I am just starting out with Cisco equipment. I have a router that I set up and am trying to figure out how to block ICMP on the WAN interface so that I am not visible to the outside world.

I tried setting up an access-list that is deny icmp any any.

When I apply it to my WAN interface inbound, it immediately stops all incoming and outgoing IP activity. I can't ping the router from internal, and I can't access any web pages. I can't ping the router from external, so that at least works :confused:

I tried running the auto secure wizard which shuts off a whole bunch of stuff but still did not seem to shut it off. Any thoughts on where I could be going wrong?
 
Code:
conf t 
ip access-list ext OUTSIDE
deny icmp any any
permit ip any any
exit
int fa0/0
ip access-group OUTSIDE in
end 
copy r s
 
the really easy way is just

en

conf t

icmp deny any <interface name>
 
I am just starting out with Cisco equipment. I have a router that I set up and am trying to figure out how to block ICMP on the WAN interface so that I am not visible to the outside world.

The example given makes you very vulnerable to the outside world still.

I recommend using tcp any any established instead of permit ip any any, and allowing DNS, etc.

You should also lock your VTY lines so that they can only be accessed from your LAN IPs.
 
Please note, blocking any and all ICMP makes you look like a fool, and will also prevent a lot of important things from working correctly.

ICMP Unreachables (especially ICMP Type 3 Code 4) are all extremely useful, if not required, for a correctly operating network node.
 
Is it best practice to create a separate access list for each protocol?

For instance, one for blocking telnet traffic, one for outbound traffic, etc.

Part of the Cisco hardening guide talks about disabling ip unreachable and ip redirects. Can you elaborate on what I am breaking with denying icmp? Isn't this how a typical home router functions to prevent intrusions?
 
Code:
conf t 
ip access-list ext OUTSIDE
deny icmp any any
permit ip any any
exit
int fa0/0
ip access-group OUTSIDE in
end 
copy r s


Gotta change these two around and you're golden:

deny icmp any any
permit ip any any

Deny overwrites the permit; any ACL statement ends with deny.
 
And for the "vty lockdown" just create another ACL and add it to the vty access-class aclnum in
 
Part of the Cisco hardening guide talks about disabling ip unreachable and ip redirects. Can you elaborate on what I am breaking with denying icmp? Isn't this how a typical home router functions to prevent intrusions?

ICMP Frag Needed (Type 3 Code 4) is what a remote host will send to you if you are sending packets larger than they can accept; this is how PMTU discovery works. If you block all ICMP, you'll block these, and you'll be unable to communicate with anybody who uses a smaller MTU than you do.
 
ICMP Frag Needed (Type 3 Code 4) is what a remote host will send to you if you are sending packets larger than they can accept; this is how PMTU discovery works. If you block all ICMP, you'll block these, and you'll be unable to communicate with anybody who uses a smaller MTU than you do.

Close but not quite. It's for when the network in between the 2 devices has a smaller MTU than both ends. Unless you're talking UDP, the TCP MSS will handle a smaller MTU on either end of the conversation.
 
Gotta change these two around and you're golden:

deny icmp any any
permit ip any any

Deny overwrites the permit; any ACL statement ends with deny.

Wait, what? You are saying to put the permit ip any any statement first?

No. That will allow any and all IP traffic through. The order given by matt is correct.
 
Close but not quite. It's for when the network in between the 2 devices has a smaller MTU than both ends. Unless you're talking UDP, the TCP MSS will handle a smaller MTU on either end of the conversation.

How does TCP MSS work? ICMP Frag Needed.
 
Wait, what? You are saying to put the permit ip any any statement first?

No. That will allow any and all IP traffic through. The order given by matt is correct.

Every ACL ends with an implicit deny any any. I think the poster was confusing this - since the most specific ACL wins, permit ACLs must be entered explicitly to permit traffic. As soon as an access-list is applied to an interface via the access-group command, there is the implicit deny any any to consider.
 
I think the poster was confusing this - since the most specific ACL wins
Not to beat this to death but ACLs are processed top-down. The specificity of the ACE doesn't matter if a rule ahead of it in the sequence is matching the traffic.

For example:

permit tcp any any
permit tcp any any eq telnet
deny ip any any

The second line would never match anything since line 1 is catching all tcp already.

Hope that helps clarify.
 
Gotta change these two around and you're golden:

deny icmp any any
permit ip any any

Deny overwrites the permit; any ACL statement ends with deny.

Incorrect. It's top down, so if you permit any over a deny any...the packet is permitted. Once it reaches a rule that is acceptable, it's done...it doesn't look further down the list.

So, deny icmp....an icmp packet comes in...instantly dropped because it met its rule. Permit any after that allows everything through...it would even do ICMP if it weren't explicitly denied in the above rule.

Then after that is the deny any any. You still get traffic flowing because there is a permit above it.
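As an added illustration (not code from any poster in this thread), a small Python model of the top-down ACL evaluation described above. It covers the original poster's deny-only list hitting the implicit deny, the two orderings argued over, and the shadowed-telnet example from the earlier post; the ACLs and addresses are constructed, and the `shadowed` check is a generalization of that example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass
class Ace:
    """proto "ip" matches any IP protocol; src/dst are "any" or a CIDR; dport 0 = any port."""
    action: str
    proto: str
    src: str = "any"
    dst: str = "any"
    dport: int = 0

@dataclass
class Packet:
    proto: str
    src: str
    dst: str
    dport: int = 0

def _in(prefix, addr):
    return prefix == "any" or ip_address(addr) in ip_network(prefix, strict=False)

def matches(ace, pkt):
    return (ace.proto in ("ip", pkt.proto) and _in(ace.src, pkt.src)
            and _in(ace.dst, pkt.dst) and ace.dport in (0, pkt.dport))

def evaluate(acl, pkt):
    """Top-down: the first matching ACE decides and processing stops there."""
    for line, ace in enumerate(acl, 1):
        if matches(ace, pkt):
            return ace.action, line
    return "deny", 0  # fell off the end: the implicit deny ip any any (reported as line 0)

def _covers(wide, narrow):
    return wide == "any" or (narrow != "any" and ip_network(
        narrow, strict=False).subnet_of(ip_network(wide, strict=False)))

def shadowed(acl):
    """Lines that can never match because an earlier ACE already matches all they would."""
    return [i + 1 for i, later in enumerate(acl) if any(
        earlier.proto in ("ip", later.proto) and _covers(earlier.src, later.src)
        and _covers(earlier.dst, later.dst) and earlier.dport in (0, later.dport)
        for earlier in acl[:i])]

# Constructed ACLs mirroring the ones discussed in the thread
DENY_ONLY = [Ace("deny", "icmp")]                      # the original poster's first attempt
CORRECT = [Ace("deny", "icmp"), Ace("permit", "ip")]   # the order matt posted
SWAPPED = [Ace("permit", "ip"), Ace("deny", "icmp")]   # the "swap them around" advice
TELNET = [Ace("permit", "tcp"), Ace("permit", "tcp", dport=23), Ace("deny", "ip")]
```

`evaluate(DENY_ONLY, tcp_packet)` returns `("deny", 0)`, which is exactly why the original poster lost all traffic, and `evaluate(SWAPPED, icmp_packet)` permits the ping on line 1.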
 
How does TCP MSS work? ICMP Frag Needed.

ICMP frag needed has nothing to do with MSS.

http://en.wikipedia.org/wiki/Maximum_segment_size

for IPv4, MSS = MTU - 40 (IP headers)

It's a parameter that each end device uses to set their corresponding outbound and inbound buffer sizes per connection. So, if device A has an interface MTU of 1500 but device B has an interface MTU of 1300, neither side will send a packet that is larger than 1300. Note that it may appear that this value is "negotiated", but it is actually not. Each side determines their own outbound MSS, which due to the large size of buffers these days, is pretty much always the same on both sides of the conversation, even though it doesn't have to be.

Anyway, MSS is TCP only, and some routers/firewalls support adjusting the value within the network to avoid having to use ICMP frag needed, but if you're doing any kind of UDP, ESP, etc, it won't help and you have to allow ICMP frag needed.

Note that in IPv6, ICMPv6 type 2 (packet too big) [ipv4 is type 3 code 4], is pretty much required for proper network communication. Fragmentation is basically not allowed and denying this traffic could have severe adverse effects on customer traffic.
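As an added worked model (not from any poster here) of the MSS vs. Frag Needed discussion above: it computes MSS as MTU - 40, shows TCP coping with a smaller MTU at either endpoint without ICMP, and shows what happens when a link in the middle is smaller than both ends, with and without ICMP type 3 code 4 getting through and with a router clamping the MSS. The MTU values are constructed, and DF is assumed set throughout.

```python
IP_HDR, TCP_HDR = 20, 20  # IPv4 and TCP headers without options: the thread's "MTU - 40"

def tcp_mss(mtu):
    """MSS a host advertises in its SYN, derived from its own interface MTU."""
    return mtu - IP_HDR - TCP_HDR

def datagram_size(proto, host_mtu, peer_mtu, path_mtu, icmp_allowed, mss_clamp=None):
    """Size of the datagram the sender settles on, or None if the path blackholes it.
    Assumes DF is set on everything (normal for TCP, and for UDP/ESP tunnels
    that rely on PMTU discovery)."""
    if proto == "tcp":
        # Each side caps its segments at the MSS the *peer* advertised, so a
        # smaller MTU on either endpoint is handled without any ICMP at all.
        mss = tcp_mss(peer_mtu)
        if mss_clamp is not None:
            # A router rewrote the SYN (ip tcp adjust-mss): the endpoints never
            # learn the real path MTU but never exceed it either. TCP only.
            mss = min(mss, mss_clamp)
        size = mss + IP_HDR + TCP_HDR
    else:
        # UDP/ESP carry no MSS: the sender starts at its own interface MTU.
        size = host_mtu
    if size <= path_mtu:
        return size
    # A link in the middle is smaller than both ends: the router drops the
    # packet and returns ICMP type 3 code 4 with the next-hop MTU. If that
    # ICMP is filtered, the sender keeps retransmitting the same size.
    return path_mtu if icmp_allowed else None

# Constructed scenarios from the thread: A has MTU 1500, B has MTU 1300
def scenarios():
    return {
        "tcp, path 1400, icmp blocked": datagram_size("tcp", 1500, 1300, 1400, False),
        "tcp, path 1200, icmp allowed": datagram_size("tcp", 1500, 1300, 1200, True),
        "tcp, path 1200, icmp blocked": datagram_size("tcp", 1500, 1300, 1200, False),
        "tcp, path 1200, icmp blocked, mss clamp 1160":
            datagram_size("tcp", 1500, 1300, 1200, False, mss_clamp=1160),
        "udp, path 1400, icmp blocked": datagram_size("udp", 1500, 1300, 1400, False),
    }

if __name__ == "__main__":
    for name, size in scenarios().items():
        print(f"{name}: {'BLACKHOLE' if size is None else size}")
```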
 