How to apply access list with following condition

I want to apply access list on router so that HostA cannot ping HostB, but HostB can ping HostA. Is it possible? Is their any concept of inbound and outbound applies here? Thanks in advance.

Find more posts tagged with

Save $250 on 2025 certification boot camps from Infosec!

Book now with code EOY2025

Button

Comments

theodoxa

I've never tried it, but you might/should be able to specify "echo-request" and "echo-reply" in the appropriate directions.

[EDIT] I assume A and B are of different subnets/VLANs and that you are doing RoAS with the router to route between the subnets. If they're on the same subnet/VLAN, then you'd need to look into VACLs, which I'm not sure would be fully supported by the 2950.

atorven

If they are both in different vlans then you need to deny icmp echo traffic coming in from HostA

OfWolfAndMan

Let's keep it simple. This will require an extended access list.

#access-list 101 deny icmp [source ip] [source mask] [destination ip] [destination mask] echo
#access-list 101 deny icmp [source ip] [source mask] [destination ip] [destination mask] echo-reply
#access-list 101 permit ip any any

Then apply it to the appropriate port or SVI, depending on how you want to go about it.

atorven

If you deny echo reply then the HostA replies won't be received by HostB therefore a ping from host B would fail.

theodoxa

atorven wrote: »

If you deny echo reply then the HostA replies won't be received by HostB therefore a ping from host B would fail.

You deny echo-reply only for packets sourced from A and destined for B using an Extended ACL

deny icmp host <Host A IP Address> host <Host B IP Address> echo-reply
permit ip any any

These two lines would prevent PING responses from coming back to A from B, but not vice-versa. Ideally, though you would want to block the PINGs before they ever got to Host B [to avoid wasting its resources].