What does a Cisco IOS access-list look like for filtering ICMP traffic, and what does each line do?
Cisco IOS access-lists are the canonical example of packet-filter syntax — sequential lines of permit or deny, evaluated top-down. The example filters ICMP, allowing only specific message types.
The example ACL:
Router#sh run | i access-list 150
access-list 150 remark ICMP ACL
access-list 150 remark Block fragmented ICMP packets
access-list 150 deny icmp any any fragments
access-list 150 remark Permit troubleshooting ICMP types
access-list 150 permit icmp any any echo
access-list 150 permit icmp any any echo-reply
access-list 150 permit icmp any any time-exceeded
access-list 150 permit icmp any any packet-too-big
access-list 150 remark Deny any other ICMP messages
access-list 150 deny icmp any any
access-list 150 remark Allow Other Traffic
access-list 150 permit ip any any
Reading the rules (top-down):
| Line | Effect |
|---|---|
deny icmp any any fragments |
Drop fragmented ICMP (used in attacks like Ping of Death) |
permit icmp any any echo |
Allow ping requests |
permit icmp any any echo-reply |
Allow ping replies |
permit icmp any any time-exceeded |
Allow traceroute to work |
permit icmp any any packet-too-big |
Allow PMTU discovery to work |
deny icmp any any |
Block all other ICMP types (e.g., redirect, source quench) |
permit ip any any |
Allow all non-ICMP IP traffic |
Why this pattern is the canonical example:
It demonstrates three universal firewall principles:
- Deny dangerous specific cases first (fragments)
- Permit specific allowed cases (the 4 ICMP types)
- Catch-all deny for everything in this category
- Pass-through for traffic not in this category
Why ICMP filtering needs care:
Total ICMP blocking breaks PMTU discovery (packets get fragmented but no packet-too-big reaches the sender → silent connection failure). The specific ICMP permits are the minimum viable ICMP for a working internet connection.
The Cisco syntax to know:
access-list <number> {permit|deny} <protocol> <src> <dst> [match-criteria]
ACL numbers determine type:
- 1–99: standard (source IP only)
- 100–199: extended (source + dest + protocol + ports)
- 200+: named ACLs
Tip: This is the exact ACL pattern you'll see in CCNA Security and is asked on most network certification exams. The "block fragmented ICMP" rule especially — it's a small detail but cited often.
Go deeper:
ICMP (Wikipedia) — maps each permitted type to its role, explaining why blocking them breaks ping/traceroute/PMTUD.
IP fragmentation attack (Wikipedia) — why the first ACL line drops fragmented ICMP (Ping of Death / teardrop).