Nobody Can Ping My Computer
Updated: January 20, 2009
Applies To: Windows Server 2008, Windows Vista
A common step in troubleshooting connectivity situations is to use the Ping tool to ping the IP address of the computer to which you are trying to connect. When you ping, you send an ICMP Echo message (also known as an ICMP Echo Request message) and get an ICMP Echo Reply message in response. By default, Windows Firewall does not allow incoming ICMP Echo messages, and therefore the computer cannot send an ICMP Echo Reply in response.
Enabling incoming ICMP Echo messages will allow others to ping your computer. However, it also leaves your computer vulnerable to the types of attacks that use ICMP Echo messages. Therefore, we recommend that you enable the Allow incoming echo request setting temporarily, and then disable it when it is no longer needed.
To enable ICMP Echo messages, create new inbound custom rules to allow ICMPv4 and ICMPv6 Echo Request packets.
To enable ICMP Echo Request for ICMPv4 and ICMPv6
- In the Windows Firewall with Advanced Security snap-in, click Inbound Rules in the tree, and click New Rule in the Actions Pane.
- Click Custom and click Next.
- Click All programs and click Next.
- For Protocol type, select ICMPv4.
- Click Customize for Internet Control Message Protocol (ICMP) settings.
- Click Echo Request, click OK, and then click Next.
- Under Which local IP address does this rule match? and Which remote IP address does this rule match?, click either Any IP address or These IP addresses. If you click These IP addresses, specify the IP addresses and click Add, and then click Next.
- Click Allow the connection, and then click Next.
- Under When does this rule apply?, click the active profile, or any or all of the profiles (Domain, Private, Public), to which you want this rule to apply, and then click Next.
- For Name, type a name for this rule, and for Description, type an optional description. Click Finish.
- Repeat these steps for ICMPv6, selecting ICMPv6 for Protocol type instead of ICMPv4.
If you have active connection security rules, it is also helpful for troubleshooting purposes to exempt ICMP from the IPsec requirements temporarily. To do this, in the Windows Firewall with Advanced Security snap-in, in the Properties dialog box, click the IPsec Settings tab and click Yes to Exempt ICMP from IPsec. This step is only necessary if you have active connection security rules on the computer that you are trying to ping.
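The inbound rules from the procedure above can also be created, inspected and removed from an elevated command prompt with netsh advfirewall. The script below is an added example, not part of the original article; its rule names, remote address ranges (documentation prefixes) and profile are assumed placeholders to replace with your own.

```batch
@echo off
rem Added example: temporary, scoped ICMP Echo Request rules.
rem Run from an elevated command prompt.
rem Usage: icmp-echo.cmd enable ^| disable ^| status
setlocal

rem Assumptions: the names and address ranges below are placeholders.
set "RULE4=TEMP Allow ICMPv4 Echo Request"
set "RULE6=TEMP Allow ICMPv6 Echo Request"
set "REMOTE4=192.0.2.0/24"
set "REMOTE6=2001:db8::/32"
set "PROFILE=domain"

if /i "%~1"=="enable"  goto enable
if /i "%~1"=="disable" goto disable
if /i "%~1"=="status"  goto status
echo Usage: %~nx0 enable^|disable^|status
exit /b 1

:enable
rem Remove any earlier copies first; add rule does not replace a rule
rem that already has the same name, it creates a duplicate.
netsh advfirewall firewall delete rule name="%RULE4%" >nul 2>&1
netsh advfirewall firewall delete rule name="%RULE6%" >nul 2>&1

rem ICMPv4 Type 8 and ICMPv6 Type 128 are the Echo Request types.
rem remoteip limits who may ping; profile limits where the rule applies.
netsh advfirewall firewall add rule name="%RULE4%" dir=in action=allow ^
    protocol=icmpv4:8,any remoteip=%REMOTE4% profile=%PROFILE%
if errorlevel 1 exit /b 1
netsh advfirewall firewall add rule name="%RULE6%" dir=in action=allow ^
    protocol=icmpv6:128,any remoteip=%REMOTE6% profile=%PROFILE%
if errorlevel 1 exit /b 1
goto status

:disable
rem Remove both rules once troubleshooting is finished.
netsh advfirewall firewall delete rule name="%RULE4%"
netsh advfirewall firewall delete rule name="%RULE6%"
exit /b 0

:status
rem Lists the rules if present; reports no match once they are removed.
netsh advfirewall firewall show rule name="%RULE4%"
netsh advfirewall firewall show rule name="%RULE6%"
exit /b 0
```

Running the script with status after disable confirms that no temporary echo rule was left behind.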
Configuring ICMP Settings
Updated: March 28, 2005
You can configure Windows Firewall so that ICMP version 4 (ICMPv4) and ICMP version 6 (ICMPv6) traffic is either blocked or allowed. The following table describes the ICMPv4 and ICMPv6 messages that you can control with Windows Firewall.
| ICMP message | Description |
| --- | --- |
| Allow incoming echo request | Corresponds to ICMPv4 Type 8 (Echo) and ICMPv6 Type 128 (Echo Request) messages. |
| Allow incoming timestamp request | Corresponds to ICMPv4 Type 13 (Timestamp) messages. |
| Allow incoming mask request | Corresponds to ICMP Type 17 (Address Mask Request) messages. |
| Allow incoming router request | Corresponds to ICMP Type 9 (Router Solicitation) messages. |
| Allow outgoing destination unreachable | Corresponds to ICMPv4 Type 3 (Destination Unreachable) and ICMPv6 Type 1 (Destination Unreachable) messages. |
| Allow outgoing source quench | Corresponds to ICMP Type 4 (Source Quench) messages. |
| Allow outgoing parameter problem | Corresponds to ICMP Type 12 (Parameter Problem) and ICMPv6 Type 4 (Parameter Problem) messages. |
| Allow outgoing time exceeded | Corresponds to ICMP Type 11 (Time Exceeded) and ICMPv6 Type 3 (Time Exceeded) messages. |
| Allow redirect | Corresponds to ICMP Type 5 (Redirect) and ICMPv6 Type 137 (Neighbor Discovery Redirect) messages. |
| Allow outgoing packet too big | Corresponds to ICMPv6 Type 2 (Packet Too Big) messages. |
If you do not enable the Allow incoming echo requests setting, commands that use the ICMP Echo message (also known as the ICMP Echo Request message), such as ping or tracert, will not work. If you are running network management software that uses ICMP Destination Unreachable messages, you need to enable the Allow outbound destination unreachable setting.
If you configure Windows Firewall so that traffic is allowed through TCP port 445, Windows Firewall will allow incoming ICMP Echo messages automatically. This is true even if you disable the Allow incoming echo requests setting, or you disable the Windows Firewall: Allow ICMP exceptions Group Policy setting, or you use the netsh firewall set icmpsetting 8 disable command. For example, there are two predefined service exceptions that allow traffic through TCP port 445: the File and Printer Sharing exception and the Remote Administration exception. If you enable either of these exceptions, and you allow unsolicited incoming traffic to pass through TCP port 445, other computers will be able to access your computer with the ping command.
When to perform this task
You should use these settings if your organization uses the ping or tracert commands for troubleshooting. Usually, you configure these settings only once or on an as-needed basis.
Task requirements
No special tools are required to perform this task.
Task procedures
To complete this task, perform the following procedure:
Block and Unblock ICMP Messages