Solved

Not allow trace and ping packet

Posted on 2003-02-21
Last Modified: 2012-06-21
Are Trace and Ping packets the same?

And how to disable "trace" and "ping" from passing through a CISCO router?
Question by:leumas
7 Comments
 
LVL 79

Expert Comment

by:lrmoore
ID: 7993000
Are they the same? NO. They use two different ICMP "types".

To block outbound at the router:

! block ping
access-list 101 deny icmp any any echo
! block traceroute
access-list 101 deny icmp any any time-exceeded
! every ACL ends in an implicit deny, so permit all other traffic
access-list 101 permit ip any any

interface Ethernet 0/0
 ip access-group 101 in


If you just want to block the returns (same effect really):
! block ping replies:
access-list 101 deny icmp any any echo-reply
access-list 101 deny icmp any any time-exceeded
access-list 101 permit ip any any

interface serial 0/0
 ip access-group 101 in
LVL 11

Expert Comment

by:geoffryn
ID: 7994137
You can't get a more concise answer than that.

Author Comment

by:leumas
ID: 8014167
Hello lrmoore, I use
"access-list 101 deny icmp any any time-exceeded"
"access-list 101 permit ip any any"
and then put it onto the FastEthernet interface like
"ip access-group 101 in"

I can still ping and tracert through my router. But if I use

"access-list 101 deny icmp any any echo" instead of
"access-list 101 deny icmp any any time-exceeded"
I cannot do either "ping" or "tracert" through my router.
LVL 79

Expert Comment

by:lrmoore
ID: 8014214
Yes. If you block "echo" outbound, then you will block all forms of ICMP including traceroute.
Are you trying to block them from going out so that users cannot ping or do traceroutes, or block the router from responding to them from the internet?

Author Comment

by:leumas
ID: 8016362
If I want users to go out by ping but not by traceroute, and vice versa, how can I do it?
LVL 79

Accepted Solution

by:
lrmoore earned 200 total points
ID: 8016439
If you want to permit ping, but not traceroute, then you have to permit echo-reply and block time-exceeded at the ingress (serial interface):

access-list 101 permit icmp any any echo-reply
access-list 101 deny icmp any any
access-list 101 permit ip any any

interface serial 0/0
 ip access-group 101 in


If you want to permit traceroute, but block ping replies, switch it around: permit time-exceeded, permit unreachables, deny echo-reply.

access-list 101 permit icmp any any time-exceeded
access-list 101 permit icmp any any unreachable
access-list 101 deny icmp any any
access-list 101 permit ip any any

interface serial 0/0
 ip access-group 101 in

I'm not sure what you are really trying to accomplish, because blocking ICMP can break other things like black hole detect, path MTU discovery, ident, and other things that can have a dramatic impact on performance of your network.

0
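
An added example, not part of the original thread: a small Python model of first-match ACL evaluation, applied to the two ACL 101 variants from the accepted solution, showing which return traffic each one lets in on the serial interface. The parser covers only the "any any" forms used on this page, and the function names are illustrative.

```python
# ICMP type numbers (RFC 792) for the keywords used in the thread's ACLs.
ICMP_TYPES = {"echo-reply": 0, "unreachable": 3, "echo": 8, "time-exceeded": 11}

# The two ACLs from the accepted solution, copied from the page.
PERMIT_PING_ONLY = """
access-list 101 permit icmp any any echo-reply
access-list 101 deny icmp any any
access-list 101 permit ip any any
"""
PERMIT_TRACEROUTE_ONLY = """
access-list 101 permit icmp any any time-exceeded
access-list 101 permit icmp any any unreachable
access-list 101 deny icmp any any
access-list 101 permit ip any any
"""

def parse_acl(text):
    """Parse 'access-list N permit|deny proto any any [icmp-type]' lines (simplified subset)."""
    rules = []
    for line in text.strip().splitlines():
        tok = line.split()
        if len(tok) < 6 or tok[0] != "access-list" or tok[4:6] != ["any", "any"]:
            raise ValueError(f"unsupported ACL line: {line!r}")
        icmp_type = ICMP_TYPES[tok[6]] if len(tok) > 6 else None
        rules.append((tok[2], tok[3], icmp_type))
    return rules

def evaluate(rules, proto, icmp_type=None):
    """Return the action of the first matching rule; fall through to the implicit deny."""
    for action, rule_proto, rule_type in rules:
        if rule_proto in ("ip", proto) and rule_type in (None, icmp_type):
            return action
    return "deny"  # every IOS ACL ends with an implicit 'deny ip any any'

def inbound_verdicts(acl_text):
    """Verdicts for the inbound packets that ping, traceroute and path MTU discovery rely on."""
    rules = parse_acl(acl_text)
    return {
        "echo-reply (type 0)": evaluate(rules, "icmp", 0),
        "time-exceeded (type 11)": evaluate(rules, "icmp", 11),
        "unreachable (type 3)": evaluate(rules, "icmp", 3),
        "tcp": evaluate(rules, "tcp"),
    }

if __name__ == "__main__":
    for name, acl in (("permit ping only", PERMIT_PING_ONLY),
                      ("permit traceroute only", PERMIT_TRACEROUTE_ONLY)):
        print(name, inbound_verdicts(acl))
```

With the ping-only ACL, type 3 unreachables are dropped along with time-exceeded, which is the path MTU discovery breakage the answer warns about.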
 

Author Comment

by:leumas
ID: 8032969
Thanks a lot.
Question has a verified solution.