Solved

Not allow trace and ping packet

Posted on 2003-02-21
Last Modified: 2012-06-21
Are trace and ping packets the same?

And how to disable "trace" and "ping" from passing through a Cisco router?
0
Question by:leumas
LVL 79

Expert Comment

by:lrmoore
ID: 7993000
Are they the same? NO. They use two different ICMP "types".

To block outbound at the router:

! block ping
access-list 101 deny icmp any any echo
! block traceroute
access-list 101 deny icmp any any time-exceeded

interface Ethernet 0/0
 ip access-group 101 in


If you just want to block the returns (same effect really):
! block ping replies:
access-list 101 deny icmp any any echo-reply
access-list 101 deny icmp any any time-exceeded

interface serial 0/0
 ip access-group 101 in
0
 
LVL 11

Expert Comment

by:geoffryn
ID: 7994137
You can't get a more concise answer than that.
0
 

Author Comment

by:leumas
ID: 8014167
Hello lrmoore, I use
"access-list 101 deny icmp any any time-exceeded"
"access-list 101 permit ip any any"
and then put into the fastethernet interface like
"ip access-group 101 in"

I can still ping and tracert through my router. But if I use

"access-list 101 deny icmp any any echo" instead of
"access-list 101 deny icmp any any time-exceeded"
I cannot do both "ping" and "tracert" through my router.
0
LVL 79

Expert Comment

by:lrmoore
ID: 8014214
Yes. If you block "echo" outbound, then you will block all forms of ICMP including traceroute.
Are you trying to block them from going out so that users cannot ping or do traceroutes, or block the router from responding to them from the internet?
0
 

Author Comment

by:leumas
ID: 8016362
If I want users to go out by ping but not by traceroute, and vice versa, how can I do it?
0
 
LVL 79

Accepted Solution

by:
lrmoore earned 200 total points
ID: 8016439
If you want to permit ping, but not traceroute, then you have to permit echo-reply and block time-exceeded at the ingress (serial interface):

access-list 101 permit icmp any any echo-reply
access-list 101 deny icmp any any
access-list 101 permit ip any any

interface Serial 0/0
 ip access-group 101 in


If you want to permit traceroute, but block ping replies, switch it around: permit time-exceeded, permit unreachables, deny echo-reply:

access-list 101 permit icmp any any time-exceeded
access-list 101 permit icmp any any unreachable
access-list 101 deny icmp any any
access-list 101 permit ip any any

interface Serial 0/0
 ip access-group 101 in

I'm not sure what you are really trying to accomplish, because blocking ICMP can break other things like black hole detect, path mtu discovery, ident, and other things that can have a dramatic impact on performance of your network.

0
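The two ACLs in the accepted answer, run through a small first-match evaluator as an added example that is not part of the original thread; the packet samples and the `evaluate`/`report` helper names are constructed for illustration. It also shows the side effect the answer warns about: the ping-only list drops the ICMP unreachable messages that path MTU discovery depends on.

```python
# Added illustration (not from the thread): first-match evaluation of the two
# ACLs in the accepted answer. Packets below are constructed samples.

# Each entry: (action, protocol, icmp_type or None for "any type").
PING_ONLY = [            # permit ping replies, block traceroute returns
    ("permit", "icmp", "echo-reply"),
    ("deny",   "icmp", None),
    ("permit", "ip",   None),
]
TRACE_ONLY = [           # permit traceroute returns, block ping replies
    ("permit", "icmp", "time-exceeded"),
    ("permit", "icmp", "unreachable"),
    ("deny",   "icmp", None),
    ("permit", "ip",   None),
]

def evaluate(acl, proto, icmp_type=None):
    """Return the action of the first matching entry; implicit deny at the end."""
    for action, acl_proto, acl_type in acl:
        proto_ok = acl_proto == "ip" or acl_proto == proto  # "ip" matches any protocol
        type_ok = acl_type is None or acl_type == icmp_type
        if proto_ok and type_ok:
            return action
    return "deny"  # every IOS ACL ends with an implicit "deny ip any any"

# Constructed inbound packets arriving on the serial interface.
SAMPLES = {
    "ping reply":           ("icmp", "echo-reply"),
    "traceroute hop reply": ("icmp", "time-exceeded"),
    "PMTUD frag-needed":    ("icmp", "unreachable"),  # ICMP type 3, code 4
    "web response":         ("tcp",  None),
}

def report(acl):
    """Map each sample packet name to the action the ACL takes on it."""
    return {name: evaluate(acl, *pkt) for name, pkt in SAMPLES.items()}

if __name__ == "__main__":
    for label, acl in (("ping only", PING_ONLY), ("traceroute only", TRACE_ONLY)):
        print(label, report(acl))
```
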
 

Author Comment

by:leumas
ID: 8032969
Thanks a lot.
0
