Solved

Ping and Trace Packets

Posted on 2003-02-21
24
Medium Priority
1,090 Views
Last Modified: 2012-06-27
I recently tried the following commands on a Cisco router that is set up between an ISP and a private network.


config t

access-list 102 deny icmp any any echo-reply
access-list 102 deny icmp any any time-exceeded

int Serial0.1

ip access-group 102 in

The idea is to block traceroute and pings on this router, and every time I apply that access list to the interface (it is the only access list), the WHOLE internet goes down.

Any suggestions?
0
Question by:andgroup
24 Comments
 
LVL 11

Expert Comment

by:geoffryn
ID: 7995945
There is an implied "deny any any" at the end of every access list.  If you are just trying to block ICMP, add

access-list 102 permit ip any any

0
 

Author Comment

by:andgroup
ID: 7996053
All right...

I applied the access-list now with the permit ip any any at the end, and this time it did not take the internet down, however the traceroute and the pings are still working just fine.

Am I doing something wrong?  Should I apply the access-list to the main serial interface or the sub-interface, the IP address is on the sub-interface....

Thanks
John Woods
0
 
LVL 7

Expert Comment

by:pedrow
ID: 7996133
Are you trying to block people outside your network from pinging inside your network? or are you trying to prevent people inside your network from pinging outside?
0
 

Author Comment

by:andgroup
ID: 7996154
trying to block people outside the network from pinging the external router... also I want to block traceroute to the outside world.  

thanks.
0
 

Author Comment

by:andgroup
ID: 7996234
Let me make that a little more clear, I have no intentions of placing any restrictions on the users INSIDE the network.  I want to disable traceroute and ping to the outside world.

Thanks...
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 7997264
If you don't want to restrict inside users from pinging external sources, or performing traceroutes, but you DO want to keep anyone on the Internet from being able to ping your serial interface of the router:

access-list 109 deny icmp any any
access-list 109 permit ip any any

interface serial 0/0
 ip access-group 109 out

0
 
LVL 7

Expert Comment

by:pedrow
ID: 7997379
hey-
 
wouldn't the above end up denying all inbound icmp types? (i'm asking)?

So if you're running a network with minimal filtering at the edge (last acl line '~permit ip any any') you would probably wanna explicitly say which icmp types you wanna let back into your network, so wouldn't you wanna do this?:

access-list 109 permit icmp any any echo-reply
access-list 109 permit icmp any any time-exceeded
access-list 109 permit icmp any any port-unreachable
access-list 109 permit icmp any any net-unreachable
access-list 109 permit icmp any any host-unreachable
access-list 109 permit icmp any any administratively-prohibited
access-list 109 permit icmp any any packet-too-big
!
access-list 109 deny icmp any any
access-list 109 permit ip any any
!

Also, to raise your shields even higher:

router(config)#int Serial0/0
router(config-int)#description Front Door
router(config-int)#no ip unreachables

This way traceroutes to your internal network or outside interface won't cough back an administrative denial, which looks like this:

hop
15 YourOutsideInterface.isp.net (1.2.3.4) [AS 1239] !A  *  !A

instead it will just look like dead space:
15 YourOutsideInterface.isp.net (1.2.3.4) [AS 1239] *  *  *
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 7997579
pedrow, I like your idea better with the "no ip unreachables"
0
 
LVL 7

Expert Comment

by:pedrow
ID: 7997891
thanks!
it makes a nice finishing touch ;)
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 7999078
OHNOSECOND:
That fraction of time after hitting
enter in which you realize that you've
just permanently deleted the wrong file.

(or provided the wrong information)
0
 
LVL 50

Expert Comment

by:Don Johnston
ID: 7999963
Access list will only deny traffic going through the router. Traffic originating FROM the router will not be stopped by an ACL.

-don
0
 

Author Comment

by:andgroup
ID: 8005900
Question.

Pedrow's example has many permits.  Although my question was how to STOP pings and traceroutes from the outside.  

Wouldn't permitting an echo-reply, ENABLE pings instead of disabling them?

What is the meaning of the last comment by DonJohnston?  

Is it possible to stop people on the "INTERNET" from doing pings and traceroutes, to our internet router?  Since those packets wouldn't actually travel "THROUGH" the router?

Thanks
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 8006078
I think I may have confused things, and pedrow has provided you the correct answer.
Under your serial interface, enter the command "no ip unreachables"
This will prevent the router from answering ping packets directed to it.

If you have any static nat statements, that alone will not prevent pinging your servers. You would need a custom inbound access list that permits echo-reply, ttl-exceeded, packet too big, and unreachables to come in so that you can use ping and traceroute from inside, but nobody on the Internet can ping anything on your net.

0
 

Author Comment

by:andgroup
ID: 8006126
The main thing that I do not want them to be able to PING or TRACEROUTE is the "external" or "public" interface on the ROUTER...
0
 

Author Comment

by:andgroup
ID: 8006131
There are no static NAT statements on this router...  So you are telling me that "no ip unreachables" is sufficient and the ONLY thing I need to do?

Thanks
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 8006187
Actually, I just tried it on a live router and it did not have the desired effect.

If you don't currently have an inbound acl:

access-list 101 deny icmp any host <ip add of serial interface>
access-list 101 permit ip any any
!
Interface serial 0/0
 ip access-group 101 in

0
 
LVL 7

Expert Comment

by:pedrow
ID: 8006283
okay :)

time to clear things up.

icmp is composed of many different types of messages. Many types are responses that are coming back from an echo-request.

The long list of things that I put in my permit are the various types of replies that one might get back in response from an echo-request. You generally want to permit these back into your network.

The line:
access-list 109 deny icmp any any

at the end of the icmp permits, denies all other icmp traffic (principally, echo-requests from the internet, i.e. pings).

This will deny icmp traffic coming into your network from the internet. When someone tries to ping something in your network, they will receive a message from your router telling them that their echo-request has been administratively denied. Some traceroute applications don't show administrative denials, but traceroute on a cisco will show "!A" as the response in the traceroute.

the 'no ip unreachables' command on the interface, just prevents the router from replying at all to the echo-request(or anything else).

Don Johnston's comment isn't really relevant, because i don't think you plan on having the public at large logging into your router to conduct ping scans of your internal network. He *is* correct in that pings originating from your router won't be blocked, but it seems to me that the router is part of your own administrative domain, so, who cares :)

So, in a nutshell, the access list is what denies pings and traceroutes from the internet. The no ip unreachables just says that if you're denying inbound traffic, you're not gonna tell the intruder 'not by the hair of my chinny-chin-chin',  but rather just not tell them anything (which I just prefer).

does that help?
0
 
LVL 7

Expert Comment

by:pedrow
ID: 8006544
more clarifications:

i said this about the various responses to an echo-request:
You generally want to permit these back into your network.

I should clarify this...meaning *I* generally want to let these back in. I've been on internal networks where admins don't let *any* icmp messages come back into the network. I think this breaks things, especially things like pathMTU discovery, as well as just being a major pain in the ass.

also-
echo-requests are also known as pings. echo requests can be responded to with a number of responses. Because icmp is yet another one of those protocols (ip protocol 1) that operate neither with ports nor with any notion of state, you have to permit them into your network if you want the types of information that icmp was designed to provide.

0
 

Author Comment

by:andgroup
ID: 8013206
Okay guys;

Here was the final solution that I came up with:

access-list 105 deny icmp any host <serial int ip>
access-list 105 deny icmp any host <ethernet int ip>
access-list 105 deny icmp any any
access-list 105 permit ip any any

config t
int Serial0.1
ip access-group 105 in


It seems to work perfectly.  One problem that I had was that the ISP seems to have been using a PRIVATE ip on the EXTERNAL interface, and they assigned the PUBLIC ip to the INTERNAL interface.  I understand that a lot of ISPs do that type of thing.  So even when I disabled icmp traffic to the serial interface, the ethernet interface would still respond.  Disabling all of these seems to work.  I am still unsure on whether I could remove the first two lines, and whether the "deny icmp any any" line would work on its own?

Your thoughts?

Thanks
John Woods
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 8013321
Your last line will deny icmp unreachables and echo-reply coming back in response to pings from internal clients. You should permit unreachables, echo-reply, time-exceeded at the very least, or remove the line that says deny icmp any any.
0
 
LVL 7

Expert Comment

by:pedrow
ID: 8013451
if you don't qualify what types of icmp you're denying, you're denying all of them.

Why are you just denying the two ip addresses?

here's the whole enchilada:

conf t
!
access-list 101 permit icmp any any echo-reply
access-list 101 permit icmp any any time-exceeded
access-list 101 permit icmp any any port-unreachable
access-list 101 permit icmp any any net-unreachable
access-list 101 permit icmp any any host-unreachable
access-list 101 permit icmp any any administratively-prohibited
access-list 101 permit icmp any any packet-too-big
access-list 109 deny icmp any any
access-list 109 permit ip any any
!
int Serial0.1
ip access-group 105 in
no ip unreachables
end

you *want* these reply messages to come back into your network, or at the very least, echo-replies (replies to pings), packet-too-big (for pathMTU resolution) and time-exceeded (traceroutes). That way you can run ping and traceroute from your internal network to the world at large successfully. The packet-too-big is so that if you run into servers that don't allow packet-fragmentation, your router can pass that info back to the originating internal hosts.
0
 
LVL 7

Accepted Solution

by:
pedrow earned 1000 total points
ID: 8013513
doh! sloppy copy/paste!

conf t
!
access-list 101 permit icmp any any echo-reply
access-list 101 permit icmp any any time-exceeded
access-list 101 permit icmp any any port-unreachable
access-list 101 permit icmp any any net-unreachable
access-list 101 permit icmp any any host-unreachable
access-list 101 permit icmp any any administratively-prohibited
access-list 101 permit icmp any any packet-too-big
access-list 101 deny icmp any any
access-list 101 permit ip any any
!
int Serial0.1
ip access-group 101 in
no ip unreachables
end
0
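Added example (not code from the thread): a small Python model of how IOS evaluates an extended access list, used to replay the three inbound lists discussed here against constructed inbound packets: andgroup's original list 102 from the question, the list 105 from the "final solution" comment, and the accepted list 101. The router address 203.0.113.1 and the inside host 10.0.0.5 are constructed stand-ins for the placeholders in the thread, and the model covers only the syntax these lists use.

```python
from dataclasses import dataclass
# Simplified model of IOS extended-ACL evaluation: rules are checked top to
# bottom, the first match wins, and an implicit "deny ip any any" ends every
# list. Only the syntax used in this thread is handled (source is always "any").

@dataclass(frozen=True)
class Rule:
    action: str               # "permit" or "deny"
    proto: str                # "ip" matches every protocol
    dst: str                  # "any" or one host address
    icmp_type: "str | None"   # None matches every ICMP type
def parse_acl(text):
    """Parse 'access-list N permit|deny PROTO any any|host A [ICMP-TYPE]' lines."""
    rules = []
    for line in text.splitlines():
        tok = line.split()
        if not tok or tok[0] != "access-list":
            continue              # skip '!', 'conf t' and interface commands
        action, proto, rest = tok[2], tok[3], tok[5:]   # tok[4] is the source
        dst, rest = (rest[1], rest[2:]) if rest[0] == "host" else (rest[0], rest[1:])
        rules.append(Rule(action, proto, dst, rest[0] if rest else None))
    return rules

def evaluate(rules, pkt):
    """pkt is (proto, dst, icmp_type); first matching rule wins, else implicit deny."""
    proto, dst, icmp_type = pkt
    for r in rules:
        if (r.proto in ("ip", proto) and r.dst in ("any", dst)
                and r.icmp_type in (None, icmp_type)):
            return r.action
    return "deny"

# The three inbound lists from the thread; 203.0.113.1 stands in for the serial IP.
ORIGINAL = "access-list 102 deny icmp any any echo-reply\naccess-list 102 deny icmp any any time-exceeded"
FINAL = ("access-list 105 deny icmp any host 203.0.113.1\n"
         "access-list 105 deny icmp any any\naccess-list 105 permit ip any any")
ACCEPTED = "\n".join(f"access-list 101 permit icmp any any {t}" for t in (
    "echo-reply", "time-exceeded", "port-unreachable", "net-unreachable",
    "host-unreachable", "administratively-prohibited", "packet-too-big")
) + "\naccess-list 101 deny icmp any any\naccess-list 101 permit ip any any"
# Constructed inbound packets on Serial0.1: a web reply to an inside host, a ping
# of the router itself, and the replies inside users' ping/traceroute depend on.
PACKETS = {"web": ("tcp", "10.0.0.5", None),
           "ping_router": ("icmp", "203.0.113.1", "echo-request"),
           "echo_reply": ("icmp", "10.0.0.5", "echo-reply"),
           "ttl_exceeded": ("icmp", "10.0.0.5", "time-exceeded")}

def verdicts(acl_text):
    rules = parse_acl(acl_text)
    return {name: evaluate(rules, p) for name, p in PACKETS.items()}
```

verdicts(ORIGINAL) denies every packet (the implicit deny that took the Internet down), verdicts(FINAL) still denies the inbound echo-reply that lrmoore objected to, and verdicts(ACCEPTED) permits the replies while denying the echo-request aimed at the router.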
 

Author Comment

by:andgroup
ID: 8013764
Great job guys!
0

Question has a verified solution.