jimmy6154

asked on

Allow ping but not tracert

Is there a way to allow ping through a Cisco 1721 router, but not traceroute? I know you can get pretty granular with ICMP, but it seems that tracert needs the echo from ping to work.

thanks
jhance

I don't think so.  Both use ICMP packets and so if you disable ICMP (which is NOT recommended by the way) you will disable both PING and TRACERT.
OK -- I think you can achieve this result, given some basic understanding of traceroute.

REMEMBER: Traceroute only reports ROUTER hops, not switches or anything else.

So in the 1721, create an access-list denying ICMP traffic to your internal routers.  People can ping you, but cannot traceroute your internal network.

The list would look something like this (the host keyword takes a single address and no wildcard mask):

access-list 101 deny icmp any host [ip.address.of.router]

and then apply the access-list to the interface.
ASKER CERTIFIED SOLUTION
mikebernhardt

I concur with mikebernhardt, except to add: don't forget to apply the access list to an interface on the router (usually the one closest to the source of the traffic is best practice).

Example based on mikebernhardt's scenario above, and assuming fast ethernet 0/0 is facing the source of the traffic:

int fast0/0
rats...hit enter too soon...continuation of above thread

int fast0/0
ip access-group 101 in

ASKER

That worked perfectly! Thank you for the fast replies.

===============================
It's easy:
access-list 101 permit icmp any any echo
access-list 101 permit icmp any any echo-reply
access-list 101 remark drop the TTL-expired replies that traceroute relies on
access-list 101 deny icmp any any time-exceeded
access-list 101 remark without this the implicit deny at the end blocks all other traffic
access-list 101 permit ip any any
===============================
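Both access lists in this thread (the host-specific deny suggested earlier and the per-ICMP-type list just above) are evaluated the same way by IOS: top to bottom, first match wins, and anything that matches no entry hits the implicit deny at the end. The following is an added example, not code from the thread or from Cisco: a small Python model of that evaluation, run against constructed packets for a ping and a Windows-style tracert, so you can see what the three-line list does before applying it to a live interface. The addresses and hop names are constructed, and the list is assumed to be applied inbound on the inside-facing interface so that it sees the inside-to-outside return traffic; the parser also accepts the `host X` form from the earlier answer.

```python
# Added example: a model of Cisco IOS extended-ACL evaluation (first match
# wins, implicit deny at the end). Not code from the thread or from Cisco.
# Assumed, not from the page: the addresses and hop names are constructed,
# and the ACL is applied inbound on the inside-facing interface, so it sees
# inside-to-outside traffic: ping's echo-replies, the time-exceeded messages
# tracert relies on, and everything else the inside network sends out.
from dataclasses import dataclass

ANY = "any"

@dataclass(frozen=True)
class Packet:
    proto: str            # "icmp", "tcp" or "udp"
    src: str
    dst: str
    icmp_type: str = ""   # "echo", "echo-reply", "time-exceeded", ...

@dataclass(frozen=True)
class Ace:
    """One access-list entry; proto "ip" matches every protocol."""
    action: str           # "permit" or "deny"
    proto: str
    src: str              # ANY or a single host address
    dst: str
    icmp_type: str = ""   # "" matches any ICMP type

    def matches(self, p: Packet) -> bool:
        if self.proto != "ip" and self.proto != p.proto:
            return False
        if self.src != ANY and self.src != p.src:
            return False
        if self.dst != ANY and self.dst != p.dst:
            return False
        return not self.icmp_type or self.icmp_type == p.icmp_type

def _addr(tokens):
    """Parse 'any' or 'host A.B.C.D'; returns (address, remaining tokens)."""
    if tokens[0] == "any":
        return ANY, tokens[1:]
    if tokens[0] == "host":
        return tokens[1], tokens[2:]
    raise ValueError("only 'any' and 'host X' are modelled: %r" % tokens)

def parse_acl(text: str) -> list:
    """Parse numbered extended ACL lines in IOS syntax; remarks are skipped."""
    acl = []
    for line in text.strip().splitlines():
        tok = line.split()
        if tok[:1] != ["access-list"] or tok[2] == "remark":
            continue
        action, proto, rest = tok[2], tok[3], tok[4:]
        src, rest = _addr(rest)
        dst, rest = _addr(rest)
        acl.append(Ace(action, proto, src, dst, rest[0] if rest else ""))
    return acl

def evaluate(acl, packet: Packet) -> str:
    """First matching entry decides; no match means the implicit deny."""
    for ace in acl:
        if ace.matches(packet):
            return ace.action
    return "deny"

# The three lines as posted above, and the same list with the explicit
# permit that stops the implicit deny from swallowing all other traffic.
ACL_AS_POSTED = """
access-list 101 permit icmp any any echo
access-list 101 permit icmp any any echo-reply
access-list 101 deny icmp any any time-exceeded
"""
ACL_WITH_PERMIT = ACL_AS_POSTED + "access-list 101 permit ip any any\n"

TRACER = "203.0.113.10"                   # constructed outside host
INSIDE_HOPS = ["192.0.2.1", "192.0.2.2"]  # constructed internal routers
TARGET = "192.0.2.20"                     # constructed inside host

def ping_reply_passes(acl) -> bool:
    """Does the echo-reply to a ping from TRACER to TARGET get out?"""
    return evaluate(acl, Packet("icmp", TARGET, TRACER, "echo-reply")) == "permit"

def simulate_tracert(acl) -> list:
    """Hop column a Windows-style (ICMP echo) tracert from TRACER would show."""
    shown = []
    for hop in INSIDE_HOPS:   # probe with TTL n expires at hop n: time-exceeded
        expired = Packet("icmp", hop, TRACER, "time-exceeded")
        shown.append(hop if evaluate(acl, expired) == "permit" else "*")
    final = Packet("icmp", TARGET, TRACER, "echo-reply")  # last probe reaches TARGET
    shown.append(TARGET if evaluate(acl, final) == "permit" else "*")
    return shown

def inside_tcp_passes(acl) -> bool:
    """Collateral-damage check: an inside host opening a TCP connection out."""
    return evaluate(acl, Packet("tcp", TARGET, TRACER)) == "permit"

if __name__ == "__main__":
    for name, text in (("as posted", ACL_AS_POSTED), ("with permit ip", ACL_WITH_PERMIT)):
        acl = parse_acl(text)
        print(name, "| ping:", ping_reply_passes(acl), "| tracert:",
              simulate_tracert(acl), "| tcp:", inside_tcp_passes(acl))
```

Two things the model makes visible that the three lines alone do not. First, the list hides the internal hops (they come back as `*`) but does not make tracert fail outright: the final probe reaches the target, whose answer is an ordinary echo-reply that the second entry permits, so the destination still appears as the last line. Second, with only those three entries on an interface, the implicit deny drops every non-ICMP packet from the inside network; the `permit ip any any` at the end is what keeps the TCP check passing.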