jimmy6154
asked on
Allow ping but not tracert
Is there a way to allow ping through a 1721 cisco router, but not Traceroute? I know you can get pretty granular with ICMP, but it seems that tracert needs to echo from ping to work.
thanks
I don't think so. Both use ICMP packets and so if you disable ICMP (which is NOT recommended by the way) you will disable both PING and TRACERT.
OK -- I think you can achieve this result, given some basic understanding of traceroute.
REMEMBER: Traceroute only reports ROUTER hops, not switches or anything else.
So in the 1721, create an access-list denying ICMP traffic to your internal routers. People can ping you, but cannot traceroute your internal network.
the list would look something like this
access-list 101 deny icmp any host [ip.address.of.router]
and then apply the access-list to the interface.
I concur with mikebernhardt, except to add: don't forget to apply the access list to an interface on the router (usually the one closest to the source of the traffic is best practice).
Example based on mikebernhardt's scenario above, and assuming fast ethernet 0/0 is facing the source of the traffic:
int fast0/0
rats...hit enter too soon...continuation of above thread
int fast0/0
ip access-group 101 in
ASKER
that worked perfect! thank you for the fast replies.
==========================
It's easy:
access-list 101 permit icmp any any echo
access-list 101 permit icmp any any echo-reply
access-list 101 deny icmp any any time-exceeded
==========================
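Added example, not from any of the posts above: a small Python model of how IOS evaluates an extended numbered ACL (first match wins, wildcard masks, ICMP type keywords, and the implicit deny that ends every ACL). It runs the two ACLs proposed in the thread against constructed traffic so you can see why permitting echo/echo-reply while denying time-exceeded lets ping through but starves traceroute of hop answers. Addresses are documentation ranges chosen for the example; ACL 102 is mikebernhardt's idea with a placeholder router block and an added `permit ip any any`, which the thread's snippet omitted but IOS would need, since without it the implicit deny drops everything else.

```python
"""Toy evaluator for Cisco-style extended ACL entries (added example)."""
import ipaddress
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

# ICMP type numbers behind the keywords used in the thread (RFC 792 values).
ICMP_TYPES = {"echo": 8, "echo-reply": 0, "time-exceeded": 11, "unreachable": 3}


@dataclass
class Packet:
    proto: str                  # "icmp", "tcp", "udp", ...
    src: str
    dst: str
    icmp_type: Optional[int] = None


@dataclass
class Entry:
    action: str                 # "permit" or "deny"
    proto: str                  # "ip" matches any protocol
    src: Callable[[str], bool]
    dst: Callable[[str], bool]
    icmp_type: Optional[int]
    text: str


def _parse_addr(tokens: List[str], i: int) -> Tuple[Callable[[str], bool], int]:
    """Consume one address spec: 'any' | 'host A.B.C.D' | 'A.B.C.D W.W.W.W'."""
    tok = tokens[i]
    if tok == "any":
        return (lambda a: True), i + 1
    if tok == "host":
        want = int(ipaddress.IPv4Address(tokens[i + 1]))
        return (lambda a: int(ipaddress.IPv4Address(a)) == want), i + 2
    base = int(ipaddress.IPv4Address(tok))
    wild = int(ipaddress.IPv4Address(tokens[i + 1]))
    # Wildcard mask: a 1 bit means "don't care" (the inverse of a subnet mask).
    return (lambda a: (int(ipaddress.IPv4Address(a)) | wild) == (base | wild)), i + 2


def parse_entry(line: str) -> Entry:
    t = line.split()
    if t[0] != "access-list":
        raise ValueError("not an access-list line: " + line)
    action, proto = t[2], t[3]
    src, i = _parse_addr(t, 4)
    dst, i = _parse_addr(t, i)
    icmp_type = None
    if i < len(t):                      # trailing ICMP type keyword
        if proto != "icmp":
            raise ValueError("only ICMP type qualifiers are modelled: " + line)
        icmp_type = ICMP_TYPES[t[i]]
    return Entry(action, proto, src, dst, icmp_type, line)


def parse_acl(text: str) -> List[Entry]:
    return [parse_entry(l) for l in text.strip().splitlines()]


def evaluate(acl: List[Entry], pkt: Packet) -> Tuple[str, str]:
    """Return (action, matching line). IOS stops at the first match and
    applies an implicit 'deny' when nothing matches."""
    for e in acl:
        if e.proto not in ("ip", pkt.proto):
            continue
        if not (e.src(pkt.src) and e.dst(pkt.dst)):
            continue
        if e.icmp_type is not None and e.icmp_type != pkt.icmp_type:
            continue
        return e.action, e.text
    return "deny", "implicit deny at end of ACL"


def classify(acl: List[Entry], pkt: Packet) -> str:
    return evaluate(acl, pkt)[0]


# The type-based ACL from the last post in the thread.
ACL_101 = parse_acl("""
access-list 101 permit icmp any any echo
access-list 101 permit icmp any any echo-reply
access-list 101 deny icmp any any time-exceeded
""")

# mikebernhardt's approach with a constructed router block (192.0.2.0-.3);
# the final permit is an addition so non-router traffic survives the implicit deny.
ACL_102 = parse_acl("""
access-list 102 deny icmp any 192.0.2.0 0.0.0.3
access-list 102 permit ip any any
""")

# Constructed traffic: an outside host 198.51.100.7, inside host 192.0.2.10,
# inside router 192.0.2.1.
SAMPLES = {
    "ping request to host":    Packet("icmp", "198.51.100.7", "192.0.2.10", ICMP_TYPES["echo"]),
    "ping request to router":  Packet("icmp", "198.51.100.7", "192.0.2.1", ICMP_TYPES["echo"]),
    "ping reply":              Packet("icmp", "192.0.2.10", "198.51.100.7", ICMP_TYPES["echo-reply"]),
    "traceroute hop answer":   Packet("icmp", "192.0.2.1", "198.51.100.7", ICMP_TYPES["time-exceeded"]),
    "ssh to host":             Packet("tcp", "198.51.100.7", "192.0.2.10"),
}

if __name__ == "__main__":
    for name, acl in (("ACL 101", ACL_101), ("ACL 102", ACL_102)):
        for label, pkt in SAMPLES.items():
            action, why = evaluate(acl, pkt)
            print(f"{name}: {label:24s} -> {action:6s} ({why})")
```

Note what the run shows for ACL 101: ping in both directions passes, the time-exceeded messages traceroute depends on are dropped, and the SSH session is also dropped by the implicit deny, so apply that ACL only on an interface where ICMP is the only traffic you expect, or add the permits you need before the end. ACL 102 blocks ICMP aimed at the router addresses only; direction still matters, which is why the thread applies the list inbound on the interface nearest the traffic source.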