
Allow ping but not tracert

Is there a way to allow ping through a 1721 cisco router, but not Traceroute? I know you can get pretty granular with ICMP, but it seems that tracert needs to echo from ping to work.

thanks
Asked by jimmy6154
 
jhance commented:
I don't think so. Both use ICMP packets, so if you disable ICMP (which is NOT recommended, by the way) you will disable both PING and TRACERT.
 
RPPreacher commented:
OK -- I think you can achieve this result, given some basic understanding of traceroute.

REMEMBER: Traceroute only reports ROUTER hops, not switches or anything else.

So in the 1721, create an access-list denying ICMP traffic to your internal routers. People can ping you, but cannot traceroute your internal network.

The list would look something like this:

access-list 101 deny icmp any host [ip.address.of.router]

and then apply the access-list to the interface.
 
mikebernhardt commented:
It's easy:
access-list 101 permit icmp any any echo
access-list 101 permit icmp any any echo-reply
access-list 101 deny icmp any any time-exceeded

Traceroute uses time-exceeded messages plus some UDP. So the above will just cause * to appear once it hits your router. The above allows ping both ways; you might want to allow echo-reply inbound while blocking echos inbound, so inside people can ping and get replies, but outside people can't ping in.

Remember that access lists have an implicit deny at the end. So anything not specifically permitted will be denied once the access list is applied. In the above case ONLY ping will be allowed, no other traffic. So use it as part of a list only!
 
rburns50 commented:
I concur with mikebernhardt, except to add: don't forget to apply the access list to an interface on the router (usually the one closest to the source of the traffic is best practice).

Example based on mikebernhardt's scenario above, and assuming fast ethernet 0/0 is facing the source of the traffic:

int fast0/0
 
rburns50 commented:
rats...hit enter too soon...continuation of above thread

int fast0/0
ip access-group 101 in
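An added example (written for this page, not posted by anyone in the thread): a small Python model of mikebernhardt's three-line ACL, evaluated first-match with IOS's implicit deny, showing which ping and traceroute packets get through on their own and after the catch-all permit that "use it as part of a list" calls for. The Packet class, the sample packets and the `permit ip any any` catch-all are my assumptions, not part of the thread.

```python
# Added example (not from the thread): first-match model of the ACL posted above.
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    proto: str            # "icmp", "udp" or "tcp"
    icmp_type: str = ""   # "echo", "echo-reply", "time-exceeded", ...

# The three lines mikebernhardt posted, in the order they were given.
ACL_101 = [
    "access-list 101 permit icmp any any echo",
    "access-list 101 permit icmp any any echo-reply",
    "access-list 101 deny icmp any any time-exceeded",
]
# The catch-all entry you would add when using the above "as part of a list".
PERMIT_REST = "access-list 101 permit ip any any"

def parse_ace(line: str):
    """Return (action, proto, icmp_type) for an 'any any' entry of a numbered extended ACL."""
    parts = line.split()  # access-list, 101, action, proto, any, any, [icmp-type]
    icmp_type = parts[6] if len(parts) > 6 else ""
    return parts[2], parts[3], icmp_type

def evaluate(acl, pkt: Packet) -> str:
    """IOS ACLs are first-match; a packet matching no entry hits the implicit deny."""
    for line in acl:
        action, proto, icmp_type = parse_ace(line)
        if proto != "ip" and proto != pkt.proto:   # "ip" matches every protocol
            continue
        if icmp_type and icmp_type != pkt.icmp_type:
            continue
        return action
    return "deny (implicit)"

def verdicts(acl) -> dict:
    """Constructed sample packets: a ping, both traceroute flavours, an unrelated TCP session."""
    samples = {
        "ping request": Packet("icmp", "echo"),
        "ping reply": Packet("icmp", "echo-reply"),
        "tracert probe (Windows, ICMP echo)": Packet("icmp", "echo"),
        "traceroute probe (Unix, UDP)": Packet("udp"),
        "hop reply (ICMP time-exceeded)": Packet("icmp", "time-exceeded"),
        "ssh session (TCP)": Packet("tcp"),
    }
    return {name: evaluate(acl, p) for name, p in samples.items()}

if __name__ == "__main__":
    for name, verdict in verdicts(ACL_101 + [PERMIT_REST]).items():
        print(f"{name:36s} -> {verdict}")
```

With the three lines alone, every non-ping packet (including the UDP probes and the TCP session) falls to the implicit deny; with the catch-all appended, only the time-exceeded replies are still dropped, which is what makes the hops past the router show up as *.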
 
jimmy6154 (Author) commented:
That worked perfectly! Thank you for the fast replies.

===============================
It's easy:
access-list 101 permit icmp any any echo
access-list 101 permit icmp any any echo-reply
access-list 101 deny icmp any any time-exceeded
===============================
