01-17-2003 11:55 AM - edited 03-02-2019 04:17 AM
How can we totally close traceroute and ICMP? A vulnerability test shows they are open on my 2500.
thx a lot
01-17-2003 12:33 PM
You could use an ACL that looks something like this:
inbound:
access-list 101 deny icmp any any
or
access-list 101 deny icmp any any echo (if you just want to stop incoming pings)
outbound:
access-list 102 deny icmp any any unreachable
access-list 102 deny icmp any any time-exceeded
The 101 will stop pings from coming in, but it will also stop echo replies (to a ping you initiate) from getting back to you.
Traceroute is more difficult. Traceroute is nothing more than a UDP packet that looks for a certain ICMP response from a router or host. If it receives an ICMP time exceeded message then the client knows that it is a router. If it is an ICMP unreachable then it has found the target host.
The 102 will stop all responses to traceroutes, rendering the trace useless. It does not stop the initial traceroute packet at the router; it only stops the response.
Kevin
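Two things worth checking before pasting the lines above into a router, shown with a small first-match model of IOS numbered extended ACLs. This is an added example, not Kevin's or Cisco's code: it models only the "access-list N action PROTO any any [icmp-type]" form used in the answer, the sample packets are constructed, and ACL number 103 is a constructed label for the blanket "deny icmp any any" variant. It demonstrates that every IOS ACL ends in an implicit deny (so the lines as posted, with no permit entry, would drop all traffic on the interface they are applied to), and that the blanket deny also drops the echo-replies to your own pings while the "echo" form does not.

```python
"""First-match model of Cisco IOS numbered extended ACLs (constructed example).

Only the 'access-list N {permit|deny} PROTO any any [icmp-type]' form is
modelled; anything else is rejected rather than silently misread.
"""
from dataclasses import dataclass
from typing import Optional

# ICMP type numbers for the keywords IOS accepts in extended ACLs.
ICMP_TYPES = {"echo": 8, "echo-reply": 0, "unreachable": 3, "time-exceeded": 11}


@dataclass(frozen=True)
class Packet:
    proto: str                       # "icmp", "udp" or "tcp"
    icmp_type: Optional[int] = None  # ICMP type number, None for non-ICMP


def parse_acl(text: str) -> dict:
    """Parse ACL lines into {number: [(action, proto, icmp_type_or_None), ...]}.

    Lines beginning with '!' are comments, as in an IOS configuration file.
    """
    acls: dict = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        parts = line.split()
        if parts[:1] != ["access-list"] or len(parts) not in (6, 7):
            raise ValueError(f"unsupported line: {raw!r}")
        number, action, proto = int(parts[1]), parts[2], parts[3].lower()
        if action not in ("permit", "deny") or parts[4:6] != ["any", "any"]:
            raise ValueError(f"unsupported line: {raw!r}")
        icmp_type = None
        if len(parts) == 7:
            if proto != "icmp":
                raise ValueError(f"type keyword only valid for icmp: {raw!r}")
            icmp_type = ICMP_TYPES[parts[6]]
        acls.setdefault(number, []).append((action, proto, icmp_type))
    return acls


def evaluate(entries: list, pkt: Packet) -> str:
    """Return 'permit' or 'deny'. First matching entry wins; no match falls
    through to the implicit 'deny' that IOS appends to every ACL."""
    for action, proto, icmp_type in entries:
        if proto != "ip" and proto != pkt.proto:
            continue
        if icmp_type is not None and icmp_type != pkt.icmp_type:
            continue
        return action
    return "deny"


# Constructed traffic: an incoming ping, the reply to a ping we sent, the two
# traceroute responses, a traceroute UDP probe, and an ordinary TCP segment.
SAMPLE = {
    "echo": Packet("icmp", 8),
    "echo-reply": Packet("icmp", 0),
    "unreachable": Packet("icmp", 3),
    "time-exceeded": Packet("icmp", 11),
    "udp-probe": Packet("udp"),
    "tcp": Packet("tcp"),
}


def fate(acl_text: str, number: int) -> dict:
    """Map each sample packet name to what ACL `number` does with it."""
    entries = parse_acl(acl_text)[number]
    return {name: evaluate(entries, pkt) for name, pkt in SAMPLE.items()}


# The answer's lines exactly as posted: no permit entry anywhere.
AS_POSTED = """
access-list 101 deny icmp any any echo
access-list 102 deny icmp any any unreachable
access-list 102 deny icmp any any time-exceeded
"""

# The same lines with the explicit permit each ACL needs to pass other
# traffic, plus the blanket-deny variant under a constructed number (103).
COMPLETED = """
! inbound: drop incoming pings only
access-list 101 deny icmp any any echo
access-list 101 permit ip any any
! outbound: suppress the two traceroute responses
access-list 102 deny icmp any any unreachable
access-list 102 deny icmp any any time-exceeded
access-list 102 permit ip any any
! inbound, blanket version from the answer
access-list 103 deny icmp any any
access-list 103 permit ip any any
"""

if __name__ == "__main__":
    print("101 as posted :", fate(AS_POSTED, 101))   # every packet denied
    print("101 completed :", fate(COMPLETED, 101))
    print("102 completed :", fate(COMPLETED, 102))
    print("103 completed :", fate(COMPLETED, 103))
```

Running it shows 101 as posted denying all six sample packets, 101 with the permit line letting echo-replies and TCP through while still dropping incoming echo, 103 dropping both echo and echo-reply, and 102 dropping only the unreachable and time-exceeded responses while the UDP probe itself passes, which is the behaviour the answer describes.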
01-19-2003 06:41 AM
Thx Kevin, but what I am after is totally closing the ICMP and traceroute service, like closing finger, where you invoke no service finger.