cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
14240
Views
10
Helpful
8
Replies

deny traceroute

acbenny
Level 1
Level 1

Hi all,

What access-list I need to configure if deny traceroute from 192.168.1.0/24 to 192.168.2.0/24..

8 Replies 8

royalblues
Level 10
Level 10

You would be required to deny ICMP

access-list 101 deny icmp 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255

access-list 101 permit ip any any

apply the access-list inbound to the interface connecting to 192.168.1.0/24 network

This will block ICMP which includes, ping as well as trace

HTH

Narayan

Jon Marshall
Hall of Fame
Hall of Fame

Hi

ip access-list extended dntrace

deny ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255 option traceroute

permit ip any any

int fa0/0

ip address 192.168.1.1

ip access-group dntrace in

Edit - actually scrap this as i have just tested from a W2K server and it doesn't work !!- apologies.

HTH

Jon

I believe you are right, this will allow ICMP traffic and blocks only the tracerout right. 

Please do not hesitate to click the STAR button if you are satisfied with my answer.

Mohamed Sobair
Level 7
Level 7

Hi,

kindly check bellow access-list and apply as close to the source as possible.

access-list 100 permit icmp 192.168.1.0 0.0.0.255 any echo

access-list 100 permit icmp any 192.168.1.0 0.0.0.255 echo-reply

access-list 100 deny icmp 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255 time-exceeded

access-list 100 permit ip any any

HTH

Mohamed Sobair

hobbe
Level 7
Level 7

First we do not know what type of device you have. so depending on what device you have you might have to rewrite this just a tad.

for a 3750 switch it would look something like this

access-list 111 deny icmp any any traceroute

for a firewall such as ASA or pix with v7.x i would think it would be something like this: access-list 111 extended deny icmp any any traceroute

and version 6.x would be

access-list 111 deny icmp any any eq traceroute

or something similar

and yes of course you would have to add it to wichever interface it should belong to.

ie. the access-group command

and if you use any, then you block any, if you want to block just the ones you have specified then you just write the addresses with subnetmasks instead of any, in a switch it can be somewhat confusing since it uses a wildcard mask instead of the "more natural and normal way". ie if the subnet is 255.255.255.0 then the wildcard would be 0.0.0.255 and so on.

good luck

In addition to considering what device the access list will be configured on I believe that we also need to consider what device(s) will be generating the traceroute because that determines what type of packet is used in the traceroute. If Windows end stations are doing tracert then the packets are pings (manipulating the TTL) but if the end stations are IOS or _nix then the traceroute packets are UDP with various higher port numbers (and manipulating the TTL).

It seems to me that the approach of deny icmp any any is overly broad and certainly breaks useful things like Path MTU Discovery. I believe that a more appropriate solution would be to deny the TTL exceeded message and the port unreachable message. Note that doing this would be configured as an outbound filter on the interface which is toward the devices doing the traceroute.

HTH

Rick

HTH

Rick

Refer to Narayan reply.

How about if I want to separate the purpose

(1) Only deny traceroute but able to ping

(2) Only deny ping but able to traceroute

Thx !

In reference to Narayan reply I believe that a blanket deny ICMP between the addresses is overly broad. It will certainly stop traceroute but will stop a lot of other things also.

As I stated in my response if you want to deny traceroute with minimal impact on other things then deny the specific ICMP messages for TTL exceeded and for port unreachable. If you want to deny ping then deny ICMP echo-request and ICMP echo-reply.

HTH

Rick

HTH

Rick
Review Cisco Networking for a $25 gift card