deny traceroute

Unanswered Question
Oct 8th, 2007

Hi all,

What access-list do I need to configure to deny traceroute from 192.168.1.0/24 to 192.168.2.0/24?

royalblues Mon, 10/08/2007 - 00:36

You would be required to deny ICMP

access-list 101 deny icmp 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255

access-list 101 permit ip any any

apply the access-list inbound to the interface connecting to 192.168.1.0/24 network

This will block ICMP, which includes ping as well as trace.

HTH

Narayan

Jon Marshall Mon, 10/08/2007 - 00:42

Hi

ip access-list extended dntrace

deny ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255 option traceroute

permit ip any any

int fa0/0

ip address 192.168.1.1

ip access-group dntrace in

Edit - actually, scrap this, as I have just tested from a W2K server and it doesn't work!! Apologies.

HTH

Jon

Mohamed Sobair Mon, 10/08/2007 - 00:50

Hi,

Kindly check the access-list below and apply it as close to the source as possible.

access-list 100 permit icmp 192.168.1.0 0.0.0.255 any echo

access-list 100 permit icmp any 192.168.1.0 0.0.0.255 echo-reply

access-list 100 deny icmp 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255 time-exceeded

access-list 100 permit ip any any

HTH

Mohamed Sobair

hobbe Mon, 10/08/2007 - 02:35

First, we do not know what type of device you have, so depending on which device you have, you might have to rewrite this just a tad.

for a 3750 switch it would look something like this

access-list 111 deny icmp any any traceroute

For a firewall such as an ASA or PIX with v7.x, I would think it would be something like this: access-list 111 extended deny icmp any any traceroute

and version 6.x would be

access-list 111 deny icmp any any eq traceroute

or something similar

And yes, of course you would have to add it to whichever interface it should belong to,

i.e. the access-group command.

And if you use any, then you block any. If you want to block just the ones you have specified, then you write the addresses with subnet masks instead of any. In a switch it can be somewhat confusing, since it uses a wildcard mask instead of the "more natural and normal way", i.e. if the subnet is 255.255.255.0 then the wildcard would be 0.0.0.255, and so on.

good luck

Richard Burts Mon, 10/08/2007 - 04:57

In addition to considering what device the access list will be configured on I believe that we also need to consider what device(s) will be generating the traceroute because that determines what type of packet is used in the traceroute. If Windows end stations are doing tracert then the packets are pings (manipulating the TTL) but if the end stations are IOS or _nix then the traceroute packets are UDP with various higher port numbers (and manipulating the TTL).

It seems to me that the approach of deny icmp any any is overly broad and certainly breaks useful things like Path MTU Discovery. I believe that a more appropriate solution would be to deny the TTL exceeded message and the port unreachable message. Note that doing this would be configured as an outbound filter on the interface which is toward the devices doing the traceroute.

HTH

Rick

acbenny Tue, 10/09/2007 - 01:23

Refer to Narayan's reply.

How about if I want to separate the purpose

(1) Only deny traceroute but able to ping

(2) Only deny ping but able to traceroute

Thx !

Richard Burts Tue, 10/09/2007 - 02:53

In reference to Narayan's reply, I believe that a blanket deny ICMP between the addresses is overly broad. It will certainly stop traceroute but will stop a lot of other things also.

As I stated in my response if you want to deny traceroute with minimal impact on other things then deny the specific ICMP messages for TTL exceeded and for port unreachable. If you want to deny ping then deny ICMP echo-request and ICMP echo-reply.

HTH

Rick
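The two points Rick makes above (the probe type depends on the operating system doing the traceroute, and the replies to filter are ICMP time-exceeded and port-unreachable flowing back towards the tracing hosts) can be checked with a small model. The following is an added example written for this page, not code from the thread or from Cisco: it replays the packets of a Windows tracert, a Unix/IOS traceroute, a ping and a Path MTU Discovery message through first-match ACLs modelled on the ones posted above. The router position (fa0/0 facing 192.168.1.0/24), the host addresses 192.168.1.10 and 192.168.2.10, the intermediate hop 10.0.0.2 and the UDP port 33434 are constructed for the simulation.

```python
"""Model of how the ACLs discussed in this thread affect ping and traceroute.

Added example, not from the thread. The filtering router is assumed to sit on
fa0/0 facing 192.168.1.0/24: the "in" list sees packets arriving from that LAN,
the "out" list sees packets leaving towards it. Addresses and port are constructed.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

SRC_NET = ip_network("192.168.1.0/24")  # hosts doing the traceroute
DST_NET = ip_network("192.168.2.0/24")  # hosts being traced to
ANY = ip_network("0.0.0.0/0")


@dataclass(frozen=True)
class Pkt:
    src: str
    dst: str
    proto: str           # "icmp" or "udp"
    icmp_type: str = ""  # IOS keyword: echo, echo-reply, time-exceeded, ...
    dport: int = 0


def evaluate(rules, pkt):
    """First-match evaluation with IOS's implicit deny; an empty list means no ACL."""
    if not rules:
        return "permit"
    for action, proto, src, dst, icmp_type in rules:
        if proto not in ("ip", pkt.proto):
            continue
        if ip_address(pkt.src) not in src or ip_address(pkt.dst) not in dst:
            continue
        if icmp_type is not None and icmp_type != pkt.icmp_type:
            continue
        return action
    return "deny"


def decide(policy, pkt):
    """Packets from 192.168.1.0/24 cross fa0/0 inbound, replies to it outbound."""
    direction = "in" if ip_address(pkt.src) in SRC_NET else "out"
    return evaluate(policy[direction], pkt)


def works(policy, exchange):
    """A tool only works if every packet of its exchange is permitted."""
    return all(decide(policy, p) == "permit" for p in exchange)


PERMIT_ALL = ("permit", "ip", ANY, ANY, None)
# hobbe: "deny icmp any any", applied in both directions
BLANKET = {"in": [("deny", "icmp", ANY, ANY, None), PERMIT_ALL],
           "out": [("deny", "icmp", ANY, ANY, None), PERMIT_ALL]}
# Narayan: access-list 101, inbound on fa0/0 only
NARAYAN = {"in": [("deny", "icmp", SRC_NET, DST_NET, None), PERMIT_ALL], "out": []}
# Rick's traceroute filter, outbound towards the tracing hosts, e.g.
#   access-list 102 deny icmp any 192.168.1.0 0.0.0.255 time-exceeded
#   access-list 102 deny icmp any 192.168.1.0 0.0.0.255 port-unreachable
#   access-list 102 permit ip any any   (ip access-group 102 out on fa0/0)
DENY_TRACE_ONLY = {"in": [],
                   "out": [("deny", "icmp", ANY, SRC_NET, "time-exceeded"),
                           ("deny", "icmp", ANY, SRC_NET, "port-unreachable"),
                           PERMIT_ALL]}
# Rick's ping filter: echo inbound, echo-reply outbound
DENY_PING_ONLY = {"in": [("deny", "icmp", SRC_NET, DST_NET, "echo"), PERMIT_ALL],
                  "out": [("deny", "icmp", ANY, SRC_NET, "echo-reply"), PERMIT_ALL]}

# Constructed exchanges: a probe that reaches the far end plus the replies.
H1, H2, HOP = "192.168.1.10", "192.168.2.10", "10.0.0.2"
WINDOWS_TRACERT = [Pkt(H1, H2, "icmp", "echo"),
                   Pkt(HOP, H1, "icmp", "time-exceeded"),
                   Pkt(H2, H1, "icmp", "echo-reply")]
UNIX_TRACEROUTE = [Pkt(H1, H2, "udp", dport=33434),
                   Pkt(HOP, H1, "icmp", "time-exceeded"),
                   Pkt(H2, H1, "icmp", "port-unreachable")]
PING = [Pkt(H1, H2, "icmp", "echo"), Pkt(H2, H1, "icmp", "echo-reply")]
PMTUD = [Pkt(HOP, H1, "icmp", "packet-too-big")]  # fragmentation needed

TOOLS = {"windows tracert": WINDOWS_TRACERT, "unix traceroute": UNIX_TRACEROUTE,
         "ping": PING, "pmtud": PMTUD}
POLICIES = {"blanket deny icmp": BLANKET, "narayan acl 101": NARAYAN,
            "deny trace only": DENY_TRACE_ONLY, "deny ping only": DENY_PING_ONLY}


def matrix():
    """Which tool still works under which policy."""
    return {p: {t: works(pol, ex) for t, ex in TOOLS.items()}
            for p, pol in POLICIES.items()}


if __name__ == "__main__":
    for name, row in matrix().items():
        print(f"{name:18} " + "  ".join(f"{t}={'ok' if v else 'BLOCKED'}" for t, v in row.items()))
```

Two things the matrix makes visible: an inbound deny on 192.168.1.0/24 to 192.168.2.0/24 ICMP stops Windows tracert and ping but lets a UDP-based traceroute through untouched, because its probes are UDP and its replies travel the other way; and time-exceeded messages come from the intermediate routers, not from the 192.168.2.0/24 hosts, so a rule that names 192.168.2.0/24 as the source of those messages never matches them. Denying echo also kills Windows tracert, so "deny ping but allow traceroute" only holds for UDP-probing tools. One caveat not modelled here: on IOS an outbound ACL does not filter packets the router itself originates, so the filtering router's own hop will still answer with time-exceeded.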
