Private IPs showing up in external Traceroutes

d.worthley
Level 1

I am running EBGP with 2 routers on the internet. These routers are running OSPF with Private P2P links neighbored up to my Core where I am extending the public address space to VRF. When I do any external traceroutes inbound from the internet, I am seeing the Private P2P IP addresses showing up in the traceroute. How do I prevent this from happening?

4 Replies

johnspaulding
Level 1

You can block the following icmp ports:

example:

deny icmp any any port-unreachables
deny icmp any any echo-reply
deny icmp any any time-exceeded
permit ip any any

This will stop the traceroute from showing you public IP. Let me know if this was what you're looking for.

If I apply that to the public side of my external routers inbound ACL, that will block ICMP totally. I am looking to enable ICMP but just do not want the private P2Ps to show up in the echo-replies. This is the example below:

CAT3750#traceroute 97.65.22.176

Type escape sequence to abort.
Tracing the route to 97.65.22.176

1 192.168.1.1 0 msec 0 msec 0 msec
2 * * *
3 68.85.94.21 8 msec 16 msec 26 msec
4 te-9-1-ur01.palatka.fl.jacksvil.comcast.net (68.85.225.26) 16 msec 17 msec 17 msec
5 te-9-1-ur01.staugustine.fl.jacksvil.comcast.net (68.85.225.2) 17 msec 25 msec 17 msec
6 te-5-3-ar01.southsiderdc.fl.jacksvil.comcast.net (68.85.225.29) 25 msec 25 msec 17 msec
7 te-0-2-0-5-ar03.pompanobeach.fl.pompano.comcast.net (68.85.229.229) 25 msec 25 msec 25 msec
8 pos-0-7-0-0-ar03.northdade.fl.pompano.comcast.net (68.86.164.5) 25 msec 25 msec 25 msec
9 pos-0-3-0-0-cr01.miami.fl.ibone.comcast.net (68.86.91.221) 25 msec 25 msec 25 msec
10 pos-2-3-0-0-cr01.atlanta.ga.ibone.comcast.net (68.86.85.193) 42 msec 42 msec 42 msec
11 pos-1-14-0-0-cr01.dallas.tx.ibone.comcast.net (68.86.85.153) 59 msec 59 msec 75 msec
12 64.132.69.249 59 msec 68 msec 58 msec
13 199.227.21.78 76 msec 76 msec 67 msec
14 199.227.21.78 75 msec 76 msec 67 msec
15 * 10.2.254.6 67 msec 75 msec
16 * * *
17 * * *
18 * *

My internal P2P IP 10.2.254.6 is showing up on my external traceroute.
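A small audit script a network defender can run over the traceroute output above to flag every hop that answered from RFC 1918 space, added here as an example and not code from the thread; the sample input is a trimmed copy of the quoted IOS output, and treating the wrapped hop 15 as a continuation line is my assumption about how IOS folded it.

```python
import ipaddress
import re

# Constructed sample: a trimmed copy of the IOS traceroute quoted in the
# thread, keeping hop 15, whose address was wrapped onto its own line.
SAMPLE_TRACEROUTE = """\
Type escape sequence to abort.
Tracing the route to 97.65.22.176

1 192.168.1.1 0 msec 0 msec 0 msec
2 * * *
3 68.85.94.21 8 msec 16 msec 26 msec
4 te-9-1-ur01.palatka.fl.jacksvil.comcast.net (68.85.225.26) 16 msec 17 msec 17 msec
13 199.227.21.78 76 msec 76 msec 67 msec
15 *
10.2.254.6 67 msec 75 msec
16 * * *
"""

# A hop line is a bare hop number followed by whitespace; a line that opens
# with a dotted address ("10.2.254.6 ...") does not match and is a continuation.
HOP_RE = re.compile(r"^\s*(\d+)\s+(.*)$")
IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_hops(text):
    """Return [(hop_number, [responding_ip, ...]), ...] from IOS traceroute output.

    Each address is the source of that router's ICMP time-exceeded reply, i.e.
    the interface the probe arrived on. A non-empty line without a leading hop
    number is appended to the previous hop (assumption: wrapped output)."""
    hops = []
    for line in text.splitlines():
        m = HOP_RE.match(line)
        if m:
            hops.append((int(m.group(1)), IP_RE.findall(m.group(2))))
        elif hops and line.strip():
            hops[-1][1].extend(IP_RE.findall(line))
    return hops


def private_hops(text):
    """Hops that replied from RFC 1918 space: the addresses the thread wants
    kept out of an inbound traceroute."""
    return [(hop, ip) for hop, ips in parse_hops(text) for ip in ips
            if any(ipaddress.ip_address(ip) in net for net in RFC1918)]


if __name__ == "__main__":
    for hop, ip in private_hops(SAMPLE_TRACEROUTE):
        print(f"hop {hop}: {ip} is a private address")
```

Hop 1 is the tracing host's own default gateway, so only hop 15 is the leak the thread is about.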

All you should need to do is disable ICMP port-unreachables and time-exceeded. This will prevent the device from showing in the traceroute.

deny icmp any any port-unreachables
deny icmp any any time-exceeded
permit ip any any - allow everything else

You actually shouldn't need to disable the echo-reply.

I'm sorry, I wasn't thinking inbound direction. That's going to be a UDP port range.
