
closing traceroute and icmp

How can we totally close traceroute and ICMP? A vulnerability test shows they are open on my 2500.

thx a lot

2 REPLIES
New Member

Re: closing traceroute and icmp

You could use an ACL that looks something like this:

inbound:

access-list 101 deny icmp any any

or

access-list 101 deny icmp any any echo # If you just want to stop incoming pings

outbound:

access-list 102 deny icmp any any unreachable

access-list 102 deny icmp any any time-exceeded

The 101 will stop pings from coming in, but it will also stop echo replies (from a ping you initiate) from getting back to you.

Traceroute is more difficult. Traceroute is nothing more than a UDP packet that looks for a certain ICMP response from a router or host. If it receives an ICMP time exceeded message then the client knows that it is a router. If it is an ICMP unreachable then it has found the target host.

The 102 will stop all responses to traceroutes rendering the trace useless. It does not stop the initial traceroute packet at the router, it only stops the response.

Kevin
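The ACLs from Kevin's reply written out in full, as an added example that is not part of his post: IOS numbered access lists end with an implicit deny, so each list needs a trailing permit, and the lists only take effect once bound to an interface (Ethernet0 is an assumed interface name for a 2500).

```cisco
! Added example (not from the reply above): complete form of ACLs 101 and 102.
! Every IOS access list ends with an implicit "deny any"; without the
! trailing "permit ip any any" the lists would drop ALL other traffic.
!
! Inbound: drop ICMP echo requests only, so replies to the router's own
! pings still get back. "deny icmp any any" (the stricter variant) would
! also discard echo-reply, unreachable and time-exceeded coming back in.
access-list 101 deny   icmp any any echo
access-list 101 permit ip any any
!
! Outbound: drop the two ICMP responses traceroute depends on, so probes
! still arrive but never yield a usable answer.
access-list 102 deny   icmp any any time-exceeded
access-list 102 deny   icmp any any unreachable
access-list 102 permit ip any any
!
! Bind the lists to the interface facing the network running the scan
! (Ethernet0 is an assumed name; use the real interface on your router).
interface Ethernet0
 ip access-group 101 in
 ip access-group 102 out
!
! Closest thing to a "no service"-style switch for part of this: stop the
! router generating ICMP unreachables on the interface at all.
 no ip unreachables
```

One caveat worth checking after applying this: an outbound access-group on IOS filters transit traffic but not packets the router itself originates, so list 102 alone does not silence the router's own time-exceeded and unreachable messages. That is why the interface-level no ip unreachables is included; there is no equivalent interface command for time-exceeded in classic IOS, so re-run the scan to confirm what is actually still answered.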

New Member

Re: closing traceroute and icmp

Thanks Kevin, but what I am after is totally closing the ICMP and traceroute service, like closing finger, where you would invoke "no service finger".
