Cisco Support Community

Reflexive access-lists for traceroute... Possible?

Gurus of all things Cisco...

I want to set up an ACL that denies inbound traceroute both to my router and internal networks. I know that on some Unix and Linux operating systems, traceroute uses UDP packets to cause routers along the path to generate ICMP message types 'Time Exceeded' and 'Unreachable'. This would tell me that I need to block UDP on port range 33400 through 34400, i.e.: access-list 100 deny udp any any range 33400 34400 log

Here's the tricky part... I want to allow traceroute to be sent FROM my internal network for various purposes. If I arbitrarily block those port ranges on an inbound ACL, won't the return reply be blocked?

This leads me to think that a reflexive ACL for traceroute is the answer so I can permit traceroute to return ONLY if initiated from the internal network.. But I can't find enough info in the RFC to determine the following:

1. Does the port number change during the session (like TFTP, i.e. application source port to destination port 69 ---> application source port to originator's source port as destination)? If this is the case, reflexive ACLs won't work and the packet will be denied.

2. OR... does a traceroute from these machines only go out as a UDP packet to generate the ICMP message and "return" as an ICMP packet? If this is true, I assume my current ACLs that permit ICMP echo replies and deny ICMP echos are insufficient and need to be modified to permit type 3 (time-exceeded) and type 11 (Unreachable). Do I also need to specifically deny type 30 (traceroute)?

Thanks for the help!!!
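The exchange asked about in point 2, modelled as an added Python example that is not from this thread or from Cisco: a UDP probe goes out, an ICMP Time Exceeded comes back from a transit hop, and a reflexive entry keyed on the outbound UDP 5-tuple never matches that reply because the reply is a different protocol from a different source. The second evaluator shows what a stateful check on the quoted inner datagram would do instead. All addresses, ports and packets are constructed; checksums are left zero.

```python
import struct, socket

ICMP, UDP = 1, 17
TRACEROUTE_REPLIES = {3, 11}  # ICMP destination-unreachable and time-exceeded

def ipv4(src, dst, proto, payload):
    """Minimal 20-byte IPv4 header (no options, checksum zero) plus payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                      proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr + payload

def udp(sport, dport):
    return struct.pack("!HHHH", sport, dport, 8, 0)

def icmp_error(itype, code, original):
    """ICMP error: 8-byte header, then the offending IP header + first 8 bytes."""
    return struct.pack("!BBHI", itype, code, 0, 0) + original[:28]

def parse(pkt):
    """Return (proto, src, dst, layer-4 bytes) of an IPv4 packet."""
    ihl = (pkt[0] & 0x0F) * 4
    return pkt[9], socket.inet_ntoa(pkt[12:16]), socket.inet_ntoa(pkt[16:20]), pkt[ihl:]

def reflexive_entry(outbound):
    """What a 'reflect' entry records for an outbound UDP probe: the mirrored 5-tuple."""
    proto, src, dst, l4 = parse(outbound)
    sport, dport = struct.unpack("!HH", l4[:4])
    return (proto, dst, dport, src, sport)

def reflexive_permits(inbound, table):
    """Reflexive evaluation: the inbound packet's own protocol and 5-tuple must match."""
    proto, src, dst, l4 = parse(inbound)
    if proto != UDP:
        return False  # an ICMP reply can never match a UDP entry
    sport, dport = struct.unpack("!HH", l4[:4])
    return (proto, src, sport, dst, dport) in table

def stateful_permits(inbound, table):
    """Also accept ICMP 3/11 whose quoted inner datagram belongs to a session we opened."""
    if reflexive_permits(inbound, table):
        return True
    proto, src, dst, l4 = parse(inbound)
    if proto != ICMP or l4[0] not in TRACEROUTE_REPLIES:
        return False
    in_proto, in_src, in_dst, in_l4 = parse(l4[8:])  # the quoted original probe
    sport, dport = struct.unpack("!HH", in_l4[:4])
    return (in_proto, in_dst, dport, in_src, sport) in table

# Constructed sample: probe out from 10.0.0.5, time-exceeded back from a transit hop,
# and an unsolicited inbound probe aimed at us (documentation address ranges).
probe = ipv4("10.0.0.5", "198.51.100.9", UDP, udp(40123, 33435))
reply = ipv4("203.0.113.1", "10.0.0.5", ICMP, icmp_error(11, 0, probe))
unsolicited = ipv4("203.0.113.1", "10.0.0.5", UDP, udp(4321, 33435))
TABLE = {reflexive_entry(probe)}
```

Run as written, `reflexive_permits(reply, TABLE)` is False while `stateful_permits(reply, TABLE)` is True, which is why the inbound ACL needs explicit permits for the ICMP error types rather than relying on the UDP reflexive entry.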


Re: Reflexive access-lists for traceroute... Possible?

You can't effectively block an inbound traceroute since you can use *any* TCP or UDP packet.

However, you may place an outbound ACL blocking ICMP type 11 code 0 from being returned to the originator.

Other ideas?
