Cisco Support Community
New Member

totally closing icmp & traceroute

I wanted a solution to totally close ping and traceroute on my 2500, other than doing it with an access-list. A penetration test has reported this as a vulnerability.

thx.

3 REPLIES

Re: totally closing icmp & traceroute

Disabling traceroute can be achieved with the interface command:

no ip unreachables

Disabling ICMP echo should be done with an extended access-list that denies ICMPs from undesired sources.

New Member

Re: totally closing icmp & traceroute

Hi,

I've tried the no ip unreachables command on both the interfaces but am still facing the same problem.

thx

New Member

Re: totally closing icmp & traceroute

You might want to try this to stop UDP-based traces.

access-list 199 deny udp any range 32769 65535 any range 33434 33523

access-list 199 permit ip any any

Then apply it to an edge interface both in and out. A previous poster gave the right info for blocking ICMP echo requests and replies.
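An added example, not part of the thread: a small first-match evaluator for the two access-list 199 lines quoted above, used to check which packets the list denies. It assumes the classic UDP traceroute defaults (destination base port 33434, 30 hops, 3 probes per hop), which is where the 33434-33523 range comes from; the function names and sample packets are constructed for illustration.

```python
import re

# The two ACL 199 entries quoted from the reply above.
ACL_199 = """\
access-list 199 deny udp any range 32769 65535 any range 33434 33523
access-list 199 permit ip any any
"""

# Only the subset of extended-ACL syntax used in the thread is supported.
ENTRY = re.compile(
    r"access-list \d+ (permit|deny) (\w+) any(?: range (\d+) (\d+))?"
    r" any(?: range (\d+) (\d+))?$"
)

def parse(text):
    """Return a list of (action, protocol, source range, destination range)."""
    entries = []
    for line in text.strip().splitlines():
        m = ENTRY.match(line.strip())
        if not m:
            raise ValueError(f"unsupported ACL line: {line!r}")
        action, proto, s_lo, s_hi, d_lo, d_hi = m.groups()
        sport = (int(s_lo), int(s_hi)) if s_lo else None
        dport = (int(d_lo), int(d_hi)) if d_lo else None
        entries.append((action, proto, sport, dport))
    return entries

def in_range(port, rng):
    # An entry without a port range matches any packet of that protocol.
    return rng is None or (port is not None and rng[0] <= port <= rng[1])

def evaluate(entries, proto, sport=None, dport=None):
    """First matching entry wins; IOS ends every ACL with an implicit deny."""
    for action, acl_proto, s_rng, d_rng in entries:
        if acl_proto in ("ip", proto) and in_range(sport, s_rng) and in_range(dport, d_rng):
            return action
    return "deny"

def probe_ports(base=33434, hops=30, probes=3):
    """Destination ports of one classic UDP traceroute run (assumed defaults)."""
    return range(base, base + hops * probes)

if __name__ == "__main__":
    acl = parse(ACL_199)
    # Constructed sample packets: (label, protocol, source port, destination port)
    for label, proto, sp, dp in [("UDP trace probe", "udp", 40000, 33434),
                                 ("DNS query", "udp", 40000, 53),
                                 ("ICMP echo", "icmp", None, None)]:
        print(f"{label:16} -> {evaluate(acl, proto, sp, dp)}")
```

The ICMP echo result is "permit" because list 199 only covers the UDP probes; ICMP echo filtering is the separate access-list the first reply describes.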
