cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1747
Views
0
Helpful
6
Replies

deny traceroute fail

acbenny
Level 1
Level 1

Hi all,

My objective is only to deny traceroute from 192.168.1.0/24 to 1.1.1.6(RouterC Wan interface)

Physical connection as below

RouterA->RouterB->RouterC

RouterA

interface FastEthernet0/1

ip address 192.168.1.1 255.255.255.0

ip access-group 101 in

duplex auto

speed auto

access-list 101 deny icmp 192.168.1.0 0.0.0.255 host 1.1.1.6 traceroute

access-list 101 permit ip any any

But result show that I can ping and traceroute from PC host 192.168.1.10.

What command I wrong?

6 Replies 6

Edison Ortiz
Hall of Fame
Hall of Fame

Try this ACL

access-list 101 deny icmp host 1.1.1.6 192.168.1.0 0.0.0.255 unreachable

access-list 101 permit ip any any

I agree with Edison that blocking the unreachable messages is a more effective way to block traceroute. In the original post Jack had the access-group as in. For this access list to work it would need to be configured for out (since the ACL now has 1.1.1.6 as the source and 192.168.1.0 as the destination).

HTH

Rick

HTH

Rick

Rick,

ip access group 101 in can also be placed on the link connecting to RouterB.

I'm assuming RouterC is the host 1.1.1.6 and 192.168.1.0/24 is the subnet sitting behind RouterA.

Edison

Yes it could be placed on the interface to router B. And there is some marginal benefit in doing that since it would deny the packets before they go through the routing logic.

HTH

Rick

HTH

Rick

Pavel Bykov
Level 5
Level 5

Please remember, that traceroute is usually performed using UDP, not ICMP. ICMP is used only when the packet times out in transit and ICMP unreachable is sent back.

This should work:

access-list 101 deny udp 192.168.1.0 0.0.0.255 host 1.1.1.6 traceroute

access-list 101 permit ip any any

Previous posts have also valid points. Depends on how you want to block it.

Pavlo

In my experience whether traceroute uses UDP or ICMP depends on the OS of the end station. IOS devices and _nix boxes use UDP as you mention. But Windows uses ICMP. So what to put into the access list depends on what is on the source subnet.

I worry a bit about denying all unreachable messages and what you would no longer be informed about. But I do believe that if denying traceroute is important that denying the unreachable response is more effective than trying to deny the outbound probe packets.

HTH

Rick

HTH

Rick
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: