10-10-2007 06:51 PM - edited 03-03-2019 07:07 PM
Hi all,
My objective is only to deny traceroute from 192.168.1.0/24 to 1.1.1.6(RouterC Wan interface)
Physical connection as below
RouterA->RouterB->RouterC
RouterA
interface FastEthernet0/1
ip address 192.168.1.1 255.255.255.0
ip access-group 101 in
duplex auto
speed auto
access-list 101 deny icmp 192.168.1.0 0.0.0.255 host 1.1.1.6 traceroute
access-list 101 permit ip any any
But result show that I can ping and traceroute from PC host 192.168.1.10.
What command I wrong?
10-10-2007 08:34 PM
Try this ACL
access-list 101 deny icmp host 1.1.1.6 192.168.1.0 0.0.0.255 unreachable
access-list 101 permit ip any any
10-11-2007 02:27 AM
I agree with Edison that blocking the unreachable messages is a more effective way to block traceroute. In the original post Jack had the access-group as in. For this access list to work it would need to be configured for out (since the ACL now has 1.1.1.6 as the source and 192.168.1.0 as the destination).
HTH
Rick
10-11-2007 04:41 AM
Rick,
ip access group 101 in can also be placed on the link connecting to RouterB.
I'm assuming RouterC is the host 1.1.1.6 and 192.168.1.0/24 is the subnet sitting behind RouterA.
10-11-2007 04:55 AM
Edison
Yes it could be placed on the interface to router B. And there is some marginal benefit in doing that since it would deny the packets before they go through the routing logic.
HTH
Rick
10-11-2007 02:59 AM
Please remember, that traceroute is usually performed using UDP, not ICMP. ICMP is used only when the packet times out in transit and ICMP unreachable is sent back.
This should work:
access-list 101 deny udp 192.168.1.0 0.0.0.255 host 1.1.1.6 traceroute
access-list 101 permit ip any any
Previous posts have also valid points. Depends on how you want to block it.
10-11-2007 03:15 AM
Pavlo
In my experience whether traceroute uses UDP or ICMP depends on the OS of the end station. IOS devices and _nix boxes use UDP as you mention. But Windows uses ICMP. So what to put into the access list depends on what is on the source subnet.
I worry a bit about denying all unreachable messages and what you would no longer be informed about. But I do believe that if denying traceroute is important that denying the unreachable response is more effective than trying to deny the outbound probe packets.
HTH
Rick
Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: