If I block ICMP (ACL), would that effectively negate both Ping and Traceroute?
FrankGuthrie
Member Posts: 245
in CCNA & CCENT
Because they both use ICMP for functionality, right? So filtering ICMP, either by using an ACL or a firewall, will basically take out the use of both tools, or can it be that one of them will still work?
Comments
theodoxa Member Posts: 1,340
That depends on the OS you are using. Some systems (*nix) use UDP for Traceroute. There is also a TCP Traceroute available on some systems.
R&S: CCENT → CCNA → CCNP → CCIE [ ]
Security: CCNA [ ]
Virtualization: VCA-DCV [ ]
satishtech Member Posts: 243
Did the lab on PT:
Router(config)#access-list 110 deny icmp any any echo
Router(config)#access-list 110 permit ip any any
Router(config)#int g0/0
Router(config-if)#ip access-group 110 in
blocks ping and tracert
FrankGuthrie Member Posts: 245
Thanks. I also did it in Packet Tracer and came to the same conclusion. So if you block one, you also block the other; this makes sense as they both use ICMP.
renhowek Registered Users Posts: 2
> That depends on the OS you are using. Some systems (*nix) use UDP for Traceroute. There is also a TCP Traceroute available on some systems.
Doesn't Traceroute use ICMP for sending TTL regardless?
theodoxa Member Posts: 1,340
> Doesn't Traceroute use ICMP for sending TTL regardless?
It would have to be able to receive an ICMP TTL Exceeded message, so it would seem blocking all ICMP in all directions would block Traceroute from being able to receive a reply. The Traceroute packets (at least on a box using UDP) would still reach the various hops, you would just never receive the response.
FrankGuthrie Member Posts: 245
> It would have to be able to receive an ICMP TTL Exceeded message, so it would seem blocking all ICMP in all directions would block Traceroute from being able to receive a reply. The Traceroute packets (at least on a box using UDP) would still reach the various hops, you would just never receive the response.
So, the conclusion from this is that blocking ICMP will break both traceroute and ICMP, even if the traceroute implementation is using UDP (it will actually get ICMP replies back).
sarahanand Member Posts: 52
With traceroute the end device will respond back with an ICMP port unreachable message. You can specifically block the ICMP port unreachable message inbound on the source device, and that would block the traceroute from completing, yet let the pings through.
(12.1.1.2) R1-R2-R3-R4 (34.1.1.4)
Before applying any access list, the traceroute from R1 to R4 is successful
R1#traceroute 34.1.1.4
Type escape sequence to abort.
Tracing the route to 34.1.1.4
1 12.1.1.2 44 msec 48 msec 52 msec
2 23.1.1.3 68 msec 68 msec 68 msec
3 34.1.1.4 72 msec 88 msec 72 msec
R1(config)#ip access-list extended 101
R1(config-ext-nacl)#deny icmp any any ?
<0-255> ICMP message type
----omitted
echo Echo (ping)
echo-reply Echo reply
----omitted
port-unreachable Port unreachable
R1(config-ext-nacl)#deny icmp any any port-unreachable --> Blocking ICMP port unreachable
R1(config-ext-nacl)#permit ip any any
R1#traceroute 34.1.1.4
Type escape sequence to abort.
Tracing the route to 34.1.1.4
1 12.1.1.2 44 msec 52 msec 44 msec
2 23.1.1.3 68 msec 68 msec 68 msec
3 * * * --> The ICMP port unreachable message inbound on R1 gets dropped here because of the ACL.
4
R1#ping 34.1.1.4 --> The pings are successful.
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 34.1.1.4, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 68/84/96 ms
R1#show ip access-lists
Extended IP access list 101
10 deny icmp any any port-unreachable (18 matches)
20 permit ip any any (59 matches)
Here's a short video on blocking pings and ICMP unreachables on Cisco devices
https://www.youtube.com/watch?v=q-xKsoWz99I&feature=youtu.be
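The lab above hinges on which ICMP reply each tool needs to get back through the inbound ACL on R1. The following is an added example, not code from the thread: a small model of an IOS-style inbound ACL (first match wins, implicit deny) applied to the replies that ping, UDP traceroute and ICMP-based tracert depend on. The keyword-to-type table and the three ACLs are constructed for the example; `ttl-exceeded` is an IOS keyword the thread does not show.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Icmp:
    """An ICMP message type/code as seen by an inbound ACL on the probing router."""
    type: int
    code: int = 0

ECHO_REPLY, PORT_UNREACH, TTL_EXCEEDED = Icmp(0), Icmp(3, 3), Icmp(11)
# IOS ACL keywords (the ones the thread shows, plus ttl-exceeded) -> ICMP type/code
KEYWORDS = {"echo": Icmp(8), "echo-reply": ECHO_REPLY,
            "port-unreachable": PORT_UNREACH, "ttl-exceeded": TTL_EXCEEDED}

def permitted(acl, reply):
    """First matching entry wins; an unmatched packet hits the implicit deny.
    acl is a list of (action, protocol, icmp_keyword_or_None) tuples."""
    for action, proto, keyword in acl:
        if proto == "ip" or keyword is None or KEYWORDS[keyword] == reply:
            return action == "permit"
    return False

def ping_completes(acl):
    """ping needs the destination's echo-reply to get back in through the ACL."""
    return permitted(acl, ECHO_REPLY)

def traceroute_hops(acl, hops, probe):
    """Per hop: transit routers answer with TTL exceeded; the destination answers
    port-unreachable to UDP probes (*nix / IOS traceroute) or echo-reply to ICMP
    probes (Windows tracert). True = that hop's reply got through the ACL."""
    final = PORT_UNREACH if probe == "udp" else ECHO_REPLY
    return [permitted(acl, final if n == hops else TTL_EXCEEDED)
            for n in range(1, hops + 1)]

def tool_status(acl, hops=3):
    return {"ping": ping_completes(acl),
            "traceroute (udp)": all(traceroute_hops(acl, hops, "udp")),
            "tracert (icmp)": all(traceroute_hops(acl, hops, "icmp"))}

# Three constructed policies, all applied inbound on R1 as in the lab above
BLOCK_ALL_ICMP = [("deny", "icmp", None), ("permit", "ip", None)]
BLOCK_PORT_UNREACH = [("deny", "icmp", "port-unreachable"), ("permit", "ip", None)]
BLOCK_ECHO_REPLY = [("deny", "icmp", "echo-reply"), ("permit", "ip", None)]

if __name__ == "__main__":
    for name, acl in [("deny icmp any any", BLOCK_ALL_ICMP),
                      ("deny icmp any any port-unreachable", BLOCK_PORT_UNREACH),
                      ("deny icmp any any echo-reply", BLOCK_ECHO_REPLY)]:
        print(f"{name:36} {tool_status(acl)}")
        print("  udp traceroute reply per hop:", traceroute_hops(acl, 3, "udp"))
```

With the port-unreachable ACL the per-hop list comes out `[True, True, False]`, matching the `3 * * *` line in the lab: hops 1 and 2 still answer, only the destination's reply is dropped.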