If I block ICMP (ACL), would that effectively negate both Ping and Traceroute?

Because they both use ICMP for functionality right. So filtering ICMP either by using an ACL/Firewall, will basically take out the use of both tools, or can it be that 1 of them will still work?

Find more posts tagged with

Comments

DCD

That would be a good lab to try.

theodoxa

That depends on the OS you are using. Some systems (*nix) use UDP for Traceroute. There is also a TCP Traceroute available on some systems.

Deathmage

That was a nifty little lab.

satishtech

Did the lab on PT :
Router(config)#access-list 110 deny icmp any any echo
Router(config)#permit ip any any

Router(config)#int g0/0
Router(config-if)#ip access-group 110 in

blocks ping and tracert

FrankGuthrie

Thanks. I also did in in Packet tracer and came to the same conclusion. So If you block one, you also block each other, this makes sense as they both use ICMP.

renhowek

theodoxa wrote: »

That depends on the OS you are using. Some systems (*nix) use UDP for Traceroute. There is also a TCP Traceroute available on some systems.

Doesn't Traceroute use ICMP for sending TTL regardless?

theodoxa

renhowek wrote: »

Doesn't Traceroute use ICMP for sending TTL regardless?

It would have to be able to receive an ICMP TTL Exceeded message, so it would seem blocking all ICMP in all directions would block Traceroute from being able to receive a reply. The Traceroute packets (at least on a box using UDP) would still reach the various hops, you would just never receive the response.

FrankGuthrie

theodoxa wrote: »

It would have to be able to receive an ICMP TTL Exceeded message, so it would seem blocking all ICMP in all directions would block Traceroute from being able to receive a reply. The Traceroute packets (at least on a box using UDP) would still reach the various hops, you would just never receive the response.

So, the conclusion from this is that blocking ICMP will brake both trace route and ICMP, even if the traceroute implementation is using UDP (it will actually get ICMP replies back)

sarahanand

With traceroute the end device will respond back with an ICMP port unreachable message.You can specifically block the ICMP port unreachable message inbound on the source device, and that would block the traceroute from completing, yet letting the pings through.

(12.1.1.2) R1-R2-R3-R4 (34.1.1.4)

Before applying any access list, the traceroute from R1 to R4 is successful

R1#traceroute 34.1.1.4

Type escape sequence to abort.
Tracing the route to 34.1.1.4

1 12.1.1.2 44 msec 48 msec 52 msec
2 23.1.1.3 68 msec 68 msec 68 msec
3 34.1.1.4 72 msec 88 msec 72 msec

R1(config)#ip access-list extended 101
R1(config-ext-nacl)#deny icmp any any ?
<0-255> ICMP message type
----omitted

echo Echo (ping)
echo-reply Echo reply
----omitted

port-unreachable Port unreachable

R1(config-ext-nacl)#deny icmp any any port-unreachable --> Blocking ICMP port unreachable
R1(config-ext-nacl)#permit ip any any
R1#traceroute 34.1.1.4

Type escape sequence to abort.
Tracing the route to 34.1.1.4

1 12.1.1.2 44 msec 52 msec 44 msec
2 23.1.1.3 68 msec 68 msec 68 msec
3 * * * --> The ICMP port unreachable message inbound on R1 gets dropped here because of the ACL.
4

R1#ping 34.1.1.4 --> The pings are successful.

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 34.1.1.4, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 68/84/96 ms

R1#show ip access-lists
Extended IP access list 101
10 deny icmp any any port-unreachable (18 matches)
20 permit ip any any (59 matches)

Here's a short video on blocking pings and ICMP unreachables on Cisco devices

https://www.youtube.com/watch?v=q-xKsoWz99I&feature=youtu.be