ICMP Disable

kaldrouby Member Posts: 21
Hi,
how would you disable all responses to "ping" or "traceroute" commands on a Cisco router?
Could you give me the command line?
For example, to add an additional layer of security so you can hide your router from ping and traceroute commands?

Thanks!!

Comments

    spd3432 Member Posts: 224
    I'm not aware of a global command to disable ICMP. However, you could disable the various ICMP responses with extended ACLs applied to an interface.
    ----CCNP goal----
    Route [ ] Studying
    Switch [ ] Next
    Tshoot [ ] Eventually
    YFZblu Member Posts: 1,462
    In global configuration mode:

    -access-list [extended ACL number, between 100 - 199] deny icmp any any
    -access-list [extended ACL number, between 100 - 199] permit ip any any

    In interface configuration mode: ip access-group [ACL number] in

    Edit: I'm sure there are more specific ACLs one could create - I'm a relative n00b to ACLs.
    docrice Member Posts: 1,706
    The problem with "hiding" a device by denying ICMP is that it could potentially make troubleshooting more difficult. To be honest, it doesn't always do a good job of hiding it anyway. But if you really want to "stealth" a device in such a way, I'd recommend at least allowing traffic from the IT / network management network to be able to send and receive diagnostic traffic.

    And in general, I also recommend using named ACLs. I hate numbered ACLs since they really don't provide any context by their presence in an interface setting.

    ip access-list extended acl_givemeaname
     permit icmp 10.1.7.0 0.0.0.255 any echo
     deny icmp any any log-input
     permit ip 10.1.1.0 0.0.0.255 any

    and then apply that to an interface. This assumes your management network is 10.1.7.0/24 and your user population is in 10.1.1.0/24. You also have to keep in mind that not all tracerouting is alike. Windows sends ICMP echo requests for traceroutes, while Unix variants send UDP packets with destination ports in the range 33434 - 33534. If you have any management interfaces exposed, you'll need to set up an ACL and apply it to the vty lines. I believe those may require standard ACLs, although with the newer IOS I think you can use extended.
    Hopefully-useful stuff I've written: http://kimiushida.com/bitsandpieces/articles/
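A fuller version of the approach in the reply above, added here as an example and not taken from the thread: it keeps diagnostics working from the management network, drops only the ping and UDP-traceroute probes aimed at the router itself (so users can still traceroute through it), and locks the vty lines with a standard ACL. The management network 10.1.7.0/24, user LAN 10.1.1.0/24, router LAN address 10.1.1.1 and interface name GigabitEthernet0/0 are assumptions.

```cisco
! Added example (not from the thread). Assumptions: management net 10.1.7.0/24,
! user LAN 10.1.1.0/24, router LAN address 10.1.1.1, interface GigabitEthernet0/0.
ip access-list extended acl_hide_router
 remark management network keeps full ping/traceroute access to the router
 permit icmp 10.1.7.0 0.0.0.255 host 10.1.1.1
 permit udp  10.1.7.0 0.0.0.255 host 10.1.1.1 range 33434 33534
 remark drop everyone else's ping (Windows traceroute also uses ICMP echo)
 remark and Unix-style UDP traceroute when they are addressed to the router;
 remark log-input records ingress interface and source MAC for later review
 deny   icmp any host 10.1.1.1 echo log-input
 deny   udp  any host 10.1.1.1 range 33434 33534 log-input
 remark users keep everything else, including traceroute THROUGH the router
 permit ip 10.1.1.0 0.0.0.255 any
 deny   ip any any log-input
!
interface GigabitEthernet0/0
 ip access-group acl_hide_router in
 ! by default IOS answers an ACL deny with an ICMP "administratively
 ! prohibited" unreachable, which itself reveals the router; suppress it
 no ip unreachables
!
! management-plane access: standard ACL on the vty lines, as the post notes
ip access-list standard acl_vty_mgmt
 permit 10.1.7.0 0.0.0.255
 deny   any log
!
line vty 0 4
 access-class acl_vty_mgmt in
 transport input ssh
```

Apply the extended ACL inbound on whichever interface faces the hosts you want to hide the router from; the management permits only match on an interface that network actually enters through.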