ICMP Disable
kaldrouby
Member Posts: 21 ■□□□□□□□□□
in CCNA & CCENT
[FONT=georgia,serif]Hi,
how would you disable all responses to "ping" or "traceroute" commands on a Cisco router?[/FONT]
[FONT=arial, sans-serif]Could you give me the command line?[/FONT]
[FONT=arial, sans-serif]for example to add [/FONT][FONT=georgia, serif]additional[/FONT][FONT=arial, sans-serif][FONT=georgia, serif] layer of security so you can hide your router from ping and [/FONT]trace route[FONT=georgia, serif] commands ?[/FONT][/FONT]
[FONT=arial, sans-serif]thanks !![/FONT]
how would you disable all responses to "ping" or "traceroute" commands on a Cisco router?[/FONT]
[FONT=arial, sans-serif]Could you give me the command line?[/FONT]
[FONT=arial, sans-serif]for example to add [/FONT][FONT=georgia, serif]additional[/FONT][FONT=arial, sans-serif][FONT=georgia, serif] layer of security so you can hide your router from ping and [/FONT]trace route[FONT=georgia, serif] commands ?[/FONT][/FONT]
[FONT=arial, sans-serif]thanks !![/FONT]
Comments
-
spd3432 Member Posts: 224I'm not aware of a global command to disable ICMP. However, you could disable the various ICMP responses with extended ACLs applied to a interface.----CCNP goal----
Route [ ] Studying
Switch [ ] Next
Tshoot [ ] Eventually -
YFZblu Member Posts: 1,462 ■■■■■■■■□□In global configuration mode:
-access-list [extended ACL number, between 100 - 199] deny icmp any any
-access-list [extended ACL number, between 100 - 199] permit ip any any
In interface configuration mode: ip access-group [ACL number] in
Edit: I'm sure there are more specific ACLs one could create - I'm a relative n00b to ACL's. -
docrice Member Posts: 1,706 ■■■■■■■■■■The problem with "hiding" a device by denying ICMP is that it could potentially make troubleshooting more difficult. To be honest, it doesn't always do a good job of hiding it anyway. But if you really want to "stealth" a device in such a way, I'd recommend at least allowing traffic from the IT / network management network to be able to send and receive diagnostic traffic.
And in general, I also recommend using named ACLs. I hate numbered ACLs since they really don't provide any context by its presence in an interface setting.ip access-list extended acl_givemeaname
permit icmp 10.1.7.0 0.0.0.255 echo
deny icmp any any log-input
permit ip 10.1.1.0 0.0.0.255 any
and then apply that to an interface. This assumes your management network is 10.1.7.0/24 and your user population is in 10.1.1.0/24. You also have to keep in mind that not all tracerouting is alike. Windows sends ICMP echo requests for traceroutes while Unix variants send UDP packets with destination ports in the 33434 - 33534. If you have any management interfaces exposed, you'll need to set up an ACL and apply it to the vty lines. I believe those may require standard ACLs, although with the newer IOS I think can use extended.Hopefully-useful stuff I've written: http://kimiushida.com/bitsandpieces/articles/