Re: set srcIP for ICMP replies, or for locally sourced connections?



Attach an ACL to the WAN interface (direction "in") that specifies to which IP addresses (interfaces) you will permit ICMP.

The direction is specified by the keyword "in", in the following example:

ip access-group <acl-name> in

For security reasons, you should actually specify the "types" of ICMP you wish to permit (e.g., echo-reply, time-exceeded, unreachable, administratively-prohibited, packet-too-big, source-quench, parameter-problem). Some types of ICMP should definitely be denied.

Other info of interest:

Extended ping (via the CLI) permits you to specify the source IP address that will be used in the outbound ping, which then becomes the destination IP address in the reply packet.

"Inspection" applied on a LAN interface will open temporary dynamic holes in the return path ACLs to accommodate replies to pings sent from internal hosts.


Best Regards,
News Reader
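The suggestions above, combined into one IOS configuration. This is an added, constructed example, not configuration from either poster: the ACL name WAN-IN, the inspection rule name LAN-OUT, the interface names, and the documentation addresses 192.0.2.1 (router loopback) and 198.51.100.5 (external test host) are all assumptions. It permits only the listed reply-type ICMP messages inbound on the WAN side, and only towards a loopback address, so that outbound ping and traceroute from the router must be sourced from that loopback for their replies to be accepted:

```cisco
! Constructed example: per-type ICMP filtering on the WAN interface.
! Only replies to probes the router itself sent are permitted, and only to
! the loopback address (192.0.2.1, assumed) that those probes are sourced from.
ip access-list extended WAN-IN
 remark --- replies to router-originated ping/traceroute, loopback only ---
 permit icmp any host 192.0.2.1 echo-reply
 permit icmp any host 192.0.2.1 time-exceeded
 permit icmp any host 192.0.2.1 unreachable
 permit icmp any host 192.0.2.1 packet-too-big
 permit icmp any host 192.0.2.1 parameter-problem
 remark --- everything else ICMP (echo, redirect, etc.) to any address is dropped ---
 deny   icmp any any log
 remark --- remaining entries for legitimate non-ICMP traffic go here (assumed) ---
 permit ip any any
!
! Inspection on the LAN side (CBAC) opens temporary return-path holes in WAN-IN
! for echo-replies to pings sent by internal hosts, without a static permit.
ip inspect name LAN-OUT icmp
!
interface Loopback2
 description source address for router-originated ping/traceroute
 ip address 192.0.2.1 255.255.255.255
!
interface GigabitEthernet0/0
 description WAN uplink (interface name assumed)
 ip access-group WAN-IN in
!
interface GigabitEthernet0/1
 description LAN (interface name assumed)
 ip inspect LAN-OUT in
!
! From the CLI, source probes from the loopback so their replies match WAN-IN:
!   Router# ping 198.51.100.5 source Loopback2
!   Router# traceroute 198.51.100.5 source Loopback2
! Check what is being dropped and whether the dynamic entries appear:
!   Router# show ip access-lists WAN-IN
!   Router# show ip inspect sessions
```

Two things worth checking after applying this: the "log" keyword on the deny line punts matching packets to the route processor and is rate-limited, so it is useful for confirming what is hitting the interface but should be removed once the list is tuned; and because echo-reply is only permitted to the loopback, a plain "ping 198.51.100.5" without the source keyword will report timeouts even though the network is fine, which is the expected behaviour of this design rather than a fault.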


Phil Begriffenfeldt wrote:
I'd like to block traffic to my routers from outside my network, but still allow my routers to traceroute/ping to hosts outside my network, and to reply to traceroutes sourced outside the network.

Is there a way to force ICMP replies to come from a particular IP address? For example, something like "ip icmp source-interface loopback2", where the ICMP messages generated by my routers would come from a source IP that I can specify? That would help to hide interface IPs from casual miscreants.

Alternatively, I could try to block all packets entering my network with destination IPs of my internal links. But that would block replies from simple outbound pings and traceroutes from router CLI sessions. If there were a way to bind locally-sourced ping and traceroute to a particular source IP on each router, then that would also be helpful.

Perhaps blocking at the network edge is not productive, and I should be using Control Plane Policing for this? The router platform is a mix of VXR and 3BXL.