Correct me if I am wrong, but it sounds like this person is trying to block the people on the internal network from mapping it as they travel to Internet targets. To do this, Cisco ACLs on the routers denying Time Exceeded in Transit (ICMP Type 11) packets should do the trick. The statements would be in the form:

  access-list access-list-number [dynamic dynamic-name [timeout minutes]] {deny | permit} icmp source source-wildcard destination destination-wildcard [icmp-type [icmp-code] | icmp-message] [precedence precedence] [tos tos] [log]

i.e.,

  access-list 106 deny icmp any 192.168.1.0 0.0.0.255 11
  access-list 106 permit ip any any

Apply this outbound on the internal interface with the command, i.e.,

  configure terminal
  interface Ethernet1
  ip access-group 106 out
  exit

This assumes 192.168.1.0 0.0.0.255 is the internal network where the trace routes originate and that E1 on the Cisco router is the interface on that subnet. This should block the responses to the trace routes so the internal users will not be able to map past the local router interface.

http://www.cisco.com/univercd/cc/td/doc/product/software/ios113ed/cs/csprtn1/csip.htm#xtocid273892 (Watch Wrap)
http://www.erg.abdn.ac.uk/users/gorry/course/inet-pages/icmp-code.html

Ken Claussen MCSE CCNA CCA
"In Theory it should work as you describe, but the difference between theory and reality is the truth! For this we all strive"

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Laura A. Robinson
Sent: Wednesday, March 06, 2002 3:34 PM
To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: Re: How to hide IP's in Trace

Well put!

Laura

----- Original Message -----
From: <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Wednesday, March 06, 2002 3:21 PM
Subject: Re: How to hide IP's in Trace

> On 7 Mar 2002, at 0:25, Amarnath Gutta wrote:
>
> > Hi All,
> >
> > I have private IP addresses in my network which I want to conceal
> > in traceroutes. Say a customer traces to any IP on the internet: he is
> > able to map my private network also, which I want to prevent. So how
> > can I hide the private IPs in the traceroutes? I use Cisco
> > routers.
> >
> > Any suggestions are welcome.
> >
> > Regards
> >
> > Amar
>
> It sounds like you don't want your firewall to allow ICMP replies.
>
> But even if your firewall allows ICMP replies from internal
> machines, then any servers for which you have static NAT mappings
> will respond -- and the responses, being NATted, will show the IPs
> that the servers map to and not the internal IP addresses of the
> actual machines.
> Any internal clients relying on PAT will never see the ICMP
> requests, which will be addressed to the firewall.
> If you have a NAT pool, then machines currently mapped into the
> pool may respond on their current mapped addresses -- but since those
> addresses are subject to change, this mapping is of limited use to an
> attacker.
>
> So although you may be happier blocking ICMP replies -- if your
> firewall lets you choose that option -- I don't think the risk is as
> bad as you fear. If you have a firewall that doesn't let you block
> ICMP replies, I would not lose sleep over it.
>
> David Gillett

_______________________________________________
Firewalls mailing list
[EMAIL PROTECTED]
http://lists.gnac.net/mailman/listinfo/firewalls
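As an added illustration (not part of the thread above), here is a small Python model of what the access-list 106 approach does to a traceroute run from an internal host. It parses the two ACL lines from the post with Cisco wildcard-mask semantics, then walks a constructed path (local router, two made-up ISP hops, a made-up destination) with increasing TTL. The model also encodes the IOS behaviour that an outbound ACL does not filter packets the router itself generates, which is why the local router's own hop stays visible while everything beyond it times out; the destination's final reply (ICMP type 3, not type 11) still gets through. All addresses, router names and the topology are constructed for this example.

```python
"""Added example: simulate an internal traceroute against an outbound ACL
that denies ICMP Time Exceeded (type 11) toward the internal subnet.
Topology, addresses and router names are constructed, not from the thread."""
import ipaddress
from dataclasses import dataclass, field
from typing import Optional

ICMP_TIME_EXCEEDED = 11   # TTL expired in transit: the reply traceroute relies on
ICMP_UNREACHABLE = 3      # what a destination returns to a UDP traceroute probe


def wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    """Cisco wildcard mask: 0 bits must match, 1 bits are don't-care."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (n & care)


@dataclass
class AclEntry:
    action: str                      # "permit" or "deny"
    proto: str                       # "ip" or "icmp"
    src: tuple                       # ("any",) or (network, wildcard)
    dst: tuple
    icmp_type: Optional[int] = None  # only meaningful for icmp entries


def _take_addr(rest: list) -> tuple:
    """Consume one address spec: 'any', 'host A.B.C.D', or 'net wildcard'."""
    if rest[0] == "any":
        return (rest.pop(0),)
    if rest[0] == "host":
        rest.pop(0)
        return (rest.pop(0), "0.0.0.0")
    return (rest.pop(0), rest.pop(0))


def parse_acl(lines: list) -> list:
    """Parse numbered extended ACL lines in the form used in the post."""
    entries = []
    for line in lines:
        parts = line.split()
        if parts[:1] != ["access-list"]:
            continue
        action, proto, rest = parts[2], parts[3], parts[4:]
        src, dst = _take_addr(rest), _take_addr(rest)
        icmp_type = int(rest[0]) if proto == "icmp" and rest else None
        entries.append(AclEntry(action, proto, src, dst, icmp_type))
    return entries


def _addr_ok(spec: tuple, addr: str) -> bool:
    return spec[0] == "any" or wildcard_match(addr, spec[0], spec[1])


def acl_permits(entries: list, pkt: dict) -> bool:
    """First matching entry wins; every ACL ends with an implicit deny."""
    for e in entries:
        if e.proto != "ip" and e.proto != pkt["proto"]:
            continue
        if not (_addr_ok(e.src, pkt["src"]) and _addr_ok(e.dst, pkt["dst"])):
            continue
        if e.icmp_type is not None and e.icmp_type != pkt.get("icmp_type"):
            continue
        return e.action == "permit"
    return False


@dataclass
class Router:
    addr: str                                   # address reported in its ICMP replies
    lan_out_acl: list = field(default_factory=list)  # ACL outbound on the LAN-facing interface


def _return_reply(pkt: dict, transit: list) -> str:
    """Carry a reply back through the routers it transits, nearest to the
    originator first. A router does not filter packets it generated itself,
    so the originating router is never in 'transit'."""
    for r in transit:
        if r.lan_out_acl and not acl_permits(r.lan_out_acl, pkt):
            return "*"  # dropped; traceroute shows a timeout for this hop
    return pkt["src"]


def traceroute(host: str, path: list, dest: str, max_ttl: int = 8) -> list:
    """Probe with TTL 1..max_ttl and return the address seen for each hop."""
    seen = []
    for ttl in range(1, max_ttl + 1):
        if ttl <= len(path):
            r = path[ttl - 1]  # TTL reaches zero here; r sends Time Exceeded
            pkt = {"proto": "icmp", "icmp_type": ICMP_TIME_EXCEEDED, "src": r.addr, "dst": host}
            seen.append(_return_reply(pkt, list(reversed(path[: ttl - 1]))))
        else:
            pkt = {"proto": "icmp", "icmp_type": ICMP_UNREACHABLE, "src": dest, "dst": host}
            seen.append(_return_reply(pkt, list(reversed(path))))
            return seen
    return seen


HOST = "192.168.1.25"  # constructed internal host running traceroute
ACL_106 = parse_acl([
    "access-list 106 deny icmp any 192.168.1.0 0.0.0.255 11",
    "access-list 106 permit ip any any",
])


def trace(with_acl: bool) -> list:
    local = Router("192.168.1.1", ACL_106 if with_acl else [])
    path = [local, Router("203.0.113.1"), Router("203.0.113.9")]  # constructed ISP hops
    return traceroute(HOST, path, "198.51.100.10")


if __name__ == "__main__":
    print("without ACL:", trace(False))
    print("with ACL   :", trace(True))
```

Running it shows the full path without the ACL and, with the ACL applied, only the local router (192.168.1.1) followed by timeouts until the destination's own reply, which is permitted because it is not type 11. Note that the entry only denies type 11 toward 192.168.1.0/24; a reply addressed to any other destination falls through to the permit.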
