Super-Networking Blog

ICMP through your Border Router

by admin on Mar.14, 2007, under Networking, Routers

ICMP is a double-edged sword. It is great for troubleshooting network issues and for verifying that the most basic connectivity works, but it can also give away a lot of information about what is going on inside your network to people who should not have it.

The question then becomes which ICMP types you let through the access-lists on your border routers. You want to be able to ping outside hosts and receive the replies, you might want people to be able to ping your public-facing servers, and you are going to want to be able to traceroute out of your network.

Here is my recommendation for your access-list:

remark non-initial fragments carry no ICMP header; drop them before any permit can match them
deny icmp any any fragments
remark ping in both directions (type 8 out, type 0 back)
permit icmp any any echo
permit icmp any any echo-reply
remark type 30 only (RFC 1393 ICMP Traceroute); does not cover tracert or traceroute probes
permit icmp any any traceroute
permit icmp any any source-quench
remark type 3 code 4, required for path MTU discovery
permit icmp any any packet-too-big
remark type 11, the per-hop replies that traceroute and tracert rely on
permit icmp any any time-exceeded

*Note: this is just the ICMP section of the access-list, not the entire access-list. Keep the fragments line first. IOS cannot check the ICMP type on a non-initial fragment, so a permit further down the list would otherwise let it through.

If you are thinking that permit icmp any any traceroute will let traceroute from your Windows box work, you will find that is not the case. That keyword matches only ICMP type 30, the old ICMP Traceroute message, which tracert never sends. Windows tracert sends echo requests with an increasing TTL and depends on the time-exceeded messages coming back from each hop, so permit icmp any any time-exceeded is the line that makes it work (together with echo and echo-reply for the final hop). A Unix traceroute sends UDP probes by default and recognises the final hop by the port-unreachable reply (type 3, code 3); the list above does not permit that, so the destination will show up as * * * unless you also allow it.
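The following is an added example, not code from the original post: a small Python model of how IOS evaluates the ICMP section of an extended ACL (first match wins, implicit deny at the end, and the fragment handling the deny-fragments line depends on). It parses the access-list lines above, maps the IOS keywords to ICMP type/code numbers, and runs constructed packets through it: a tracert probe, the time-exceeded reply, a type 30 message, the port-unreachable a UDP traceroute needs, and a non-initial fragment. The ACE parser only handles the "any any" form used in the post, and the packet samples are constructed for illustration.

```python
# Added example (not from the original post): a model of Cisco IOS ACL
# evaluation for the ICMP section above. Handles only "permit/deny icmp any any
# <keyword>" entries and the "fragments" keyword; first match wins, implicit deny.
from dataclasses import dataclass
from typing import Optional

# IOS ICMP keyword -> (type, code); code None means any code. Numbers per IANA.
ICMP_KEYWORDS = {
    "echo": (8, None),
    "echo-reply": (0, None),
    "traceroute": (30, None),     # RFC 1393 ICMP Traceroute, not what tracert sends
    "source-quench": (4, None),
    "packet-too-big": (3, 4),     # destination unreachable, fragmentation needed
    "time-exceeded": (11, None),
    "port-unreachable": (3, 3),   # what a UDP traceroute gets from the final hop
    "unreachable": (3, None),
}

# The ACL section from the post, as text this model can parse.
BORDER_ICMP_ACL = """
deny icmp any any fragments
permit icmp any any echo
permit icmp any any echo-reply
permit icmp any any traceroute
permit icmp any any source-quench
permit icmp any any packet-too-big
permit icmp any any time-exceeded
"""


@dataclass(frozen=True)
class IcmpPacket:
    icmp_type: int
    icmp_code: int = 0
    non_initial_fragment: bool = False  # fragment offset > 0: carries no ICMP header


@dataclass(frozen=True)
class AclEntry:
    action: str                  # "permit" or "deny"
    keyword: Optional[str]       # ICMP keyword, or None for any ICMP
    fragments: bool = False      # the IOS "fragments" keyword


def parse_acl(text: str) -> list:
    """Parse 'permit|deny icmp any any [keyword] [fragments]' lines; skip remarks."""
    entries = []
    for raw in text.splitlines():
        parts = raw.split()
        if not parts or parts[0] == "remark":
            continue
        action, proto, src, dst, *rest = parts
        if action not in ("permit", "deny") or proto != "icmp" or (src, dst) != ("any", "any"):
            raise ValueError(f"unsupported ACE: {raw!r}")
        fragments = "fragments" in rest
        keywords = [w for w in rest if w != "fragments"]
        keyword = keywords[0] if keywords else None
        if keyword is not None and keyword not in ICMP_KEYWORDS:
            raise ValueError(f"unknown ICMP keyword: {keyword}")
        entries.append(AclEntry(action, keyword, fragments))
    return entries


def ace_matches(entry: AclEntry, pkt: IcmpPacket) -> bool:
    """IOS matching rules, including how non-initial fragments hit L4 ACEs."""
    if entry.fragments:
        return pkt.non_initial_fragment           # applies only to non-initial fragments
    if entry.keyword is None:
        return True                               # L3-only ACE matches fragments as well
    if pkt.non_initial_fragment:
        # No ICMP header to check: a permit ACE matches, a deny ACE is skipped.
        return entry.action == "permit"
    want_type, want_code = ICMP_KEYWORDS[entry.keyword]
    return pkt.icmp_type == want_type and (want_code is None or pkt.icmp_code == want_code)


def evaluate(entries: list, pkt: IcmpPacket) -> str:
    for entry in entries:
        if ace_matches(entry, pkt):
            return entry.action
    return "deny"                                 # implicit deny at the end of every ACL


def traffic_outcomes(acl_text: str = BORDER_ICMP_ACL) -> dict:
    """Constructed packets for the cases discussed in the post -> verdict."""
    entries = parse_acl(acl_text)
    samples = {
        "tracert probe (echo, type 8)": IcmpPacket(8),
        "hop reply (time-exceeded, type 11)": IcmpPacket(11),
        "destination reply (echo-reply, type 0)": IcmpPacket(0),
        "ICMP traceroute message (type 30)": IcmpPacket(30),
        "UDP traceroute final hop (port-unreachable, 3/3)": IcmpPacket(3, 3),
        "PMTUD (packet-too-big, 3/4)": IcmpPacket(3, 4),
        "non-initial fragment of an echo": IcmpPacket(8, non_initial_fragment=True),
    }
    return {name: evaluate(entries, pkt) for name, pkt in samples.items()}


if __name__ == "__main__":
    for name, verdict in traffic_outcomes().items():
        print(f"{verdict:6}  {name}")
    # Same list without the leading fragments rule: the permit ACEs now let a
    # non-initial fragment through, which is why that deny has to come first.
    without = BORDER_ICMP_ACL.replace("deny icmp any any fragments\n", "")
    print("without fragments deny:", traffic_outcomes(without)["non-initial fragment of an echo"])
```

Running it shows the echo, echo-reply and time-exceeded cases permitted, the port-unreachable that a UDP traceroute needs dropped by the implicit deny, and the non-initial fragment dropped only while the fragments deny is at the top of the list.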

