Firewall Wizards mailing list archives

RE: ICMP and Traceroute


From: Houser David DW <david.houser () zcswilm zeneca com>
Date: Tue, 18 May 1999 09:05:45 -0400

A couple of ideas that might help - 

Depending on your needs for troubleshooting, Traceroute may be just as
helpful from the outside towards you.  There are a number of sites that
allow this; start at http://www.amazing.com/internet/club-traceroute.html



As for the PING, maybe you'd consider allowing the inside to initiate a ping
outward, then from the outside only allow the Ping Response?  This is more
palatable than opening up all ICMP both ways.   For instance, on a
Cisco, this might be 

internal netwk  ------  Rtr --------------- External netwk   e.g. 100.100.100.x
                    ACL 101 out

        access-list 101 permit icmp any 100.100.100.0 0.0.0.255 echo-reply
to allow the router to pass back the Ping response from the external
network, in response to a Ping that would have been initiated
internally.


DWH
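A fuller version of that idea, added here as an example rather than David's own configuration: it assumes the 100.100.100.0/24 internal network from the diagram, assumes Ethernet0 is the inside interface and Serial0 the outside one, and extends the same one-way approach to traceroute, which the note above does not cover. Replies arrive from the outside, so the inbound rules name the external side as source and the internal network as destination.

```cisco
! Assumed layout (example, not the original poster's router):
!   Ethernet0 = inside, 100.100.100.0/24    Serial0 = outside
! Two extended ACLs, one per direction, applied on the outside interface.

! --- ACL 102, applied OUT on Serial0: what inside hosts may originate ---
! ping: ICMP echo request outward
access-list 102 permit icmp 100.100.100.0 0.0.0.255 any echo
! Unix-style traceroute sends UDP probes to ports 33434-33534 with rising TTL;
! Windows tracert uses ICMP echo, already covered by the line above
access-list 102 permit udp 100.100.100.0 0.0.0.255 any range 33434 33534
! (the site's existing outbound permits, e.g. DNS, go here, above the deny)
access-list 102 deny   icmp 100.100.100.0 0.0.0.255 any log

! --- ACL 101, applied IN on Serial0: only the answers to those probes ---
! answer to an inside-originated ping
access-list 101 permit icmp any 100.100.100.0 0.0.0.255 echo-reply
! each hop's answer to a traceroute probe whose TTL ran out
access-list 101 permit icmp any 100.100.100.0 0.0.0.255 time-exceeded
! the final host's answer to a UDP traceroute probe
access-list 101 permit icmp any 100.100.100.0 0.0.0.255 port-unreachable
! keep path-MTU discovery working; dropping this silently breaks large transfers
access-list 101 permit icmp any 100.100.100.0 0.0.0.255 packet-too-big
! inbound echo requests are NOT permitted, so outside hosts still cannot ping in;
! everything else ICMP is dropped and logged for visibility
access-list 101 deny   icmp any any log
! (the site's existing inbound permits go here, above the implicit deny)

interface Serial0
 description outside
 ip access-group 101 in
 ip access-group 102 out
```

Both lists are stateless: an echo-reply or time-exceeded packet is accepted whether or not an inside host actually sent a probe, which is the trade-off being made. Reflexive ACLs or firewall inspection are the route to a truly stateful version.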

----------
From:         Deepak Vaidya[SMTP:dvaidya () clark net]
Sent:         Monday, May 17, 1999 1:26 PM
To:   firewall-wizards () nfr net
Subject:      ICMP and Traceroute


Two more questions that came from the same group who need access to dns
outbound.  They would like to be able to ping and traceroute external
hosts from all the clients.

We currently do not allow icmp and traceroute packets inbound or outbound.  We
block all those at the router level.  The group is responsible for
client network and security design and they would like ping and
traceroute for troubleshooting networks.

Thanks
- Deepak