Verifying Router ACLs with Hping

In a previous post, Verifying a Firewall with Hping, I showed you how to verify that a firewall was performing as it should, using the ever so popular hping command. In this post, I will show you how to verify that an ACL is doing its duty and blocking the appropriate traffic. Before we break out hping and start firing packets at our Cisco router, let's create an ACL and apply it to an interface.

SC#configure terminal
SC(config)#ip access-list extended 100
SC(config-ext-nacl)#deny ip host any
SC(config-ext-nacl)#permit ip any any
SC(config)#interface fa 0/1
SC(config-if)#ip access-group 100 in

The above access list denies any IP traffic from the host address; we applied it inbound on interface fa 0/1. The neat (scary?) thing about Cisco IOS is that when it denies a packet, it sends an ICMP Destination Unreachable, Administratively Prohibited message (type 3, code 13, for those who are curious) back to the source host.

If you don't want your router to behave this way, for fear that an attacker might use these replies to enumerate which traffic the router does or doesn't permit, I will explain how to silence it at the end of this post.

Host is on the other side of the router, so let's try to send a few IP packets through the router from and see what happens.

$ sudo hping3 --syn --count 4
HPING (eth2 S set, 40 headers + 0 data bytes
ICMP Packet filtered from ip= name=UNKNOWN
ICMP Packet filtered from ip= name=UNKNOWN
ICMP Packet filtered from ip= name=UNKNOWN
ICMP Packet filtered from ip= name=UNKNOWN
--- hping statistic ---
4 packets transmitted, 4 packets received, 0% packet loss
round-trip min/avg/max = 0.0/0.0/0.0 ms

As you can see, the router responds with an ICMP packet notifying us that the packets have been filtered, so we know the ACL is doing its job and denying traffic from the
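When you run this check repeatedly (for every denied source, or after each ACL change), it helps to read the hping3 output programmatically rather than by eye: an ICMP "Packet filtered" reply tells you which hop rejected the probe, a complete lack of replies is what you get once the router stops sending unreachables (covered later in this post), and a TCP reply means the traffic was permitted. The following script is an added example, not code from the original post or from the hping project; the three sample outputs are constructed to mirror the shape of hping3's messages, and the 192.0.2.x addresses are placeholders.

```python
"""Classify a captured hping3 run as rejected, silent-drop or permitted.

Added example, not from the original post. The sample outputs below are
constructed; the addresses are documentation placeholders."""
import re
from collections import Counter

# Constructed sample: the router rejects with ICMP type 3 code 13, the
# case shown in the post.
REJECTED = """\
HPING 192.0.2.10 (eth2 192.0.2.10): S set, 40 headers + 0 data bytes
ICMP Packet filtered from ip=192.0.2.1 name=UNKNOWN
ICMP Packet filtered from ip=192.0.2.1 name=UNKNOWN
ICMP Packet filtered from ip=192.0.2.1 name=UNKNOWN
ICMP Packet filtered from ip=192.0.2.1 name=UNKNOWN

--- 192.0.2.10 hping statistic ---
4 packets transmitted, 4 packets received, 0% packet loss
round-trip min/avg/max = 0.0/0.0/0.0 ms
"""

# Constructed sample: the same deny with "no ip unreachables" on the
# router interface; nothing at all comes back.
SILENT = """\
HPING 192.0.2.10 (eth2 192.0.2.10): S set, 40 headers + 0 data bytes

--- 192.0.2.10 hping statistic ---
4 packets transmitted, 0 packets received, 100% packet loss
round-trip min/avg/max = 0.0/0.0/0.0 ms
"""

# Constructed sample: traffic permitted; the target answers the SYN
# (RST/ACK here, i.e. a closed port, but the host was reached).
PERMITTED = """\
HPING 192.0.2.10 (eth2 192.0.2.10): S set, 40 headers + 0 data bytes
len=46 ip=192.0.2.10 ttl=63 DF id=0 sport=0 flags=RA seq=0 win=0 rtt=1.2 ms
len=46 ip=192.0.2.10 ttl=63 DF id=0 sport=0 flags=RA seq=1 win=0 rtt=1.1 ms

--- 192.0.2.10 hping statistic ---
2 packets transmitted, 2 packets received, 0% packet loss
round-trip min/avg/max = 1.1/1.2/1.2 ms
"""

FILTERED_RE = re.compile(r"^ICMP Packet filtered from ip=(\S+)")
REPLY_RE = re.compile(r"^len=\d+ ip=(\S+) .*flags=(\S+)")
STATS_RE = re.compile(r"^(\d+) packets transmitted, (\d+) packets received")


def parse_hping(output):
    """Summarise one run: packets sent/received, which addresses sent
    'Packet filtered' messages, and which TCP flags the target returned."""
    summary = {"sent": 0, "received": 0,
               "filtered_by": Counter(), "replies": Counter()}
    for line in output.splitlines():
        m = FILTERED_RE.match(line)
        if m:
            summary["filtered_by"][m.group(1)] += 1
            continue
        m = REPLY_RE.match(line)
        if m:
            summary["replies"][m.group(2)] += 1
            continue
        m = STATS_RE.match(line)
        if m:
            summary["sent"] = int(m.group(1))
            summary["received"] = int(m.group(2))
    return summary


def classify(output):
    """'rejected': ICMP filtered replies only (the filtering hop is revealed).
    'permitted': the target itself answered.
    'silent-drop': probes sent, nothing back (deny plus no unreachables).
    'mixed': anything else, worth a closer look."""
    s = parse_hping(output)
    if s["filtered_by"] and not s["replies"]:
        return "rejected"
    if s["replies"] and not s["filtered_by"]:
        return "permitted"
    if s["sent"] and s["received"] == 0:
        return "silent-drop"
    return "mixed"


if __name__ == "__main__":
    for name, out in (("REJECTED", REJECTED), ("SILENT", SILENT),
                      ("PERMITTED", PERMITTED)):
        s = parse_hping(out)
        print(f"{name}: {classify(out)} filtered_by={dict(s['filtered_by'])}")
```

In practice you would feed the script the saved output of a real run (for example `sudo hping3 --syn --count 4 <target> 2>&1 | tee run.txt`); the `filtered_by` address is the interesting part, since it is the router, not the target, that answers when the ACL denies the packet.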

Now, if you want to stop the router from sending these ICMP responses, you can do so with the following command:

SC(config)#interface fa 0/1
SC(config-if)#no ip unreachables

Note that this is done per interface, so you can disable it on the outside interface (a Cisco best practice) and leave it enabled on the inside, if you wish. This command disables all ICMP unreachable messages from the router, which is the equivalent of using a sledgehammer to drive a finish nail. If you want to suppress only the ICMP Administratively Prohibited packets, you can create an access list that matches them as they are sourced from the interface address. The downside is that you can't simply apply that access list to the interface, because an interface ACL won't filter router-generated traffic; instead you have to create a route-map that matches traffic against the ACL and apply that route-map as the local policy.

Whew, that sounds like a lot of work, but it really isn't. Below is my configuration.

SC(config)#ip access-list extended BlockICMPAdminProhibited
SC(config-ext-nacl)#permit icmp host any administratively-prohibited
SC(config-ext-nacl)#deny ip any any
SC(config)#route-map LOCALPOLICY 10
SC(config-route-map)#match ip address BlockICMPAdminProhibited
SC(config-route-map)#set interface Null 0
SC(config)#ip local policy route-map LOCALPOLICY

The ACL might look a little weird to some: the reason we permit the traffic we want to drop is that the route-map uses the ACL only to define which traffic it matches, and the route-map's set clause decides what is done with it.

In our case, any ICMP Administratively Prohibited packets from IP address will be matched and have their output interface set to Null 0, effectively dropping them. To verify that the packets are being dropped, check the ACL match counters.

SC#show ip access-lists BlockICMPAdminProhibited
Extended IP access list BlockICMPAdminProhibited
    10 permit icmp host any administratively-prohibited (3 matches)
    20 deny ip any any

Bingo! Traffic is being dropped with our local policy.
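The match counter is the evidence here, so a repeatable check is to snapshot `show ip access-lists` before and after an hping run and confirm that the permit entry (sequence 10) is the one whose counter moved. The parser below is an added example, not code from the original post or from Cisco; the two snapshots are constructed in the format the page shows, and the host address in the entry is a placeholder.

```python
"""Diff ACL match counters between two 'show ip access-lists' snapshots.

Added example, not from the original post. Both snapshots are constructed
to follow the IOS output format shown on the page; 192.0.2.1 is a
placeholder for the router's interface address."""
import re

# Constructed snapshot taken before the hping run: no matches yet.
BEFORE = """\
Extended IP access list BlockICMPAdminProhibited
    10 permit icmp host 192.0.2.1 any administratively-prohibited
    20 deny ip any any
"""

# Constructed snapshot taken after the run: three rejects were
# matched and sent to Null 0 by the local policy route-map.
AFTER = """\
Extended IP access list BlockICMPAdminProhibited
    10 permit icmp host 192.0.2.1 any administratively-prohibited (3 matches)
    20 deny ip any any
"""

ACL_HDR = re.compile(r"^(Standard|Extended) IP access list (\S+)")
# Sequence number, action, the rule text, and an optional "(N matches)".
ENTRY = re.compile(r"^\s+(\d+) (permit|deny) (.*?)(?: \((\d+) matches?\))?$")


def parse_acls(text):
    """Return {acl_name: {seq: {"action", "rule", "matches"}}}.

    IOS omits the "(N matches)" suffix when the counter is zero, so an
    absent suffix is read as 0 rather than as an error."""
    acls, current = {}, None
    for line in text.splitlines():
        h = ACL_HDR.match(line)
        if h:
            current = acls.setdefault(h.group(2), {})
            continue
        e = ENTRY.match(line)
        if e and current is not None:
            current[int(e.group(1))] = {
                "action": e.group(2),
                "rule": e.group(3),
                "matches": int(e.group(4) or 0),
            }
    return acls


def match_delta(before, after, acl):
    """Per-sequence increase in match counters for one ACL.

    Entries present only in 'after' are treated as starting from 0."""
    b = parse_acls(before).get(acl, {})
    a = parse_acls(after).get(acl, {})
    return {seq: a[seq]["matches"] - b.get(seq, {"matches": 0})["matches"]
            for seq in a}


def dropped_by_policy(before, after, acl, seq):
    """True when the entry the route-map matches on gained at least one hit."""
    return match_delta(before, after, acl).get(seq, 0) > 0


if __name__ == "__main__":
    name = "BlockICMPAdminProhibited"
    print(match_delta(BEFORE, AFTER, name))
    print("dropped by local policy:", dropped_by_policy(BEFORE, AFTER, name, 10))
```

A counter that moves on sequence 20 instead of 10 would mean the router is generating ICMP traffic that the route-map's ACL does not match, which is exactly the kind of gap this check is meant to surface.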

Jan 20th, 2011 • Posted in IOS, Linux