On 7 Mar 2002, at 0:25, Amarnath Gutta wrote:

> Hi All,
>
> I have private IP addresses in my network which I want to conceal
> in traceroutes. Say a customer traces to any IP on the internet; he is
> able to map my private network also, which I want to prevent. So how
> can I hide the private IPs in the traceroutes? I use Cisco
> routers.
>
> Any suggestions are welcome.
>
> Regards
>
> Amar

It sounds like you don't want your firewall to allow ICMP replies.

But even if your firewall allows ICMP replies from internal machines, then any servers for which you have static NAT mappings will respond -- and the responses, being NATted, will show the IPs that the servers map to and not the internal IP addresses of the actual machines.

Any internal clients relying on PAT will never see the ICMP requests, which will be addressed to the firewall.

If you have a NAT pool, then machines currently mapped into the pool may respond on their current mapped addresses -- but since those addresses are subject to change, this mapping is of limited use to an attacker.

So although you may be happier blocking ICMP replies -- if your firewall lets you choose that option -- I don't think the risk is as bad as you fear. If you have a firewall that doesn't let you block ICMP replies, I would not lose sleep over it.

David Gillett

_______________________________________________
Firewalls mailing list
[EMAIL PROTECTED]
http://lists.gnac.net/mailman/listinfo/firewalls
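
An added example, not part of either message: a check that reads traceroute output captured from the customer side and lists the hops that answered from RFC 1918 space, which is how to confirm whether NAT or an ICMP filter is actually hiding the internal addresses. The sample output and the name `private_hops` are constructed for illustration.

```python
import ipaddress
import re

# RFC 1918 private ranges (the "private IPs" the question is about).
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

HOP_RE = re.compile(r"^\s*(\d+)\s+(.*)$")          # "<hop number> <rest of line>"
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def private_hops(traceroute_text):
    """Return [(hop, address), ...] for hops that replied from RFC 1918 space."""
    leaks = []
    for line in traceroute_text.splitlines():
        m = HOP_RE.match(line)
        if not m:
            continue                      # header or blank line
        hop, seen = int(m.group(1)), set()
        for token in IPV4_RE.findall(m.group(2)):
            try:
                addr = ipaddress.ip_address(token)
            except ValueError:
                continue                  # looked like an address but is not one
            if addr in seen:
                continue                  # same responder listed twice on the line
            seen.add(addr)
            if any(addr in net for net in RFC1918):
                leaks.append((hop, str(addr)))
    return leaks


# Constructed sample: hop 3 is filtered, hop 5 has two responders.
SAMPLE = """\
traceroute to 198.51.100.7 (198.51.100.7), 30 hops max, 60 byte packets
 1  10.1.1.1  0.521 ms  0.498 ms  0.470 ms
 2  172.16.20.1  1.102 ms  1.085 ms  1.120 ms
 3  * * *
 4  core1.example.net (203.0.113.1)  4.310 ms  4.290 ms  4.402 ms
 5  198.51.100.7  9.870 ms 192.168.5.2  9.910 ms  9.850 ms
"""

if __name__ == "__main__":
    for hop, addr in private_hops(SAMPLE):
        print(f"hop {hop}: private address {addr} visible to the tracer")
```
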
