CISC-RT-000170 - The Cisco router must be configured to have Internet Control Message Protocol (ICMP) unreachable messages disabled on all external interfaces.


ICMP supports IP traffic by relaying information about paths, routes, and network conditions. Routers automatically send ICMP messages under a wide variety of conditions. Host unreachable ICMP messages are commonly used by attackers for network mapping and diagnosis.

NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance.


Step 1: Disable ip unreachables on all external interfaces.

R4(config)#int g0/1
R4(config-if)#no ip unreachables

Step 2: Disable ip unreachables on the Null0 interface if it is used to blackhole packets.

R4(config-if)#int null 0
R4(config-if)#no ip unreachables

Alternative - DODIN Backbone:

Configure the PE router to rate limit ICMP unreachable messages as shown in the example below:

R4(config)#ip icmp rate-limit unreachable df 100
R4(config)#ip icmp rate-limit unreachable 100000

Alternative - Non-DODIN Backbone:

An alternative for non-backbone networks (i.e. enclave, base, camp, etc.) is to filter messages generated by the router and silently drop ICMP Administratively Prohibited and Host Unreachable messages using the following configuration steps:

Step 1: Configure ACL to include ICMP Type 3 Code 1 (Host Unreachable) and Code 13 (Administratively Prohibited) as shown in the example below:

R2(config)#ip access-list ext ICMP_T3C1C13
R2(config-ext-nacl)#permit icmp any any host-unreachable
R2(config-ext-nacl)#permit icmp any any administratively-prohibited

Step 2: Create a route map to forward these ICMP messages to the Null0 interface.

R2(config)#route-map LOCAL_POLICY
R2(config-route-map)#match ip address ICMP_T3C1C13
R2(config-route-map)#set interface Null0

Step 3: Configure no ip unreachables on the Null0 interface.

R2(config)#int null 0
R2(config-if)#no ip unreachables

Step 4: Apply the policy to filter messages generated by the router.

R2(config)#ip local policy route-map LOCAL_POLICY
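Added example (not part of this benchmark or of Nessus): a Python check that parses a constructed IOS running-config, reports which external interfaces still lack `no ip unreachables`, and notes whether the global rate-limit alternative is present. The interface names and sample config are assumptions.

```python
import re

# Constructed sample of a Cisco IOS running-config (not from any real device).
# G0/1 is the external interface and Null0 the blackhole interface from the steps above.
SAMPLE_CONFIG = """\
ip icmp rate-limit unreachable 100000
!
interface GigabitEthernet0/0
 description INTERNAL
 ip address 10.1.1.1 255.255.255.0
!
interface GigabitEthernet0/1
 description EXTERNAL
 ip address 192.0.2.1 255.255.255.252
 no ip unreachables
!
interface Null0
!
"""

def parse_interfaces(config: str) -> dict[str, list[str]]:
    """Return {interface name: [indented sub-commands]} from an IOS config."""
    interfaces: dict[str, list[str]] = {}
    current = None
    for line in config.splitlines():
        m = re.match(r"^interface (\S+)", line)
        if m:
            current = m.group(1)
            interfaces[current] = []
        elif line.startswith(" ") and current is not None:
            interfaces[current].append(line.strip())
        else:
            current = None  # '!' or a global command ends the interface stanza
    return interfaces

def check_unreachables(config: str, external: list[str]) -> dict[str, bool]:
    """True per interface when 'no ip unreachables' is set (missing stanza = not set)."""
    interfaces = parse_interfaces(config)
    return {name: "no ip unreachables" in interfaces.get(name, []) for name in external}

def has_rate_limit(config: str) -> bool:
    """Detect the DODIN-backbone alternative: a global ICMP unreachable rate limit."""
    return any(line.startswith("ip icmp rate-limit unreachable") for line in config.splitlines())

if __name__ == "__main__":
    for name, ok in check_unreachables(SAMPLE_CONFIG, ["GigabitEthernet0/1", "Null0"]).items():
        print(f"{name}: {'compliant' if ok else 'FINDING: ip unreachables still enabled'}")
    print("rate-limit alternative present:", has_rate_limit(SAMPLE_CONFIG))
```

Run it against the output of `show running-config` from the device under review, supplying the names of its external interfaces.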

Item Details


References: 800-53|SC-5, CAT|II, CCI|CCI-002385, Rule-ID|SV-216565r531085_rule, STIG-ID|CISC-RT-000170, STIG-Legacy|SV-105669, STIG-Legacy|V-96531, Vuln-ID|V-216565

Plugin: Cisco

Control ID: 9cdba41b2211e92eb02b6925a1b60ee4f13dc8abe4b54bd708f979cf791b2704