Forum Discussion
fLyf5_21542
Nimbostratus
Jul 05, 2011
Hiding f5 LTM ip address in the traceroute
I have an f5-LTM inline device in my network and have got a requirement not to show the device IP address in the traceroute taken from the inside network. Could you please help me with this? The device should pass traceroute traffic, but instead of displaying its IP address, I want to see **** instead of the IP address.
5 Replies
- hoolio
Cirrostratus
Hi KM,
I don't think it's possible to pass ICMP packets yet have the IP reported as something other than the IP addresses.
Aaron
- JRahm
Admin
It's a shot in the dark, but you could try defining a bogus address (not routable in your org's context) that's higher or lower than your valid self-ip on the same vlan and see if the ttl=0 response is generated by one of them.
- epaalx
Cirrus
> I don't think it's possible to pass ICMP packets yet have the IP reported as something other than the IP addresses.
traceroute relies on two things:
- originator progressively incrementing ping's TTL, thus progressively causing a TTL==0 condition at each hop (en route to its destination)
- relying on that hop to return ICMP "Time exceeded" with own IP.
Like any L3 device, a (routing) firewall is obliged to return its own IP, but it doesn't have to - it can act transparent to ping (or TTL) - it's a security issue and a default configuration for (many routing) firewalls. So, OP's question is legitimate and reasonable.
- fLyf5_21542
Nimbostratus
Can we mask the ip address using an i-rule; something like checking the ICMP TTL packet and changing the ip or masking the ip.
- fLyf5_21542
Nimbostratus
Can we mask the ip address using an i-rule; something like checking the ICMP TTL packet and changing the ip or masking the ip.
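The traceroute mechanism described in the replies above, as an added example that is not part of the original thread: a small Python model (no packets are sent) of a path in which one hop forwards traffic but does not return ICMP "Time exceeded", which is what produces a `* * *` row while later hops still answer. The `Hop` class, the function names and the addresses are constructed for illustration and say nothing about how a particular device is configured.

```python
# Constructed model of a routed path; it simulates TTL handling and sends no packets.
from dataclasses import dataclass

@dataclass
class Hop:
    ip: str
    sends_time_exceeded: bool = True   # False = forwards traffic but stays silent on TTL expiry

def probe(path, dest_ip, ttl):
    """Return the address that answers a probe sent with this TTL, or None on timeout."""
    for hop in path:
        ttl -= 1                       # every L3 hop decrements the TTL
        if ttl == 0:
            # TTL expired at this hop: it either reports its own IP or drops silently
            return hop.ip if hop.sends_time_exceeded else None
    return dest_ip                     # probe survived every hop; the destination replies

def traceroute(path, dest_ip, max_ttl=30):
    """Collect one output row per TTL value, the way traceroute prints them."""
    rows = []
    for ttl in range(1, max_ttl + 1):
        answer = probe(path, dest_ip, ttl)
        rows.append(f"{ttl:2d}  {answer if answer else '* * *'}")
        if answer == dest_ip:          # destination reached, stop probing
            break
    return rows

# Constructed sample path (documentation address ranges); hop 2 plays the silent inline device.
PATH = [
    Hop("192.0.2.1"),
    Hop("192.0.2.254", sends_time_exceeded=False),
    Hop("198.51.100.1"),
]
DEST = "203.0.113.10"

if __name__ == "__main__":
    print("\n".join(traceroute(PATH, DEST)))
```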
