RE: icmp filtering

From: Richard Dumoulin (richard.dumoulin@vanco.es)
Date: Tue Jun 08 2004 - 19:40:58 GMT-3


Cisco traceroute does not use ping but ttl exceeded (or time-exceeded ?) and
port unreachable on the return path. And UDP packets with different TTLs on
the outgoing path!

--Richard

-----Original Message-----
From: ccie2be [mailto:ccie2be@nyc.rr.com]
Sent: Wednesday, June 09, 2004 0:37
To: Richard Dumoulin; Group Study
Subject: Re: icmp filtering

Thanks Richard, that's what I thought, but....

Unfortunately, your answer leads to another question.

Here's the scenario:

I want to allow pings and traceroutes to come back into my network but only
if they originated from within my network. Allow other traffic.

Here's what I thought the answer should be:

int s0
ip access-group PINGS-IN in
ip access-group PINGS-OUT out

ip access-list ext PINGS-IN
evaluate PINGS
permit ip any any

ip access-list ext PINGS-OUT
permit icmp any any reflect PINGS

I figured this should work since "permit icmp any any" allows all icmp
message types. And, since traceroute uses ping, there shouldn't be a
problem. But, the solution was very different.

Solution:

int s0
ip access-group PINGS-IN in
ip access-group PINGS-OUT out

ip access-list ext PINGS-IN
permit icmp any any ttl-exceeded
permit icmp any any unreachable
evaluate ICMP
deny icmp any any
permit ip any any

ip access-list ext PINGS-OUT
permit icmp any any reflect ICMP <-- Does this statement care what the
message type is?
permit ip any any

*******************************

So, Richard, based on what you said in your earlier post, I would think that
any type of return icmp would be permitted because permit icmp any any
reflect ICMP would create a permit entry for any type of return icmp traffic
regardless of type. But, this solution implies something way different.

Any thoughts?

Thanks, Tim
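To show why the two inbound ACLs above behave differently on return traffic, here is an added simulation (not from this thread and not Cisco IOS code) of a simplified reflexive ACL. Assumptions: a temporary entry is keyed on protocol and the swapped address pair only, the ACL lines are evaluated top to bottom, and the hosts 10.0.0.5, 192.0.2.9, 203.0.113.1 and 198.51.100.7 are constructed.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Set, Tuple

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                       # "icmp", "udp" or "tcp"
    icmp_type: Optional[str] = None  # e.g. "echo-request", "ttl-exceeded"

class ReflectState:
    """Simplified reflexive-ACL state (assumption: a temporary entry is keyed on
    protocol plus the swapped address pair, with no ICMP type awareness)."""
    def __init__(self) -> None:
        self.entries: Set[Tuple[str, str, str]] = set()

    def outbound(self, pkt: Packet) -> None:
        # 'permit icmp any any reflect ICMP': only outbound ICMP creates an entry
        if pkt.proto == "icmp":
            self.entries.add((pkt.proto, pkt.dst, pkt.src))

    def evaluate(self, pkt: Packet) -> bool:
        # 'evaluate ICMP': the inbound packet must mirror an existing entry
        return (pkt.proto, pkt.src, pkt.dst) in self.entries

def tims_acl(state: ReflectState, pkt: Packet) -> bool:
    # PINGS-IN as first proposed: 'evaluate PINGS' then 'permit ip any any'
    if state.evaluate(pkt):
        return True
    return True  # trailing permit ip any any admits everything, solicited or not

def solution_acl(state: ReflectState, pkt: Packet) -> bool:
    # PINGS-IN from the lab solution, evaluated top to bottom
    if pkt.proto == "icmp" and pkt.icmp_type in ("ttl-exceeded", "unreachable"):
        return True                      # explicit traceroute return traffic
    if state.evaluate(pkt):
        return True                      # solicited ICMP (e.g. echo-reply)
    if pkt.proto == "icmp":
        return False                     # deny icmp any any
    return True                          # permit ip any any

def run_scenario() -> Dict[str, Tuple[bool, bool, bool]]:
    """Constructed traffic: 10.0.0.5 pings and traceroutes 192.0.2.9."""
    state = ReflectState()
    state.outbound(Packet("10.0.0.5", "192.0.2.9", "icmp", "echo-request"))
    state.outbound(Packet("10.0.0.5", "192.0.2.9", "udp"))  # traceroute probe
    inbound = {
        "echo-reply": Packet("192.0.2.9", "10.0.0.5", "icmp", "echo-reply"),
        "ttl-exceeded": Packet("203.0.113.1", "10.0.0.5", "icmp", "ttl-exceeded"),
        "unsolicited": Packet("198.51.100.7", "10.0.0.5", "icmp", "echo-request"),
    }
    # returns (reflexive match, first-attempt verdict, solution verdict)
    return {n: (state.evaluate(p), tims_acl(state, p), solution_acl(state, p))
            for n, p in inbound.items()}
```

The ttl-exceeded reply never matches a reflexive entry, because it comes from an intermediate router that never appeared as a destination of outbound ICMP, which is why the solution has to permit it explicitly while the first attempt only lets it through by permitting all ICMP.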

----- Original Message -----
From: "Richard Dumoulin" <richard.dumoulin@vanco.es>
To: "ccie2be" <ccie2be@nyc.rr.com>; "Group Study" <ccielab@groupstudy.com>
Sent: Tuesday, June 08, 2004 5:46 PM
Subject: RE: icmp filtering

> It allows all icmp including ping's !!
>
> Do "permit icmp any any ?" and you'll see the options,
>
> --Richard
>
> -----Original Message-----
> From: ccie2be [mailto:ccie2be@nyc.rr.com]
> Sent: Tuesday, June 08, 2004 23:40
> To: Group Study
> Subject: icmp filtering
>
>
> Hi guys,
>
> I hope this isn't too dumb a question, but...
>
> Can someone confirm what this acl entry does?
>
> ip access-list ext ping
> permit (or deny) icmp any any <-----
>
> In particular, does this allow all icmp message types or just
> echo-request and echo-reply?
>
> I've searched the Doc CD and the whole of cisco.com but couldn't find
> anything definitive.
>
> I would think it would allow ( or deny) all icmp message types but,
> I'm doing practice IE lab 2, task 10.8 - 10.10 and the solution seems
> to indicate that it only permits message types echo-request and
> echo-reply.
>
> Any feedback would be appreciated. Also, if someone knows of any
> links which discuss this in detail, please let me know.
>
> TIA, Tim
>
> _______________________________________________________________________
> Please help support GroupStudy by purchasing your study materials from:
> http://shop.groupstudy.com
>
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html
>
>
> **********************************************************************
> Any opinions expressed in the email are those of the individual and
> not necessarily the company. This email and any files transmitted with
> it are confidential and solely for the use of the intended recipient.
> If you are not the intended recipient or the person responsible for
> delivering it to the intended recipient, be advised that you have
> received this email in error and that any dissemination, distribution,
> copying or use is strictly prohibited.
>
> If you have received this email in error, or if you are concerned with
> the content of this email please e-mail to:
> e-security.support@vanco.co.uk
>
> The contents of an attachment to this e-mail may contain software
> viruses which could damage your own computer system. While the sender
> has taken every reasonable precaution to minimise this risk, we cannot
> accept liability for any damage which you sustain as a result of
> software viruses.
> You should carry out your own virus checks before opening any
> attachments to this e-mail.
> **********************************************************************



This archive was generated by hypermail 2.1.4 : Sat Jul 03 2004 - 19:40:36 GMT-3