Re: icmp filtering

From: Carlos G Mendioroz (tron@huapi.ba.ar)
Date: Tue Jun 08 2004 - 20:21:34 GMT-3


Hmm, ttl-exceeded sounds better :-)

Still the issue on what is opened by the reflect was not covered.
I have not tried this exact one, but reflect seems to be pretty
"intelligent" and only opens the corresponding icmp type.

i.e. if seen "src A dst B type echo"
it opens "src B dst A type echo-reply"

I saw no way of telling though other than testing (and you need some
generator like nemesis for so doing).

Brian Dennis wrote:

> It's time-exceeded and not ttl-exceeded ;-)
>
> Brian Dennis, CCIE #2210 (R&S/ISP-Dial/Security)
> bdennis@internetworkexpert.com
> Internetwork Expert, Inc.
> http://www.InternetworkExpert.com
> Toll Free: 877-224-8987
> Direct: 775-745-6404 (Outside the US and Canada)
>
>
> -----Original Message-----
> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
> Richard Dumoulin
> Sent: Tuesday, June 08, 2004 3:41 PM
> To: ccie2be; Group Study
> Subject: RE: icmp filtering
>
> Cisco traceroute does not use ping but ttl exceeded (or time-exceeded ?)
> and port unreachable on the return path. And UDP packets with different
> ttl's on the outgoing path !
>
> --Richard
>
> -----Original Message-----
> From: ccie2be [mailto:ccie2be@nyc.rr.com]
> Sent: Wednesday, 09 June 2004 0:37
> To: Richard Dumoulin; Group Study
> Subject: Re: icmp filtering
>
>
> Thanks Richard, that's what I thought, but....
>
> Unfortunately, your answer leads to another question.
>
> Here's the scenario:
>
> I want to allow pings and traceroutes to come back into my network but
> only if they originated from within my network. Allow other traffic.
>
> Here's what I thought the answer should be:
>
> int s0
> ip access-group PINGS-IN in
> ip access-group PINGS-OUT out
>
> ip access-list ext PINGS-IN
> evaluate PINGS
> permit ip any any
>
> ip access-list ext PINGS-OUT
> permit icmp any any reflect PINGS
>
>
> I figured this should work since "permit icmp any any" allows all icmp
> message types. And, since traceroute uses ping, there shouldn't be a
> problem. But, the solution was very different.
>
> Solution:
>
> int s0
> ip access-group PINGS-IN in
> ip access-group PINGS-OUT out
>
> ip access-list ext PINGS-IN
> permit icmp any any ttl-exceeded
> permit icmp any any unreachable
> evaluate ICMP
> deny icmp any any
> permit ip any any
>
> ip access-list ext PINGS-OUT
> permit icmp any any reflect ICMP <-- Does this statement care what the
> message type is?
> permit ip any any
>
> *******************************
>
> So, Richard, based on what you said in your earlier post, I would think
> that any type of return icmp would be permitted because permit icmp any any
> reflect ICMP would create a permit entry for any type of return icmp
> traffic regardless of type. But, this solution implies something way different.
>
> Any thoughts?
>
> Thanks, Tim
>
>
>
>
> ----- Original Message -----
> From: "Richard Dumoulin" <richard.dumoulin@vanco.es>
> To: "ccie2be" <ccie2be@nyc.rr.com>; "Group Study"
> <ccielab@groupstudy.com>
> Sent: Tuesday, June 08, 2004 5:46 PM
> Subject: RE: icmp filtering
>
>
>
>>It allows all icmp including ping's !!
>>
>>Do "permit icmp any any ?" and you'll see the options,
>>
>>--Richard
>>
>>-----Original Message-----
>>From: ccie2be [mailto:ccie2be@nyc.rr.com]
>>Sent: Tuesday, 08 June 2004 23:40
>>To: Group Study
>>Subject: icmp filtering
>>
>>
>>Hi guys,
>>
>>I hope this isn't too dumb a question, but...
>>
>>Can someone confirm what this acl entry does?
>>
>>ip access-list ext ping
>>permit (or deny) icmp any any <-----
>>
>>In particular, does this allow all icmp message types or just
>>echo-request and echo-reply?
>>
>>I've searched the Doc CD and the whole of cisco.com but couldn't find
>>anything definitive.
>>
>>I would think it would allow ( or deny) all icmp message types but,
>>I'm doing practice IE lab 2, task 10.8 - 10.10 and the solution seems
>>to indicate that it only permits message types echo-request and
>>echo-reply.
>>
>>Any feedback would be appreciated. Also, if someone knows of any
>>links which discuss this in detail, please let me know.
>>
>>TIA, Tim
>>
>>_______________________________________________________________________
>>Please help support GroupStudy by purchasing your study materials from:
>>http://shop.groupstudy.com
>>
>>Subscription information may be found at:
>>http://www.groupstudy.com/list/CCIELab.html

-- 
Carlos G Mendioroz  <tron@huapi.ba.ar>  LW7 EQI  Argentina
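
An added illustration, not part of the thread: a small Python model of the solution's PINGS-IN / PINGS-OUT lists under the assumption Carlos describes (the reflexive entry mirrors only the corresponding ICMP reply type, src/dst swapped). Host names A, B, H, X and the traceroute scenario are constructed; whether real IOS behaves exactly this way is the open question in the thread, so treat the REPLY_TYPE mapping as an assumption.

```python
from dataclasses import dataclass

# Request type -> reply type the reflexive entry is ASSUMED to open
# (Carlos's reading of "reflect": only the corresponding ICMP type is opened).
REPLY_TYPE = {"echo": "echo-reply", "timestamp-request": "timestamp-reply"}


@dataclass(frozen=True)
class Pkt:
    src: str
    dst: str
    proto: str
    icmp_type: str = ""  # only used when proto == "icmp"


def outbound(pkt, reflexive):
    """'permit icmp any any reflect ICMP' then 'permit ip any any': everything
    leaves, and a permitted ICMP request installs a mirrored entry
    (src/dst swapped, reply type) in the reflexive list."""
    if pkt.proto == "icmp" and pkt.icmp_type in REPLY_TYPE:
        reflexive.add(Pkt(pkt.dst, pkt.src, "icmp", REPLY_TYPE[pkt.icmp_type]))
    return "permit"


def inbound(pkt, reflexive, explicit_permits=True):
    """PINGS-IN from the thread's solution, evaluated top to bottom.
    explicit_permits=False drops the two 'permit icmp any any ...' lines,
    so only reflected entries can admit ICMP."""
    if pkt.proto != "icmp":
        return "permit"                      # permit ip any any
    if explicit_permits and pkt.icmp_type in ("time-exceeded", "unreachable"):
        return "permit"                      # permit icmp any any ttl-exceeded / unreachable
    if pkt in reflexive:
        return "permit"                      # evaluate ICMP
    return "deny"                            # deny icmp any any


def scenario(explicit_permits=True):
    """Constructed case: inside host A pings and traceroutes to B; hop H on the
    path answers the UDP probes with time-exceeded, B answers with unreachable."""
    reflexive = set()
    outbound(Pkt("A", "B", "icmp", "echo"), reflexive)  # ping request
    outbound(Pkt("A", "B", "udp"), reflexive)           # traceroute probe (no ICMP entry)
    probes = {
        "echo-reply from B": Pkt("B", "A", "icmp", "echo-reply"),
        "time-exceeded from H": Pkt("H", "A", "icmp", "time-exceeded"),
        "unreachable from B": Pkt("B", "A", "icmp", "unreachable"),
        "unsolicited echo from X": Pkt("X", "A", "icmp", "echo"),
    }
    return {name: inbound(p, reflexive, explicit_permits) for name, p in probes.items()}
```

Running `scenario(False)` shows why the solution needs the two explicit permits: the reflexive entry is "src B dst A echo-reply", so the time-exceeded from hop H and the unreachable from B match nothing and fall through to the ICMP deny.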


This archive was generated by hypermail 2.1.4 : Sat Jul 03 2004 - 19:40:36 GMT-3