From: Richard Dumoulin (richard.dumoulin@vanco.es)
Date: Tue Jun 08 2004 - 21:02:21 GMT-3
From this table it seems that ttl-exceeded is a particular case of
time-exceeded: http://www.liquifried.com/docs/useful/ICMPtypes.html
--Richard
-----Original Message-----
From: Richard Dumoulin
Sent: Wednesday, June 09, 2004 1:53
To: Tom Rogers; Brian Dennis; ccie2be; Group Study
Subject: RE: icmp filtering
I believe they are the same. If you give the time-exceeded line a lower
sequence number in your ACL, you might see the counter increment for
time-exceeded instead of ttl-exceeded.
--Richard
-----Original Message-----
From: Tom Rogers [mailto:cccie71@yahoo.com]
Sent: Wednesday, June 09, 2004 1:41
To: Brian Dennis; Richard Dumoulin; ccie2be; Group Study
Subject: RE: icmp filtering
Brian,
I am confused here: is it time-exceeded or ttl-exceeded, and port-unreachable
or unreachable? I just did the test and I see the ttl-exceeded and
port-unreachable counters increasing: port-unreachable for a valid trace from
the outside to the inside network, and ttl-exceeded for unsuccessful
traceroutes from the outside to the inside network.
Setup is like this: (192.8.6.6)R6---------R5(s0/0)------(s0/0)R4---Rx---sw1
Rack08R5
!
interface Serial0/0
ip address 192.8.12.5 255.255.255.0
ip access-group TRACE-IN in
ip access-group TRACE-OUT out
Rack08R5#clear ip access-list counters
Rack08R5#clear logging
Clear logging buffer [confirm]
Rack08R5#show ip access-lists TRACE-OUT
Extended IP access list TRACE-OUT
permit icmp any any ttl-exceeded log-input
permit icmp any any port-unreachable log-input
permit icmp any any log-input
permit icmp any any traceroute log-input
permit icmp any any time-exceeded log-input
permit icmp any any unreachable log-input
permit ip any any (6 matches)
Rack08R5#show ip access-lists TRACE-IN
Extended IP access list TRACE-IN
permit icmp any any ttl-exceeded log-input
permit icmp any any port-unreachable log-input
permit icmp any any log-input
permit icmp any any traceroute log-input
permit icmp any any time-exceeded log-input
permit icmp any any unreachable log-input
permit ip any any (60 matches)
Rack08R5#
NOW I GO TO SW1 AND TRACE TO A VALID HOST
consoleIE#10#7
[Resuming connection 7 to sw1 ... ]
..
Rack08SW1#traceroute 192.8.6.6
Type escape sequence to abort.
Tracing the route to 192.8.6.6
1 192.8.30.3 0 msec 0 msec 0 msec
2 192.8.7.1 12 msec 12 msec 8 msec
3 192.8.12.5 16 msec 16 msec 12 msec
4 192.8.91.6 16 msec * 16 msec
Rack08SW1#
consoleIE#10#5
[Resuming connection 5 to r5 ... ]
23:03:40: %S
You see 2 matches for port-unreachable
Rack08R5#show ip access-lists TRACE-OUT
Extended IP access list TRACE-OUT
permit icmp any any ttl-exceeded log-input
permit icmp any any port-unreachable log-input (2 matches)
permit icmp any any log-input
permit icmp any any traceroute log-input
permit icmp any any time-exceeded log-input
permit icmp any any unreachable log-input
permit ip any any (10 matches)
Rack08R5#
consoleIE#10#7
[Resuming connection 7 to sw1 ... ]
NOW I GO TO SW1 AND TRACE TO AN INVALID HOST
Rack08SW1#traceroute 192.8.6.7
Type escape sequence to abort.
Tracing the route to 192.8.6.7
1 192.8.30.3 4 msec 0 msec 0 msec
2 192.8.7.1 12 msec 12 msec 8 msec
3 192.8.12.5 16 msec 16 msec 16 msec
4 192.8.91.6 16 msec 16 msec 16 msec
5 * * *
6
consoleIE#10#5
[Resuming connection 5 to r5 ... ]
You see 3 matches for ttl-exceeded
23:04:06: %
Rack08R5#show ip access-lists TRACE-OUT
Extended IP access list TRACE-OUT
permit icmp any any ttl-exceeded log-input (3 matches)
permit icmp any any port-unreachable log-input (2 matches)
permit icmp any any log-input
permit icmp any any traceroute log-input
permit icmp any any time-exceeded log-input
permit icmp any any unreachable log-input
permit ip any any (18 matches)
Rack08R5#
Thanx
Tom
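As an added illustration (not part of the thread or of IOS), a small Python model of how an ordered Cisco extended ACL classifies the ICMP replies a traceroute produces. The keyword-to-type/code table is Cisco's own mapping; the reply traffic and the two list orders are constructed from Tom's TRACE-OUT list above, and the swapped order shows Richard's point that moving the time-exceeded line up moves the counter with it.

```python
# Constructed model of Cisco IOS ICMP keyword matching in an ordered ACL.
# Not IOS code: the keyword table is Cisco's documented type/code mapping,
# the traffic and ACL orders below are constructed for illustration.

# Cisco ICMP keyword -> (ICMP type, ICMP code); None means "any".
ICMP_KEYWORDS = {
    "ttl-exceeded":     (11, 0),      # time exceeded in transit only
    "time-exceeded":    (11, None),   # every type-11 message, so it covers ttl-exceeded
    "port-unreachable": (3, 3),
    "unreachable":      (3, None),    # every type-3 message, covers port-unreachable
    "traceroute":       (30, None),
    "echo":             (8, None),
    "echo-reply":       (0, None),
    "any-icmp":         (None, None), # a bare "permit icmp any any": all types
}

def keyword_matches(keyword, icmp_type, icmp_code):
    """True when an ICMP (type, code) pair falls under the ACL keyword."""
    want_type, want_code = ICMP_KEYWORDS[keyword]
    return (want_type is None or want_type == icmp_type) and \
           (want_code is None or want_code == icmp_code)

def apply_acl(acl_keywords, packets):
    """Run each packet down the ACL in line order. The first matching line
    wins and its counter increments, which is what the '(N matches)' column
    of 'show ip access-lists' reports. Returns the per-line match counts."""
    counters = [0] * len(acl_keywords)
    for icmp_type, icmp_code in packets:
        for index, keyword in enumerate(acl_keywords):
            if keyword_matches(keyword, icmp_type, icmp_code):
                counters[index] += 1
                break  # later lines never see this packet
    return counters

# Constructed return-path traffic of one Cisco traceroute: three UDP probes
# expire at an intermediate hop (type 11 code 0) and three reach the
# target's closed UDP port (type 3 code 3).
TRACEROUTE_REPLIES = [(11, 0)] * 3 + [(3, 3)] * 3

# Line order of Tom's TRACE-OUT list, and the same list with the two
# "time exceeded" lines swapped.
TRACE_OUT = ["ttl-exceeded", "port-unreachable", "any-icmp",
             "traceroute", "time-exceeded", "unreachable"]
SWAPPED = ["time-exceeded", "port-unreachable", "any-icmp",
           "traceroute", "ttl-exceeded", "unreachable"]

if __name__ == "__main__":
    print("TRACE-OUT order:", apply_acl(TRACE_OUT, TRACEROUTE_REPLIES))
    print("swapped order:  ", apply_acl(SWAPPED, TRACEROUTE_REPLIES))
```

With Tom's order the hits land on ttl-exceeded and port-unreachable and the time-exceeded line stays at zero; with the swap the same packets are counted on the first line again, now labelled time-exceeded.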
Brian Dennis <bdennis@internetworkexpert.com> wrote:
It's time-exceeded and not ttl-exceeded ;-)
Brian Dennis, CCIE #2210 (R&S/ISP-Dial/Security)
bdennis@internetworkexpert.com Internetwork Expert, Inc.
http://www.InternetworkExpert.com Toll Free: 877-224-8987
Direct: 775-745-6404 (Outside the US and Canada)
-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
Richard Dumoulin
Sent: Tuesday, June 08, 2004 3:41 PM
To: ccie2be; Group Study
Subject: RE: icmp filtering
Cisco traceroute does not use ping; it uses ttl-exceeded (or time-exceeded?)
and port-unreachable on the return path, and UDP packets with different TTLs
on the outgoing path!
--Richard
-----Original Message-----
From: ccie2be [mailto:ccie2be@nyc.rr.com]
Sent: Wednesday, June 09, 2004 0:37
To: Richard Dumoulin; Group Study
Subject: Re: icmp filtering
Thanks Richard, that's what I thought, but....
Unfortunately, your answer leads to another question.
Here's the scenario:
I want to allow pings and traceroutes to come back into my network but only
if they originated from within my network. Allow other traffic.
Here's what I thought the answer should be:
int s0
ip access-group PINGS-IN in
ip access-group PINGS-OUT out
ip access-list ext PINGS-IN
evaluate PINGS
permit ip any any
ip access-list ext PINGS-OUT
permit icmp any any reflect PINGS
I figured this should work since "permit icmp any any" allows all icmp
message types. And, since traceroute uses ping, there shouldn't be a
problem. But, the solution was very different.
Solution:
int s0
ip access-group PINGS-IN in
ip access-group PINGS-OUT out
ip access-list ext PINGS-IN
permit icmp any any ttl-exceeded
permit icmp any any unreachable
evaluate ICMP
deny icmp any any
permit ip any any
ip access-list ext PINGS-OUT
permit icmp any any reflect ICMP <-- Does this statement care what the
message type is?
permit ip any any
*******************************
So, Richard, based on what you said in your earlier post, I would think that
any type of return icmp would be permitted because "permit icmp any any
reflect ICMP" would create a permit entry for any type of return icmp traffic
regardless of type. But, this solution implies something way different.
Any thoughts?
Thanks, Tim
----- Original Message -----
From: "Richard Dumoulin"
To: "ccie2be" ; "Group Study"
Sent: Tuesday, June 08, 2004 5:46 PM
Subject: RE: icmp filtering
> It allows all icmp including pings!!
>
> Do "permit icmp any any ?" and you'll see the options,
>
> --Richard
>
> -----Original Message-----
> From: ccie2be [mailto:ccie2be@nyc.rr.com]
> Sent: Tuesday, June 08, 2004 23:40
> To: Group Study
> Subject: icmp filtering
>
>
> Hi guys,
>
> I hope this isn't too dumb a question, but...
>
> Can someone confirm what this acl entry does?
>
> ip access-list ext ping
> permit (or deny) icmp any any <-----
>
> In particular, does this allow all icmp message types or just
> echo-request and echo-reply?
>
> I've searched the Doc CD and the whole of cisco.com but couldn't find
> anything definitive.
>
> I would think it would allow ( or deny) all icmp message types but,
> I'm doing practice IE lab 2, task 10.8 - 10.10 and the solution seems
> to indicate that it only permits message types echo-request and
> echo-reply.
>
> Any feedback would be appreciated. Also, if someone knows of any links
> which discuss this in detail, please let me know.
>
> TIA, Tim
>
> ______________________________________________________________________
> Please help support GroupStudy by purchasing your study materials from:
> http://shop.groupstudy.com
>
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html
This archive was generated by hypermail 2.1.4 : Sat Jul 03 2004 - 19:40:36 GMT-3