From: ccie2be (ccie2be@nyc.rr.com)
Date: Tue Jun 08 2004 - 22:15:01 GMT-3
Thanks Brian. I think I've got it now. I forgot about that stuff regarding
Cisco's implementation of traceroute not using icmp.
BTW, how did you find out about Cisco's implementation of traceroute? Is that
documented somewhere? If so, where?
Thanks again.
----- Original Message -----
From: "Brian McGahan" <bmcgahan@internetworkexpert.com>
To: "ccie2be" <ccie2be@nyc.rr.com>; "Group Study" <ccielab@groupstudy.com>
Sent: Tuesday, June 08, 2004 7:17 PM
Subject: RE: icmp filtering
> ***************
> Since a traceroute uses ping, and the icmp message type isn't considered
> since all message types are allowed, wouldn't any type of icmp message
> type be allowed back in by virtue of the "permit icmp any any reflect ICMP"
> and therefore negate the need for explicitly allowing
> the icmp time-exceeded and unreachable message types?
>
> **********************
Cisco traceroute doesn't use ICMP, it uses UDP. Read Lab 3 task 10.1 -
10.3 breakdown for more info.
HTH,
Brian McGahan, CCIE #8593
bmcgahan@internetworkexpert.com
Internetwork Expert, Inc.
http://www.InternetworkExpert.com
Toll Free: 877-224-8987 x 705
Outside US: 775-826-4344 x 705
> -----Original Message-----
> From: ccie2be [mailto:ccie2be@nyc.rr.com]
> Sent: Tuesday, June 08, 2004 6:07 PM
> To: Brian McGahan; Group Study
> Subject: Re: icmp filtering
>
> Thanks for getting back to me.
>
> See comments in-line.
> ----- Original Message -----
> From: "Brian McGahan" <bmcgahan@internetworkexpert.com>
> To: "ccie2be" <ccie2be@nyc.rr.com>; "Group Study" <ccielab@groupstudy.com>
> Sent: Tuesday, June 08, 2004 6:02 PM
> Subject: RE: icmp filtering
>
>
> Tim,
>
> What about the question and solution implies this? The question
> says:
>
> "Configure your network so that ICMP traffic is only allowed into your
> network if the traffic was initiated from behind R5. For diagnostic and
> troubleshooting purposes, ensure that users throughout your network are
> still able to traceroute from behind R5."
>
> The solution is:
>
> R5:
> interface Ethernet0/1
> ip access-group DENY_SNMP in
> ip access-group EVALUATE_ICMP out
> !
> ip access-list extended DENY_SNMP
> deny udp any any eq snmp
> permit icmp any any time-exceeded
> permit icmp any any unreachable
> evaluate ICMP
> deny icmp any any
> permit ip any any
> !
> ip access-list extended EVALUATE_ICMP
> permit icmp any any reflect ICMP
> permit ip any any
>
> Essentially you are watching ICMP traffic that is exiting:
>
> permit icmp any any reflect ICMP
>
> and you are allowing it back in only if was initiated from the
> inside:
>
> evaluate ICMP
> deny icmp any any
>
> ***************
> Since a traceroute uses ping, and the icmp message type isn't considered
> since all message types are allowed, wouldn't any type of icmp message
> type be allowed back in by virtue of the "permit icmp any any reflect ICMP"
> and therefore negate the need for explicitly allowing
> the icmp time-exceeded and unreachable message types?
>
> **********************
>
> but you are allowing trace replies back:
>
> permit icmp any any time-exceeded
> permit icmp any any unreachable
>
> How does this relate to echo or echo-reply?
>
> HTH,
>
> Brian McGahan, CCIE #8593
> bmcgahan@internetworkexpert.com
>
> Internetwork Expert, Inc.
> http://www.InternetworkExpert.com
> Toll Free: 877-224-8987 x 705
> Outside US: 775-826-4344 x 705
>
>
> > -----Original Message-----
> > From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
> > ccie2be
> > Sent: Tuesday, June 08, 2004 4:40 PM
> > To: Group Study
> > Subject: icmp filtering
> >
> > Hi guys,
> >
> > I hope this isn't too dumb a question, but...
> >
> > Can someone confirm what this acl entry does?
> >
> > ip access-list ext ping
> > permit (or deny) icmp any any <-----
> >
> > In particular, does this allow all icmp message types or just echo-request
> > and echo-reply?
> >
> > I've searched the Doc Cd and the whole of cisco.com but couldn't find
> > anything definitive.
> >
> > I would think it would allow ( or deny) all icmp message types but, I'm
> > doing practice IE lab 2, task 10.8 - 10.10 and the solution seems to
> > indicate that it only permits message types echo-request and echo-reply.
> >
> > Any feedback would be appreciated. Also, if someone knows of any links
> > which discuss this in detail, please let me know.
> >
> > TIA, Tim
> >
> >
>
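The ACL logic Brian walks through above, replayed as an added Python model (constructed here, not Cisco's or Internetwork Expert's code): the outbound list reflects only ICMP, so a ping's echo-reply comes back through the evaluate entry, but a Cisco traceroute sends UDP probes, and the time-exceeded/unreachable replies arrive from addresses the reflexive entries never recorded, which is why the two explicit lines are needed. The addresses, the probe port, and the keying of a reflexive entry (protocol plus swapped addresses, ignoring timeouts and ICMP types) are assumptions of the model.

```python
from dataclasses import dataclass
from typing import Optional, Set, Tuple

# Simplified model of the two IOS lists quoted in the thread (constructed, not Cisco code).
@dataclass(frozen=True)
class Pkt:
    proto: str                       # "icmp" or "udp"
    src: str
    dst: str
    icmp_type: Optional[str] = None  # "echo", "echo-reply", "time-exceeded", "unreachable"
    dport: Optional[int] = None      # UDP destination port

Reflex = Set[Tuple[str, str, str]]   # temporary entries: (proto, src, dst), addresses mirrored

def egress_evaluate_icmp(pkt: Pkt, reflex: Reflex) -> str:
    """EVALUATE_ICMP (outbound): 'permit icmp any any reflect ICMP', then 'permit ip any any'.
    Assumption: a reflected entry is keyed on protocol plus swapped addresses only."""
    if pkt.proto == "icmp":
        reflex.add(("icmp", pkt.dst, pkt.src))
    return "permit"

def ingress_deny_snmp(pkt: Pkt, reflex: Reflex, explicit_trace: bool) -> str:
    """DENY_SNMP (inbound), first match wins. explicit_trace=False removes the
    time-exceeded/unreachable lines to show why the solution needs them."""
    if pkt.proto == "udp" and pkt.dport == 161:                  # deny udp any any eq snmp
        return "deny"
    if explicit_trace and pkt.icmp_type in ("time-exceeded", "unreachable"):
        return "permit"                                          # permit icmp any any time-exceeded / unreachable
    if (pkt.proto, pkt.src, pkt.dst) in reflex:                  # evaluate ICMP
        return "permit"
    if pkt.proto == "icmp":                                      # deny icmp any any
        return "deny"
    return "permit"                                              # permit ip any any

def run_scenarios(explicit_trace: bool) -> dict:
    """Replay a ping and a Cisco-style (UDP probe) traceroute from behind R5. Addresses are constructed."""
    reflex: Reflex = set()
    inside, ping_dst, trace_dst = "10.5.5.10", "192.0.2.50", "192.0.2.77"
    hop, outsider = "203.0.113.1", "198.51.100.7"
    out = {}
    # ping: the outbound echo is ICMP, so it is reflected and the echo-reply matches the evaluate entry
    egress_evaluate_icmp(Pkt("icmp", inside, ping_dst, icmp_type="echo"), reflex)
    out["echo-reply"] = ingress_deny_snmp(Pkt("icmp", ping_dst, inside, icmp_type="echo-reply"), reflex, explicit_trace)
    # an echo nobody inside asked for has no entry and falls through to 'deny icmp any any'
    out["unsolicited-echo"] = ingress_deny_snmp(Pkt("icmp", outsider, inside, icmp_type="echo"), reflex, explicit_trace)
    # traceroute: the probe is UDP, so 'reflect ICMP' records nothing for it, and the time-exceeded
    # comes from an intermediate hop whose address the router never saw as a destination
    egress_evaluate_icmp(Pkt("udp", inside, trace_dst, dport=33434), reflex)
    out["time-exceeded"] = ingress_deny_snmp(Pkt("icmp", hop, inside, icmp_type="time-exceeded"), reflex, explicit_trace)
    out["port-unreachable"] = ingress_deny_snmp(Pkt("icmp", trace_dst, inside, icmp_type="unreachable"), reflex, explicit_trace)
    # an SNMP poll from outside is dropped by the first line either way
    out["snmp-poll"] = ingress_deny_snmp(Pkt("udp", outsider, inside, dport=161), reflex, explicit_trace)
    return out
```

Run `run_scenarios(True)` and `run_scenarios(False)` side by side: only the two traceroute replies change, from permit to deny.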
This archive was generated by hypermail 2.1.4 : Sat Jul 03 2004 - 19:40:36 GMT-3