From: simon hart (simon.hart@btinternet.com)
Date: Mon May 16 2005 - 18:58:22 GMT-3
Long,
The question is phrased such that the hosts within the network can
traceroute out of the network via R5; you are not supposed to be blocking
traceroute, but allowing it.
Now if you create an RACL that reflected and only reflected icmp traffic,
would traceroute work??
HTH
Simon
-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of Long Kwok
Sent: 16 May 2005 21:14
To: ccielab@groupstudy.com
Subject: Blocking Traceroute IE Lab 2 Security section
Hi,
In IE lab 2 in the security section they discuss having to set up a RACL
that only permits icmp into your network when it was established from
inside your network, and also make sure traceroute works for users
sourcing behind R5. Given this task, I am curious how would you say
block only traceroute traffic but permit icmp echo requests/replies? I
have tried various methods to block say only R1 to traceroute to R5's
Ethernet segments but blocking all icmp/udp does not seem to do this.
So if R1 is the source of traceroute to say an Ethernet interface on R5,
I still get the complete path up to R5's serial interface facing R3?
I would assume that blocking icmp/udp inbound on R5's only path
(assuming isdn is down) would prevent R1 from getting any responses
from any routers in the path; I would expect to get all * * *'s when
tracing into R5??
TIA, Long
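Simon's hint turns on how an IOS reflexive ACL treats traceroute replies. As an added illustration (not configuration from either poster, from GroupStudy, or from the IE lab), here is the ICMP-only reflexive ACL beside a version that also lets traceroute replies back in; the interface name, ACL names and timeout are assumptions.

```cisco
! Added example, not from the thread. Assumed: Serial0/0 is R5's link
! toward R3 (the only path while ISDN is down); ACL names are arbitrary.
!
! --- Version 1: reflect ICMP, and only ICMP (Simon's question) ---
ip access-list extended OUT_ICMP_ONLY
 permit icmp any any reflect R5_STATE timeout 120
 permit ip any any
ip access-list extended IN_ICMP_ONLY
 evaluate R5_STATE
 deny ip any any log
!
! Why traceroute fails here: IOS and UNIX traceroute send UDP probes, and
! every hop answers with ICMP time-exceeded (the final hop with ICMP
! port-unreachable). The reflected entry, "permit icmp host <dst> host <src>",
! is only created when ICMP left the network, and even then it matches
! only the original destination, never the intermediate routers that
! answer. Windows tracert probes with ICMP echo but still depends on
! time-exceeded from each hop, so it also shows * * * beyond R5.
! Net effect: inside-initiated ping works, traceroute does not.
!
! --- Version 2: same reflexive rule plus the two ICMP types traceroute needs ---
ip access-list extended OUT_REFLECT
 permit icmp any any reflect R5_STATE timeout 120
 permit ip any any
ip access-list extended IN_REFLECT
 evaluate R5_STATE
 permit icmp any any time-exceeded
 permit icmp any any port-unreachable
 deny ip any any log
!
! Caveat: the two static permits are a deliberate, minimal relaxation of
! "ICMP only when established from inside"; echo requests from outside
! are still dropped by the final deny.
!
interface Serial0/0
 ip access-group OUT_REFLECT out
 ip access-group IN_REFLECT in
!
! Check: run a ping from inside, then look at the dynamic entries.
! show ip access-lists R5_STATE
```

With Version 2 applied, a traceroute from behind R5 shows every hop, while an outside-initiated ping or traceroute into the network still gets no reply.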
This archive was generated by hypermail 2.1.4 : Fri Jun 03 2005 - 10:11:58 GMT-3