RE: Blocking Traceroute IE Lab 2 Security section

From: Long Kwok (lkwok@ccieunix.com)
Date: Mon May 16 2005 - 19:19:29 GMT-3


Yeah, that was a poorly worded email on my part, sorry about that. The
solution works great and is a well explained task; my question is just
related to that task's subject material, I kind of went off on a tangent.
I saw what the solution showed as permitting the following (not exact,
as from the IE book):

access-list 100 permit icmp any any time-exceeded
access-list 100 permit icmp any any port-unreachable

IE's solution has something similar to this (as just related to
traceroute). So I was like, oh this is interesting, as I always thought
that traceroute uses UDP also? So I modified this while doing this lab
task and instead thought, what if we wanted to or were asked to deny
traceroute, say from R1 to R5's directly connected networks? So say you
were told when you do traceroute 192.20.1.5 you should see all asterisks,
AKA timeout. So I denied the above ACL inbound to R5's Serial interface
facing R3 as depicted on IE's topo map, and R1 can still trace into
R5's Ethernet networks??

TIA , Long

-----Original Message-----
From: simon hart [mailto:simon.hart@btinternet.com]
Sent: Monday, May 16, 2005 2:58 PM
To: Long Kwok; ccielab@groupstudy.com
Subject: RE: Blocking Traceroute IE Lab 2 Security section

Long,

The question is phrased such that the hosts within the network can
traceroute out of the network via R5; you are not supposed to be
blocking traceroute, but allowing it.

Now if you create an RACL that reflected and only reflected ICMP
traffic, would traceroute work??

HTH

Simon

-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
Long Kwok
Sent: 16 May 2005 21:14
To: ccielab@groupstudy.com
Subject: Blocking Traceroute IE Lab 2 Security section

Hi,

In IE lab 2 in the security section they discuss having to set up an RACL
that only permits ICMP into your network when it was established from
inside your network, and also make sure traceroute works for users
sourcing behind R5. Given this task, I am curious how would you say
block only traceroute traffic but permit ICMP echo requests/replies? I
have tried various methods to block, say, only R1 to traceroute to R5's
Ethernet segments, but blocking all ICMP/UDP does not seem to do this.
So if R1 is the source of traceroute to say an Ethernet interface on R5,
I still get the complete path up to R5's serial interface facing R3?
I would assume that blocking ICMP/UDP inbound on R5's only path
(assuming ISDN is down) would prevent R1 from getting any responses
from any routers in the path; I would expect to get all * * *'s when
tracing into R5??

TIA , Long
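The two situations discussed in this thread, as an added example that is not from the IE workbook or any poster's configuration: a small Python model of UDP-probe traceroute evaluated against an IOS-style access list. Hop names follow the thread; the ACL entries, the explicit `permit ip` at the end of Long's list, and the one-hop path R1 to R3 to R5 are my assumptions for the model.

```python
"""Model of UDP-probe traceroute versus an IOS-style access list.
Constructed example: hop names follow the thread, everything else is assumed.
Each hop whose TTL expires answers ICMP time-exceeded; the destination answers
ICMP port-unreachable because the probe targets an unused high UDP port."""
from typing import NamedTuple

class Pkt(NamedTuple):
    proto: str           # "udp" or "icmp"
    icmp_type: str = ""  # "time-exceeded", "port-unreachable", ...

class Ace(NamedTuple):
    action: str          # "permit" or "deny"
    proto: str           # "ip", "udp" or "icmp"
    icmp_type: str = ""  # "" matches any ICMP type

def acl_permits(acl, pkt):
    """First-match evaluation with the implicit deny at the end of the list."""
    for ace in acl:
        if ace.proto in ("ip", pkt.proto) and ace.icmp_type in ("", pkt.icmp_type):
            return ace.action == "permit"
    return False

# Case 1 (Simon's hint): hosts behind R5 trace out.  A reflexive entry mirrors
# the protocol of the outbound session, so a UDP probe can only ever open a
# UDP entry, and no outbound ICMP session exists for the ICMP replies to match.
def traceroute_out_of_r5(reflect_protos, static_inbound):
    """Returns whether each kind of traceroute reply gets back in past R5."""
    reflected = [Ace("permit", "udp")] if "udp" in reflect_protos else []
    inbound = reflected + list(static_inbound)  # reflected entries are checked first
    replies = [Pkt("icmp", "time-exceeded"), Pkt("icmp", "port-unreachable")]
    return {r.icmp_type: acl_permits(inbound, r) for r in replies}

# Case 2 (Long's tangent): R1 traces into R5 through R3 with an ACL applied
# inbound on R5's serial interface.  Only packets *entering* that interface are
# checked: R3's reply never touches R5, and R5's own reply leaves unchecked.
def traceroute_into_r5(r5_serial_inbound):
    """Returns the hop answering each TTL, '*' where the probe gets no reply."""
    seen = ["R3"]
    seen.append("R5" if acl_permits(r5_serial_inbound, Pkt("udp")) else "*")
    return seen

if __name__ == "__main__":
    only_icmp_types = [Ace("deny", "icmp", "time-exceeded"),
                       Ace("deny", "icmp", "port-unreachable"), Ace("permit", "ip")]
    print(traceroute_into_r5(only_icmp_types))                            # ['R3', 'R5']
    print(traceroute_into_r5([Ace("deny", "udp"), Ace("permit", "ip")]))  # ['R3', '*']
    print(traceroute_out_of_r5({"icmp"}, []))                             # both False
    print(traceroute_out_of_r5({"icmp"}, [Ace("permit", "icmp", "time-exceeded"),
                                          Ace("permit", "icmp", "port-unreachable")]))
```

Denying the two ICMP types inbound on R5's serial interface changes nothing for a trace coming in, because those types only ever leave R5 in that direction; the trace stops at R3 only when the UDP probe itself is dropped, and a trace going out needs the two static ICMP permits regardless of what is reflected.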



This archive was generated by hypermail 2.1.4 : Fri Jun 03 2005 - 10:11:58 GMT-3