RE: ICMP/Traceroute Question

From: Lab Rat #109385382 (techlist01@gmail.com)
Date: Mon Nov 13 2006 - 00:08:21 ART


So, if a lab question asks "permit all traceroute replies back in through
the router's Serial0/0/0 ACL" then that answer would be:

ip access-list extended INFILT
 permit icmp any any time-exceeded
 permit icmp any any port-unreachable
!
interface Serial0/0/0
 ip access-group INFILT in

...and that's it?

Does it "hurt" you to add "unreachable" and "echo-reply" into there as well?

Thanks,

Ed

-----Original Message-----
From: Brian Dennis [mailto:bdennis@internetworkexpert.com]
Sent: Sunday, November 12, 2006 5:31 PM
To: Lab Rat #109385382; cisco@groupstudy.com; ccie >> Cisco certification;
security@groupstudy.com
Subject: RE: ICMP/Traceroute Question

Technically you would need to know the implementation of the traceroute
application since traceroute can be ICMP, UDP, or even TCP based. In a
Cisco lab environment we can safely assume that it will be UDP based
traceroute. This means that UDP packets are sent out by the source.
ICMP time-exceeded packets are sent back by the intermediate routers in the
path and finally an ICMP port unreachable packet is sent from the
destination.

UDP based traceroute:

[root@CoachZ root]# traceroute -m 15 www.cisco.com
traceroute to www.cisco.com (198.133.219.25), 15 hops max, 38 byte packets
 1 204.12.34.254 (204.12.34.254) 1.943 ms 2.008 ms 1.886 ms
 2 foo.hostrack.net (204.10.14.254) 4.812 ms 4.326 ms 4.273 ms
 3 ser4-0.core01.las.switchcommgroup.com (66.209.64.41) 23.205 ms 21.072 ms 20.975 ms
 4 pos1-0.core02.las.oc48a.switchcommgroup.com (66.209.64.218) 21.675 ms 21.281 ms 21.378 ms
 5 500.POS4-0.GW1.VEG2.alter.net (157.130.238.193) 21.393 ms 20.683 ms 21.007 ms
 6 129.at-0-0-0.CL1.PHX2.ALTER.NET (152.63.115.26) 27.766 ms 33.290 ms 27.366 ms
 7 0.so-1-1-0.XL1.SJC2.ALTER.NET (152.63.50.153) 46.132 ms 45.544 ms 45.734 ms
 8 POS1-0.XR1.SJC2.ALTER.NET (152.63.56.138) 46.529 ms 45.811 ms 46.104 ms
 9 191.ATM6-0.GW5.SJC2.ALTER.NET (152.63.48.141) 49.735 ms 45.895 ms 46.233 ms
10 ciscosys-gw1.customer.alter.net (65.208.80.242) 46.904 ms 46.294 ms 49.976 ms
11 sjck-dmzbb-gw1.cisco.com (128.107.239.5) 31.419 ms 30.919 ms 31.876 ms
12 sjck-dmzdc-gw2.cisco.com (128.107.224.77) 30.891 ms 32.932 ms 30.741 ms
13 * * *
14 * * *
15 * * *

ICMP based traceroute:

[root@CoachZ root]# traceroute -m 15 -I www.cisco.com
traceroute to www.cisco.com (198.133.219.25), 15 hops max, 38 byte packets
 1 204.12.34.254 (204.12.34.254) 1.943 ms 2.028 ms 2.011 ms
 2 foo.hostrack.net (204.10.14.254) 5.692 ms 3.320 ms 2.778 ms
 3 ser4-0.core01.las.switchcommgroup.com (66.209.64.41) 19.102 ms 19.189 ms 19.713 ms
 4 pos1-0.core02.las.oc48a.switchcommgroup.com (66.209.64.218) 20.192 ms 20.431 ms 20.245 ms
 5 500.POS4-0.GW1.VEG2.alter.net (157.130.238.193) 20.796 ms 19.319 ms 19.872 ms
 6 129.at-0-0-0.CL1.PHX2.ALTER.NET (152.63.115.26) 26.668 ms 25.548 ms 26.387 ms
 7 0.so-1-1-0.XL1.SJC2.ALTER.NET (152.63.50.153) 46.854 ms 44.527 ms 44.610 ms
 8 POS1-0.XR1.SJC2.ALTER.NET (152.63.56.138) 45.276 ms 44.154 ms 44.490 ms
 9 191.ATM6-0.GW5.SJC2.ALTER.NET (152.63.48.141) 45.025 ms 44.965 ms 44.227 ms
10 ciscosys-gw1.customer.alter.net (65.208.80.242) 46.926 ms 44.886 ms 45.231 ms
11 sjck-dmzbb-gw1.cisco.com (128.107.239.5) 29.794 ms 30.810 ms 29.988 ms
12 * * *
13 * * *
14 * * *
15 * * *

TCP based traceroute:

[root@CoachZ root]# tcptraceroute www.cisco.com
tcptraceroute: Symbol `pcap_version' has different size in shared object, consider re-linking
Selected device eth3, address 172.16.2.93, port 34709 for outgoing packets
Tracing the path to www.cisco.com (198.133.219.25) on TCP port 80, 30 hops max
 1 204.12.34.254 (204.12.34.254) 1.471 ms 1.501 ms 1.465 ms
 2 foo.hostrack.net (204.10.14.254) 4.594 ms 5.405 ms 5.720 ms
 3 ser4-0.core01.las.switchcommgroup.com (66.209.64.41) 21.758 ms 22.803 ms 22.601 ms
 4 pos1-0.core02.las.oc48a.switchcommgroup.com (66.209.64.218) 24.231 ms 21.688 ms 20.854 ms
 5 500.POS4-0.GW1.VEG2.alter.net (157.130.238.193) 23.359 ms 43.826 ms 20.976 ms
 6 129.at-0-0-0.CL1.PHX2.ALTER.NET (152.63.115.26) 27.600 ms 28.212 ms 27.809 ms
 7 0.so-1-1-0.XL1.SJC2.ALTER.NET (152.63.50.153) 46.095 ms 46.111 ms 48.088 ms
 8 POS1-0.XR1.SJC2.ALTER.NET (152.63.56.138) 45.839 ms 45.777 ms 45.855 ms
 9 191.ATM6-0.GW5.SJC2.ALTER.NET (152.63.48.141) 45.556 ms 50.033 ms 46.527 ms
10 ciscosys-gw1.customer.alter.net (65.208.80.242) 46.210 ms 47.630 ms 47.831 ms
11 sjck-dmzbb-gw1.cisco.com (128.107.239.5) 31.083 ms 31.308 ms 30.959 ms
12 sjck-dmzdc-gw2.cisco.com (128.107.224.77) 30.693 ms 31.420 ms 30.834 ms
13 www.cisco.com (198.133.219.25) [open] 30.517 ms 31.361 ms 34.572 ms
[root@CoachZ root]#

HTH,
 
Brian Dennis, CCIE #2210 (R&S/ISP-Dial/Security)
bdennis@internetworkexpert.com
 
Internetwork Expert, Inc.
http://www.InternetworkExpert.com
Toll Free: 877-224-8987
Direct: 775-745-6404 (Outside the US and Canada)
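Added example, not from any message in this thread: a small model of the inbound ACL under discussion, checked against the reply packets each traceroute flavour above produces. The ICMP type/code numbers follow RFC 792 and the IOS ACL keywords map onto them as shown; the reply sets are constructed to match Brian's description (time-exceeded from intermediate hops, then port-unreachable, echo-reply or a TCP answer from the target).

```python
# Model of a Cisco extended ACL's ICMP entries and the replies that
# UDP-, ICMP- and TCP-based traceroute send back through it.
# Keyword -> (type, code); a code of None matches every code of that type.
ICMP_KEYWORDS = {
    "echo-reply": (0, None),
    "unreachable": (3, None),       # any destination-unreachable code
    "port-unreachable": (3, 3),     # only type 3, code 3
    "time-exceeded": (11, None),
}

def parse_acl(lines):
    """Turn 'permit icmp any any <keyword>' entries into (type, code) tuples."""
    entries = []
    for line in lines:
        parts = line.split()
        if len(parts) == 5 and parts[:2] == ["permit", "icmp"]:
            entries.append(ICMP_KEYWORDS[parts[4]])
    return entries

def permitted(acl, icmp_type, icmp_code):
    """True if some entry matches; otherwise the packet hits the implicit deny."""
    return any(t == icmp_type and (c is None or c == icmp_code) for t, c in acl)

# Constructed reply sets, one per probe type (two intermediate hops, one target).
# Intermediate routers always answer with time-exceeded (11/0); the final
# answer depends on what the probe was.
REPLIES = {
    "udp":  [(11, 0), (11, 0), (3, 3)],   # target answers port-unreachable
    "icmp": [(11, 0), (11, 0), (0, 0)],   # target answers echo-reply
    "tcp":  [(11, 0), (11, 0)],           # target answers with TCP, not ICMP
}

def check_traceroute(acl, flavour):
    """Return the ICMP replies of this traceroute flavour the ACL would drop."""
    return [r for r in REPLIES[flavour] if not permitted(acl, *r)]

# The two-line ACL from the question.
INFILT = parse_acl([
    "permit icmp any any time-exceeded",
    "permit icmp any any port-unreachable",
])

if __name__ == "__main__":
    for flavour in REPLIES:
        print(f"{flavour}-based traceroute, dropped: {check_traceroute(INFILT, flavour)}")
```

Adding "unreachable" widens the second entry from code 3 to every type 3 code; adding "echo-reply" is what an ICMP-based (`-I`) traceroute would need.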

 

-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of Lab
Rat #109385382
Sent: Sunday, November 12, 2006 1:10 PM
To: cisco@groupstudy.com; ccie >> Cisco certification;
security@groupstudy.com
Subject: ICMP/Traceroute Question

What's the difference between ICMP unreachable versus ICMP port-unreachable?

And what are the icmp-types for Traceroute? I have seen "echo-reply",
"time-exceeded", "unreachable", "port-unreachable" and any combination of
the four listed in various solutions. If I'm asked a question to allow
Traceroute back in an ACL, which ones do I have to consider?

Thanks,

Ed



This archive was generated by hypermail 2.1.4 : Fri Dec 01 2006 - 08:05:46 ART