From: Brian Dennis (bdennis@internetworkexpert.com)
Date: Mon Nov 13 2006 - 00:18:34 ART
If it's not needed for the solution then don't permit it. 
 
Brian Dennis, CCIE #2210 (R&S/ISP-Dial/Security) 
bdennis@internetworkexpert.com 
 
Internetwork Expert, Inc. 
http://www.InternetworkExpert.com
Toll Free: 877-224-8987
Direct: 775-745-6404 (Outside the US and Canada) 
 
-----Original Message-----
From: Lab Rat #109385382 [mailto:techlist01@gmail.com] 
Sent: Sunday, November 12, 2006 7:08 PM
To: Brian Dennis; cisco@groupstudy.com; ccie >> Cisco certification; security@groupstudy.com
Subject: RE: ICMP/Traceroute Question
So, if a lab question asks "permit all traceroute replies back in through the router's Serial0/0/0 ACL" then that answer would be:
Interface Serial0/0/0
ip access-list extended INFILT
permit icmp any any time-exceeded
permit icmp any any port-unreachable
...and that's it?
Does it "hurt" you to add "unreachable" and "echo-reply" into there as well?
Thanks,
Ed
-----Original Message-----
From: Brian Dennis [mailto:bdennis@internetworkexpert.com] 
Sent: Sunday, November 12, 2006 5:31 PM
To: Lab Rat #109385382; cisco@groupstudy.com; ccie >> Cisco certification; security@groupstudy.com
Subject: RE: ICMP/Traceroute Question
Technically you would need to know the implementation of the traceroute application since traceroute can be ICMP, UDP, or even TCP based. In a Cisco lab environment we can safely assume that it will be UDP based traceroute. This means that UDP packets are sent out by the source. ICMP time-exceeded packets are sent back by the intermediate routers in the path and finally an ICMP port unreachable packet is sent from the destination.
UDP based traceroute:
[root@CoachZ root]# traceroute -m 15 www.cisco.com
traceroute to www.cisco.com (198.133.219.25), 15 hops max, 38 byte packets
 1  204.12.34.254 (204.12.34.254)  1.943 ms  2.008 ms  1.886 ms
 2  foo.hostrack.net (204.10.14.254)  4.812 ms  4.326 ms  4.273 ms
 3  ser4-0.core01.las.switchcommgroup.com (66.209.64.41)  23.205 ms  21.072 ms  20.975 ms
 4  pos1-0.core02.las.oc48a.switchcommgroup.com (66.209.64.218)  21.675 ms  21.281 ms  21.378 ms
 5  500.POS4-0.GW1.VEG2.alter.net (157.130.238.193)  21.393 ms  20.683 ms  21.007 ms
 6  129.at-0-0-0.CL1.PHX2.ALTER.NET (152.63.115.26)  27.766 ms  33.290 ms  27.366 ms
 7  0.so-1-1-0.XL1.SJC2.ALTER.NET (152.63.50.153)  46.132 ms  45.544 ms  45.734 ms
 8  POS1-0.XR1.SJC2.ALTER.NET (152.63.56.138)  46.529 ms  45.811 ms  46.104 ms
 9  191.ATM6-0.GW5.SJC2.ALTER.NET (152.63.48.141)  49.735 ms  45.895 ms  46.233 ms
10  ciscosys-gw1.customer.alter.net (65.208.80.242)  46.904 ms  46.294 ms  49.976 ms
11  sjck-dmzbb-gw1.cisco.com (128.107.239.5)  31.419 ms  30.919 ms  31.876 ms
12  sjck-dmzdc-gw2.cisco.com (128.107.224.77)  30.891 ms  32.932 ms  30.741 ms
13  * * *
14  * * *
15  * * *
ICMP based traceroute:
[root@CoachZ root]# traceroute -m 15 -I www.cisco.com
traceroute to www.cisco.com (198.133.219.25), 15 hops max, 38 byte packets
 1  204.12.34.254 (204.12.34.254)  1.943 ms  2.028 ms  2.011 ms
 2  foo.hostrack.net (204.10.14.254)  5.692 ms  3.320 ms  2.778 ms
 3  ser4-0.core01.las.switchcommgroup.com (66.209.64.41)  19.102 ms  19.189 ms  19.713 ms
 4  pos1-0.core02.las.oc48a.switchcommgroup.com (66.209.64.218)  20.192 ms  20.431 ms  20.245 ms
 5  500.POS4-0.GW1.VEG2.alter.net (157.130.238.193)  20.796 ms  19.319 ms  19.872 ms
 6  129.at-0-0-0.CL1.PHX2.ALTER.NET (152.63.115.26)  26.668 ms  25.548 ms  26.387 ms
 7  0.so-1-1-0.XL1.SJC2.ALTER.NET (152.63.50.153)  46.854 ms  44.527 ms  44.610 ms
 8  POS1-0.XR1.SJC2.ALTER.NET (152.63.56.138)  45.276 ms  44.154 ms  44.490 ms
 9  191.ATM6-0.GW5.SJC2.ALTER.NET (152.63.48.141)  45.025 ms  44.965 ms  44.227 ms
10  ciscosys-gw1.customer.alter.net (65.208.80.242)  46.926 ms  44.886 ms  45.231 ms
11  sjck-dmzbb-gw1.cisco.com (128.107.239.5)  29.794 ms  30.810 ms  29.988 ms
12  * * *
13  * * *
14  * * *
15  * * *
TCP based traceroute:
[root@CoachZ root]# tcptraceroute www.cisco.com
tcptraceroute: Symbol `pcap_version' has different size in shared object, consider re-linking
Selected device eth3, address 172.16.2.93, port 34709 for outgoing packets
Tracing the path to www.cisco.com (198.133.219.25) on TCP port 80, 30 hops max
 1  204.12.34.254 (204.12.34.254)  1.471 ms  1.501 ms  1.465 ms
 2  foo.hostrack.net (204.10.14.254)  4.594 ms  5.405 ms  5.720 ms
 3  ser4-0.core01.las.switchcommgroup.com (66.209.64.41)  21.758 ms  22.803 ms  22.601 ms
 4  pos1-0.core02.las.oc48a.switchcommgroup.com (66.209.64.218)  24.231 ms  21.688 ms  20.854 ms
 5  500.POS4-0.GW1.VEG2.alter.net (157.130.238.193)  23.359 ms  43.826 ms  20.976 ms
 6  129.at-0-0-0.CL1.PHX2.ALTER.NET (152.63.115.26)  27.600 ms  28.212 ms  27.809 ms
 7  0.so-1-1-0.XL1.SJC2.ALTER.NET (152.63.50.153)  46.095 ms  46.111 ms  48.088 ms
 8  POS1-0.XR1.SJC2.ALTER.NET (152.63.56.138)  45.839 ms  45.777 ms  45.855 ms
 9  191.ATM6-0.GW5.SJC2.ALTER.NET (152.63.48.141)  45.556 ms  50.033 ms  46.527 ms
10  ciscosys-gw1.customer.alter.net (65.208.80.242)  46.210 ms  47.630 ms  47.831 ms
11  sjck-dmzbb-gw1.cisco.com (128.107.239.5)  31.083 ms  31.308 ms  30.959 ms
12  sjck-dmzdc-gw2.cisco.com (128.107.224.77)  30.693 ms  31.420 ms  30.834 ms
13  www.cisco.com (198.133.219.25) [open]  30.517 ms  31.361 ms  34.572 ms
[root@CoachZ root]#
HTH,
 
Brian Dennis, CCIE #2210 (R&S/ISP-Dial/Security)
bdennis@internetworkexpert.com 
 
Internetwork Expert, Inc. 
http://www.InternetworkExpert.com
Toll Free: 877-224-8987
Direct: 775-745-6404 (Outside the US and Canada) 
 
-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of Lab Rat #109385382
Sent: Sunday, November 12, 2006 1:10 PM
To: cisco@groupstudy.com; ccie >> Cisco certification; security@groupstudy.com
Subject: ICMP/Traceroute Question
What's the difference between ICMP unreachable versus ICMP port-unreachable?
And what are the icmp-types for Traceroute? I have seen "echo-reply", "time-exceeded", "unreachable", "port-unreachable" and any combination of the four listed in various solutions. If I'm asked a question to allow Traceroute back in an ACL, which ones do I have to consider?
Thanks,
Ed
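Added illustration, not part of this thread: a small model of the reply traffic Brian describes for UDP, ICMP and TCP traceroute, checked against the IOS ACL keywords Ed asks about. The keyword-to-type mapping (unreachable = type 3 any code, port-unreachable = type 3 code 3, time-exceeded = type 11, echo-reply = type 0) is standard IOS behaviour; the three-hop reply sequences and the `ED_ACL` string are constructed for the example.

```python
# Which ICMP replies does each traceroute flavour generate, and which
# Cisco-style ACL keywords are needed to let them back in? (Added example.)

# IOS icmp-type keyword -> (ICMP type, ICMP code or None for "any code")
ICMP_KEYWORDS = {
    "echo-reply": (0, None),
    "unreachable": (3, None),        # all destination-unreachable codes
    "port-unreachable": (3, 3),      # only code 3 of type 3
    "time-exceeded": (11, None),
}

def parse_acl(text):
    """Collect (type, code) for each 'permit icmp any any <keyword>' line."""
    rules = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 5 and parts[:2] == ["permit", "icmp"]:
            rules.append(ICMP_KEYWORDS[parts[4]])
    return rules

def permitted(rules, pkt):
    """True if an ICMP-only ACL would pass this reply packet."""
    if pkt["proto"] != "icmp":
        return False   # a TCP SYN/ACK is not matched by any icmp entry
    return any(t == pkt["type"] and (c is None or c == pkt["code"])
               for t, c in rules)

def traceroute_replies(mode):
    """Constructed replies for a 3-hop path: two intermediate routers, then
    the destination. Intermediate hops always answer with time-exceeded."""
    hops = [{"proto": "icmp", "type": 11, "code": 0}] * 2
    final = {
        "udp": {"proto": "icmp", "type": 3, "code": 3},   # port unreachable
        "icmp": {"proto": "icmp", "type": 0, "code": 0},  # echo reply
        "tcp": {"proto": "tcp", "flags": "SA"},           # SYN/ACK ("[open]")
    }[mode]
    return hops + [final]

def trace_completes(acl_text, mode):
    """Does every reply in the trace get back through the ACL?"""
    rules = parse_acl(acl_text)
    return all(permitted(rules, p) for p in traceroute_replies(mode))

# Ed's proposed two-line ACL (constructed string, same entries as his mail)
ED_ACL = "permit icmp any any time-exceeded\npermit icmp any any port-unreachable"
```

Run `trace_completes(ED_ACL, "udp")` against `"icmp"` and `"tcp"` to see that the two entries are exactly what a UDP trace needs, while echo-reply only matters for `-I` and no ICMP entry covers the TCP final hop.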
This archive was generated by hypermail 2.1.4 : Fri Dec 01 2006 - 08:05:46 ART