RE: ICMP/Traceroute Question

From: Udo (ccie_groupstudy@yahoo.de)
Date: Mon Nov 13 2006 - 04:00:36 ART


Hi,

why not use
'R1(config-ext-nacl)#permit icmp any any traceroute ' ?

Udo

On Sunday, 12.11.2006, 22:18 -0500, Brian Dennis wrote:
> If it's not needed for the solution then don't permit it.
>
> Brian Dennis, CCIE #2210 (R&S/ISP-Dial/Security)
> bdennis@internetworkexpert.com
>
> Internetwork Expert, Inc.
> http://www.InternetworkExpert.com
> Toll Free: 877-224-8987
> Direct: 775-745-6404 (Outside the US and Canada)
>
>
>
> -----Original Message-----
> From: Lab Rat #109385382 [mailto:techlist01@gmail.com]
> Sent: Sunday, November 12, 2006 7:08 PM
> To: Brian Dennis; cisco@groupstudy.com; ccie >> Cisco certification;
> security@groupstudy.com
> Subject: RE: ICMP/Traceroute Question
>
> So, if a lab question asks "permit all traceroute replies back in
> through
> the router's Serial0/0/0 ACL" then that answer would be:
>
> Interface Serial0/0/0
> ip access-list extended INFILT
> permit icmp any any time-exceeded
> permit icmp any any port-unreachable
>
> ...and that's it?
>
> Does it "hurt" you to add "unreachable" and "echo-reply" into there as
> well?
>
> Thanks,
>
> Ed
>
>
> -----Original Message-----
> From: Brian Dennis [mailto:bdennis@internetworkexpert.com]
> Sent: Sunday, November 12, 2006 5:31 PM
> To: Lab Rat #109385382; cisco@groupstudy.com; ccie >> Cisco
> certification;
> security@groupstudy.com
> Subject: RE: ICMP/Traceroute Question
>
> Technically you would need to know the implementation of the traceroute
> application since traceroute can be ICMP, UDP, or even TCP based. In a
> Cisco lab environment we can safely assume that it will be UDP based
> traceroute. This means that UDP packets are sent out by the source.
> ICMP time-exceeded packets are sent back by the intermediate routers in
> the
> path and finally an ICMP port unreachable packet is sent from the
> destination.
>
> UDP based traceroute:
>
> [root@CoachZ root]# traceroute -m 15 www.cisco.com
> traceroute to www.cisco.com (198.133.219.25), 15 hops max, 38 byte packets
> 1 204.12.34.254 (204.12.34.254) 1.943 ms 2.008 ms 1.886 ms
> 2 foo.hostrack.net (204.10.14.254) 4.812 ms 4.326 ms 4.273 ms
> 3 ser4-0.core01.las.switchcommgroup.com (66.209.64.41) 23.205 ms 21.072 ms 20.975 ms
> 4 pos1-0.core02.las.oc48a.switchcommgroup.com (66.209.64.218) 21.675 ms 21.281 ms 21.378 ms
> 5 500.POS4-0.GW1.VEG2.alter.net (157.130.238.193) 21.393 ms 20.683 ms 21.007 ms
> 6 129.at-0-0-0.CL1.PHX2.ALTER.NET (152.63.115.26) 27.766 ms 33.290 ms 27.366 ms
> 7 0.so-1-1-0.XL1.SJC2.ALTER.NET (152.63.50.153) 46.132 ms 45.544 ms 45.734 ms
> 8 POS1-0.XR1.SJC2.ALTER.NET (152.63.56.138) 46.529 ms 45.811 ms 46.104 ms
> 9 191.ATM6-0.GW5.SJC2.ALTER.NET (152.63.48.141) 49.735 ms 45.895 ms 46.233 ms
> 10 ciscosys-gw1.customer.alter.net (65.208.80.242) 46.904 ms 46.294 ms 49.976 ms
> 11 sjck-dmzbb-gw1.cisco.com (128.107.239.5) 31.419 ms 30.919 ms 31.876 ms
> 12 sjck-dmzdc-gw2.cisco.com (128.107.224.77) 30.891 ms 32.932 ms 30.741 ms
> 13 * * *
> 14 * * *
> 15 * * *
>
> ICMP based traceroute:
>
> [root@CoachZ root]# traceroute -m 15 -I www.cisco.com
> traceroute to www.cisco.com (198.133.219.25), 15 hops max, 38 byte packets
> 1 204.12.34.254 (204.12.34.254) 1.943 ms 2.028 ms 2.011 ms
> 2 foo.hostrack.net (204.10.14.254) 5.692 ms 3.320 ms 2.778 ms
> 3 ser4-0.core01.las.switchcommgroup.com (66.209.64.41) 19.102 ms 19.189 ms 19.713 ms
> 4 pos1-0.core02.las.oc48a.switchcommgroup.com (66.209.64.218) 20.192 ms 20.431 ms 20.245 ms
> 5 500.POS4-0.GW1.VEG2.alter.net (157.130.238.193) 20.796 ms 19.319 ms 19.872 ms
> 6 129.at-0-0-0.CL1.PHX2.ALTER.NET (152.63.115.26) 26.668 ms 25.548 ms 26.387 ms
> 7 0.so-1-1-0.XL1.SJC2.ALTER.NET (152.63.50.153) 46.854 ms 44.527 ms 44.610 ms
> 8 POS1-0.XR1.SJC2.ALTER.NET (152.63.56.138) 45.276 ms 44.154 ms 44.490 ms
> 9 191.ATM6-0.GW5.SJC2.ALTER.NET (152.63.48.141) 45.025 ms 44.965 ms 44.227 ms
> 10 ciscosys-gw1.customer.alter.net (65.208.80.242) 46.926 ms 44.886 ms 45.231 ms
> 11 sjck-dmzbb-gw1.cisco.com (128.107.239.5) 29.794 ms 30.810 ms 29.988 ms
> 12 * * *
> 13 * * *
> 14 * * *
> 15 * * *
>
> TCP based traceroute:
>
> [root@CoachZ root]# tcptraceroute www.cisco.com
> tcptraceroute: Symbol `pcap_version' has different size in shared object, consider re-linking
> Selected device eth3, address 172.16.2.93, port 34709 for outgoing packets
> Tracing the path to www.cisco.com (198.133.219.25) on TCP port 80, 30 hops max
> 1 204.12.34.254 (204.12.34.254) 1.471 ms 1.501 ms 1.465 ms
> 2 foo.hostrack.net (204.10.14.254) 4.594 ms 5.405 ms 5.720 ms
> 3 ser4-0.core01.las.switchcommgroup.com (66.209.64.41) 21.758 ms 22.803 ms 22.601 ms
> 4 pos1-0.core02.las.oc48a.switchcommgroup.com (66.209.64.218) 24.231 ms 21.688 ms 20.854 ms
> 5 500.POS4-0.GW1.VEG2.alter.net (157.130.238.193) 23.359 ms 43.826 ms 20.976 ms
> 6 129.at-0-0-0.CL1.PHX2.ALTER.NET (152.63.115.26) 27.600 ms 28.212 ms 27.809 ms
> 7 0.so-1-1-0.XL1.SJC2.ALTER.NET (152.63.50.153) 46.095 ms 46.111 ms 48.088 ms
> 8 POS1-0.XR1.SJC2.ALTER.NET (152.63.56.138) 45.839 ms 45.777 ms 45.855 ms
> 9 191.ATM6-0.GW5.SJC2.ALTER.NET (152.63.48.141) 45.556 ms 50.033 ms 46.527 ms
> 10 ciscosys-gw1.customer.alter.net (65.208.80.242) 46.210 ms 47.630 ms 47.831 ms
> 11 sjck-dmzbb-gw1.cisco.com (128.107.239.5) 31.083 ms 31.308 ms 30.959 ms
> 12 sjck-dmzdc-gw2.cisco.com (128.107.224.77) 30.693 ms 31.420 ms 30.834 ms
> 13 www.cisco.com (198.133.219.25) [open] 30.517 ms 31.361 ms 34.572 ms
> [root@CoachZ root]#
>
> HTH,
>
> Brian Dennis, CCIE #2210 (R&S/ISP-Dial/Security)
> bdennis@internetworkexpert.com
>
> Internetwork Expert, Inc.
> http://www.InternetworkExpert.com
> Toll Free: 877-224-8987
> Direct: 775-745-6404 (Outside the US and Canada)
>
>
>
> -----Original Message-----
> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
> Lab
> Rat #109385382
> Sent: Sunday, November 12, 2006 1:10 PM
> To: cisco@groupstudy.com; ccie >> Cisco certification;
> security@groupstudy.com
> Subject: ICMP/Traceroute Question
>
> What's the difference between ICMP unreachable versus ICMP
> port-unreachable?
>
> And what are the icmp-types for Traceroute? I have seen "echo-reply",
> "time-exceeded", "unreachable", "port-unreachable" and any combination
> of
> the four listed in various solutions. If I'm asked a question to allow
> Traceroute back in an ACL, which ones do I have to consider?
>
> Thanks,
>
> Ed
>
> _______________________________________________________________________
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html
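As an added example that is not part of the thread: a small Python model of the IOS extended-ACL ICMP keywords discussed above, mapped to their standard ICMP type/code values (the `traceroute` keyword matches ICMP type 30), run over constructed return packets from the UDP and ICMP traceroute variants Brian shows, so you can see which replies each candidate ACL actually admits. The addresses are reused from the traces above; the packet list itself is constructed.

```python
"""Which ICMP replies does an IOS 'permit icmp any any <keyword>' ACL admit?

Added example; ICMP type/code numbers and IOS keyword mappings are standard,
the reply list below is constructed from the hops in the thread's traces.
"""
from __future__ import annotations
from dataclasses import dataclass

# IOS ICMP keyword -> (type, code); code None means "any code of that type".
IOS_ICMP_KEYWORDS = {
    "echo-reply":       (0, None),
    "unreachable":      (3, None),   # every destination-unreachable code
    "port-unreachable": (3, 3),      # only type 3 / code 3
    "time-exceeded":    (11, None),  # TTL expired in transit (or reassembly)
    "traceroute":       (30, None),  # RFC 1393 ICMP Traceroute message type
}

@dataclass(frozen=True)
class IcmpReply:
    src: str
    icmp_type: int
    icmp_code: int
    note: str

def matches(keyword: str, pkt: IcmpReply) -> bool:
    t, c = IOS_ICMP_KEYWORDS[keyword]
    return pkt.icmp_type == t and (c is None or pkt.icmp_code == c)

def permitted(acl: list[str], pkt: IcmpReply) -> bool:
    """Any permit line matches; otherwise the ACL's implicit deny applies."""
    return any(matches(kw, pkt) for kw in acl)

# Constructed replies arriving inbound on the router's Serial0/0/0.
# (tcptraceroute's last hop answers with TCP, shown as [open] above, so it
# is outside this ICMP-only model.)
REPLIES = [
    IcmpReply("204.12.34.254", 11, 0, "hop 1, UDP/ICMP/TCP traceroute"),
    IcmpReply("198.133.219.25", 3, 3, "destination, UDP traceroute"),
    IcmpReply("198.133.219.25", 0, 0, "destination, ICMP (-I) traceroute"),
    IcmpReply("204.10.14.254", 3, 1, "host-unreachable, not traceroute"),
    IcmpReply("66.209.64.41", 30, 0, "RFC 1393 traceroute message"),
]

MINIMAL = ["time-exceeded", "port-unreachable"]       # Ed's proposed answer
BROADER = MINIMAL + ["unreachable", "echo-reply"]     # Ed's "does it hurt?"

def admitted(acl: list[str]) -> list[str]:
    return [p.note for p in REPLIES if permitted(acl, p)]

if __name__ == "__main__":
    for name, acl in (("MINIMAL", MINIMAL), ("BROADER", BROADER), ("traceroute", ["traceroute"])):
        print(name, "->", admitted(acl))
```

The difference Ed asks about falls out of the table: `unreachable` admits any type 3 message (including the unrelated host-unreachable), while `port-unreachable` admits only code 3, which is the one a UDP traceroute's destination sends.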

This archive was generated by hypermail 2.1.4 : Fri Dec 01 2006 - 08:05:46 ART