Re: Security Question (Traceroute)

From: Joseph Saad (joseph.samir.saad@gmail.com)
Date: Sun Mar 16 2008 - 08:17:36 ART


Mike,
it should be "port-unreachable" rather than "host-unreachable" if you are
using the Cisco standard UDP-based traceroute.

Joseph

On Sun, Mar 16, 2008 at 12:39 PM, Mike Haddad <mike.haddad@hotmail.com>
wrote:

> Thanks, Ahsan, for the feedback; however, I have the question below:
>
> To allow traceroute from networks behind my router I allow the below
> outbound:
> icmp time-exceed
> icmp host-unreachable
>
> To allow traceroute to transit my router OR to my router I have to allow
> the below inbound:
> icmp time-exceed
> icmp host-unreachable
>
> Is that right?
>
> Thanks,
>
>
>
> Date: Sun, 16 Mar 2008 01:15:56 -0700
> From: ahsan.mohiuddin@yahoo.com
> Subject: Re: Security Question (Traceroute)
> To: mike.haddad@hotmail.com; ccielab@groupstudy.com
>
> Mike,
>
> There is no need to allow UDP inbound. If the UDP port numbers you
> mentioned are allowed outbound, Cisco traceroute will invoke 1) an icmp
> time-exceeded response from transit router(s) and, 2) an icmp
> port-unreachable response from the destination.
>
> So, even for Cisco's UDP-based implementation of traceroute, you just need
> to ensure that these two icmp type codes are allowed inbound, i.e.
> time-exceed and port-unreachable.
>
> HTH,
> Ahsan
>
> Mike Haddad <mike.haddad@hotmail.com> wrote:
>
> Hello,
>
> I know that traceroute varies depending on the platform used. Some
> platforms use ICMP and some others use UDP, as in Cisco routers. The issue
> is if I was requested to allow traceroute inbound, what should I choose,
> UDP or ICMP?
>
> ICMP ACL:
> permit icmp any any time-exceeded
> permit icmp any any port-unreachable
> The above will allow traceroute inbound and outbound.
>
> UDP ACL:
> permit udp any any range 33434 33464
> The above will allow traceroute inbound and outbound using UDP.
>
> I appreciate your clarification and please correct me if I am incorrect,
>
> Regards,
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html


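The ACL reasoning in this thread, as a small Python model: for a trace from behind the router, the UDP probes go outbound and the ICMP time-exceeded / port-unreachable replies come inbound; for a trace into or through the router the directions are reversed. This is an added example, not code from the thread or from Cisco. The `Packet` class, the ACL matcher and the three-hop exchange are constructed simplifications (a real traceroute sends several probes per hop and steps the destination port per probe); the ICMP type/code pairs are the RFC 792 values behind the IOS keywords. The model shows why permitting host-unreachable instead of port-unreachable breaks the last hop, and why UDP need not be permitted inbound for a trace that originates inside.

```python
"""Model of UDP-based (Cisco-style) traceroute against the ACLs discussed.
Constructed example; not the thread's or Cisco's own code."""
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

# ICMP (type, code) values from RFC 792, matching the IOS ACL keywords.
ICMP_TIME_EXCEEDED = (11, 0)      # "time-exceeded": sent by each transit hop
ICMP_PORT_UNREACHABLE = (3, 3)    # "port-unreachable": sent by the final host
ICMP_HOST_UNREACHABLE = (3, 1)    # "host-unreachable": NOT part of a normal trace

ICMP_KEYWORDS = {
    "time-exceeded": ICMP_TIME_EXCEEDED,
    "port-unreachable": ICMP_PORT_UNREACHABLE,
    "host-unreachable": ICMP_HOST_UNREACHABLE,
}


@dataclass(frozen=True)
class Packet:
    proto: str                              # "udp" or "icmp"
    direction: str                          # "in" or "out" relative to the edge router
    dport: int = 0                          # UDP destination port
    icmp: Optional[Tuple[int, int]] = None  # ICMP (type, code)


# An ACL entry is a predicate over a packet; an ACL is an ordered list of entries.
Entry = Callable[[Packet], bool]


def permit_udp_range(lo: int, hi: int) -> Entry:
    """Equivalent of: permit udp any any range <lo> <hi>"""
    return lambda p: p.proto == "udp" and lo <= p.dport <= hi


def permit_icmp(keyword: str) -> Entry:
    """Equivalent of: permit icmp any any <keyword>"""
    type_code = ICMP_KEYWORDS[keyword]
    return lambda p: p.proto == "icmp" and p.icmp == type_code


def acl_permits(acl: List[Entry], pkt: Packet) -> bool:
    """Cisco semantics: first matching entry wins, implicit deny at the end."""
    return any(entry(pkt) for entry in acl)


def udp_traceroute_packets(from_inside: bool, hops: int = 3) -> List[Packet]:
    """Packets the edge router sees for one probe per hop (simplified).
    Transit hops answer with time-exceeded; the destination answers the
    probe to an unused UDP port with port-unreachable."""
    probe_dir, reply_dir = ("out", "in") if from_inside else ("in", "out")
    pkts = []
    for hop in range(1, hops + 1):
        pkts.append(Packet("udp", probe_dir, dport=33434 + hop - 1))
        reply = ICMP_TIME_EXCEEDED if hop < hops else ICMP_PORT_UNREACHABLE
        pkts.append(Packet("icmp", reply_dir, icmp=reply))
    return pkts


def dropped_packets(outbound_acl: List[Entry], inbound_acl: List[Entry],
                    pkts: List[Packet]) -> List[Packet]:
    """Apply the outbound ACL to 'out' packets and the inbound ACL to 'in'
    packets; return the packets the implicit deny would drop."""
    dropped = []
    for p in pkts:
        acl = outbound_acl if p.direction == "out" else inbound_acl
        if not acl_permits(acl, p):
            dropped.append(p)
    return dropped


def trace_completes(outbound_acl: List[Entry], inbound_acl: List[Entry],
                    from_inside: bool) -> bool:
    """True if every probe and every reply of the trace gets through."""
    return not dropped_packets(outbound_acl, inbound_acl,
                               udp_traceroute_packets(from_inside))


# The ACLs from the thread, as constructed entry lists.
UDP_PROBES = [permit_udp_range(33434, 33464)]
ICMP_REPLIES_OK = [permit_icmp("time-exceeded"), permit_icmp("port-unreachable")]
ICMP_REPLIES_WRONG = [permit_icmp("time-exceeded"), permit_icmp("host-unreachable")]

if __name__ == "__main__":
    # Trace from inside: UDP outbound, ICMP replies inbound.
    print("inside, correct ICMP:", trace_completes(UDP_PROBES, ICMP_REPLIES_OK, True))
    print("inside, host-unreachable:",
          dropped_packets(UDP_PROBES, ICMP_REPLIES_WRONG, udp_traceroute_packets(True)))
    # Trace from outside into/through the router: UDP inbound, ICMP replies outbound.
    print("outside, correct ACLs:", trace_completes(ICMP_REPLIES_OK, UDP_PROBES, False))
```

With the host-unreachable entry, only the final port-unreachable reply is dropped, so the trace shows every transit hop and then times out on the destination; that is the symptom to look for when a traceroute "almost" works through a filter. For a trace originating outside, the inbound ACL must carry the UDP range and the outbound ACL the two ICMP types, which is the reverse of the inside case.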

This archive was generated by hypermail 2.1.4 : Tue Apr 01 2008 - 07:53:53 ART