RE: Security Question (Traceroute)

From: Ahsan Mohiuddin (ahsan.mohiuddin@yahoo.com)
Date: Sun Mar 16 2008 - 11:26:33 ART


For traceroute from *behind* your router, just allow

  UDP ports outbound (the range you mentioned previously)
  AND
  ICMP "port-unreach" & "time-exceed" inbound

  .. that's it!

Mike Haddad <mike.haddad@hotmail.com> wrote:
Thanks Ahsan for the feedback, however I have the below question:
To allow traceroute from networks behind my router I allow the below outbound
icmp time-exceed
icmp host-unreachable
 
To allow traceroute to transit my router OR to my router I have to allow the below inbound
icmp time-exceed
icmp host-unreachable
 
is that right?
 
Thanks,

 
    
---------------------------------
  Date: Sun, 16 Mar 2008 01:15:56 -0700
From: ahsan.mohiuddin@yahoo.com
Subject: Re: Security Question (Traceroute)
To: mike.haddad@hotmail.com; ccielab@groupstudy.com

  Mike,
   
  there is no need to allow UDP inbound. If the UDP port numbers you mentioned are allowed outbound, cisco traceroute will invoke 1) icmp time-exceeded response from transit router(s) and, 2) an icmp port-unreachable response from destination.
   
  So, even for Cisco's UDP-based implementation of traceroute, you just need to ensure that these two icmp type codes are allowed inbound i.e. time-exceed and port-unreachable.
   
  HTH,
  Ahsan

Mike Haddad <mike.haddad@hotmail.com> wrote:
  Hello,

I know that traceroute varies depending on the platform used. Some platforms
use ICMP and some others use UDP, as in Cisco routers. The issue is, if I was
requested to allow traceroute inbound, what should I choose, UDP or ICMP?
ICMP ACL:
permit icmp any any time-exceeded
permit icmp any any port-unreachable

The above will allow traceroute Inbound and outbound

UDP ACL:
permit udp any any range 33434 33464

The above will allow traceroute Inbound and outbound using UDP

I appreciate your clarification and please correct me if I am incorrect,
Regards,
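The point of Ahsan's answer is that a traceroute launched from behind the router needs UDP permitted outbound only, with the replies coming back as two ICMP types, and that the final reply is port-unreachable (type 3, code 3), not host-unreachable (type 3, code 1). The following is an added example, not from the thread or from Cisco: a small Python model of a stateless, first-match ACL with implicit deny, run over the constructed packet sequence a Cisco-style UDP traceroute produces. It shows that Ahsan's rule set lets the whole exchange through while still dropping an unsolicited inbound UDP probe, and that substituting host-unreachable silently drops the destination's reply (the last hop would show as `* * *`). The `Packet`/`Rule` types and the probe-per-hop traffic are assumptions made for the model.

```python
"""Model of the stateless ACL from Ahsan's reply, applied to a Cisco-style UDP
traceroute from a host behind the router.  Constructed example, not from the
original thread; the Packet/Rule types and traffic are assumptions."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Cisco IOS traceroute probes are UDP with destination ports starting at 33434;
# the range below is the one Mike proposed in his ACL.
UDP_TRACE_LO, UDP_TRACE_HI = 33434, 33464
ICMP_TIME_EXCEEDED = 11      # type 11, code 0: TTL expired at a transit router
ICMP_DEST_UNREACH = 3        # type 3
ICMP_CODE_HOST_UNREACH = 1   # what Mike's second ACL would permit
ICMP_CODE_PORT_UNREACH = 3   # what the destination actually sends back


@dataclass(frozen=True)
class Packet:
    direction: str                    # "out" (inside -> outside) or "in"
    proto: str                        # "udp" or "icmp"
    dport: Optional[int] = None       # UDP destination port
    icmp_type: Optional[int] = None
    icmp_code: Optional[int] = None


@dataclass(frozen=True)
class Rule:
    direction: str
    proto: str
    dport_range: Optional[Tuple[int, int]] = None  # inclusive (lo, hi) for UDP
    icmp_type: Optional[int] = None
    icmp_code: Optional[int] = None                # None = any code

    def matches(self, p: Packet) -> bool:
        if p.direction != self.direction or p.proto != self.proto:
            return False
        if self.proto == "udp":
            lo, hi = self.dport_range
            return p.dport is not None and lo <= p.dport <= hi
        if p.icmp_type != self.icmp_type:
            return False
        return self.icmp_code is None or p.icmp_code == self.icmp_code


def permitted(acl: List[Rule], p: Packet) -> bool:
    """Permit-only list with the implicit deny at the end (IOS ACL semantics)."""
    return any(r.matches(p) for r in acl)


# Ahsan's rule set: UDP out, ICMP time-exceeded and port-unreachable in.
AHSAN_ACL = [
    Rule("out", "udp", dport_range=(UDP_TRACE_LO, UDP_TRACE_HI)),
    Rule("in", "icmp", icmp_type=ICMP_TIME_EXCEEDED),
    Rule("in", "icmp", icmp_type=ICMP_DEST_UNREACH, icmp_code=ICMP_CODE_PORT_UNREACH),
]

# Mike's second proposal, with host-unreachable in place of port-unreachable.
HOST_UNREACH_ACL = [
    Rule("out", "udp", dport_range=(UDP_TRACE_LO, UDP_TRACE_HI)),
    Rule("in", "icmp", icmp_type=ICMP_TIME_EXCEEDED),
    Rule("in", "icmp", icmp_type=ICMP_DEST_UNREACH, icmp_code=ICMP_CODE_HOST_UNREACH),
]


def traceroute_exchange(hops: int) -> List[Packet]:
    """Constructed traffic for a traceroute from behind the router to a target
    `hops` hops away: one UDP probe per TTL (destination port incrementing per
    probe), each transit hop answering time-exceeded, the destination answering
    port-unreachable because nothing listens on the probed port."""
    pkts = []
    for ttl in range(1, hops + 1):
        pkts.append(Packet("out", "udp", dport=UDP_TRACE_LO + ttl - 1))
        if ttl < hops:
            pkts.append(Packet("in", "icmp", icmp_type=ICMP_TIME_EXCEEDED, icmp_code=0))
        else:
            pkts.append(Packet("in", "icmp", icmp_type=ICMP_DEST_UNREACH,
                               icmp_code=ICMP_CODE_PORT_UNREACH))
    return pkts


def blocked(acl: List[Rule], hops: int) -> List[Packet]:
    """Packets of the traceroute exchange that the ACL would drop."""
    return [p for p in traceroute_exchange(hops) if not permitted(acl, p)]


if __name__ == "__main__":
    print("Ahsan's ACL drops:", blocked(AHSAN_ACL, 5))            # []
    print("host-unreach ACL drops:", blocked(HOST_UNREACH_ACL, 5))  # the final reply
    print("unsolicited inbound UDP 33434 permitted:",
          permitted(AHSAN_ACL, Packet("in", "udp", dport=33434)))   # False
```

The model is deliberately stateless, matching what a plain IOS ACL does: it never tracks that an inbound ICMP message belongs to an earlier outbound probe, which is why the inbound ICMP permits have to be written explicitly, and why the UDP range never has to be opened inbound for this direction of traceroute.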



This archive was generated by hypermail 2.1.4 : Tue Apr 01 2008 - 07:53:53 ART