RE: Security Question (Traceroute)

From: Mike Haddad (mike.haddad@hotmail.com)
Date: Sun Mar 16 2008 - 19:37:13 ART


You're right Joseph, typo.

> Date: Sun, 16 Mar 2008 15:17:36 +0400
> From: joseph.samir.saad@gmail.com
> To: ccielab@groupstudy.com
> Subject: Re: Security Question (Traceroute)
>
> Mike,
> it should be "port-unreachable" rather than "host-unreachable", if you are
> using Cisco standard UDP-based trace route.
>
> Joseph
>
> On Sun, Mar 16, 2008 at 12:39 PM, Mike Haddad <mike.haddad@hotmail.com> wrote:
>
> > Thanks Ahsan for the feedback, however I have the below question:
> >
> > To allow traceroute from networks behind my router I allow the below
> > outbound
> > icmp time-exceed
> > icmp host-unreachable
> >
> > To allow trace-route to transit my router OR to my router I have to allow
> > the below inbound
> > icmp time-exceed
> > icmp host-unreachable
> >
> > is that right?
> >
> > Thanks,
> >
> > Date: Sun, 16 Mar 2008 01:15:56 -0700
> > From: ahsan.mohiuddin@yahoo.com
> > Subject: Re: Security Question (Traceroute)
> > To: mike.haddad@hotmail.com; ccielab@groupstudy.com
> >
> > Mike,
> >
> > there is no need to allow UDP inbound. If the UDP port numbers you
> > mentioned are allowed outbound, cisco traceroute will invoke 1) icmp
> > time-exceeded response from transit router(s) and, 2) an icmp
> > port-unreachable response from destination.
> >
> > So, even for Cisco's UDP-based implementation of traceroute, you just need
> > to ensure that these two icmp type codes are allowed inbound i.e.
> > time-exceed and port-unreachable.
> >
> > HTH,
> > Ahsan
> >
> > Mike Haddad <mike.haddad@hotmail.com> wrote:
> >
> > Hello,
> > I know that traceroute varies depending on the platform used. Some
> > platforms use ICMP and some others use UDP as in cisco routers. The issue
> > is if I was requested to allow traceroute inbound what should I choose,
> > UDP or ICMP?
> >
> > ICMP ACL:
> > permit icmp any any time-exceeded
> > permit icmp any any port-unreachable
> > The above will allow traceroute Inbound and outbound
> >
> > UDP ACL:
> > Permit udp any any range 33434 33464
> > The above will allow traceroute Inbound and outbound using UDP
> >
> > I appreciate your clarification and please correct me if I am incorrect,
> > Regards,
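The direction question raised in this thread, as an added example that is not part of any poster's message: a small Python model of a permit list with implicit deny, run against the three packet kinds of a UDP-based trace. It assumes a purely stateless filter (no stateful inspection or reflexive entries), and every name in it is hypothetical.

```python
from typing import NamedTuple, Optional

class Packet(NamedTuple):
    proto: str                    # "udp" or "icmp"
    dport: Optional[int] = None   # UDP destination port
    icmp: Optional[str] = None    # ICMP message name, e.g. "time-exceeded"

class Rule(NamedTuple):           # one "permit" entry; anything unmatched is denied
    proto: str
    ports: Optional[range] = None
    icmp: Optional[str] = None

def permits(acl, pkt):
    """First-match permit list with an implicit deny at the end."""
    for rule in acl:
        if rule.proto != pkt.proto:
            continue
        if pkt.proto == "udp" and rule.ports is not None and pkt.dport in rule.ports:
            return True
        if pkt.proto == "icmp" and rule.icmp == pkt.icmp:
            return True
    return False

# Constructed packets for one UDP-based trace.
PROBE = Packet("udp", dport=33434)
TRANSIT_REPLY = Packet("icmp", icmp="time-exceeded")
DEST_REPLY = Packet("icmp", icmp="port-unreachable")

def trace_result(probe_acl, reply_acl):
    """probe_acl filters the direction the probes travel, reply_acl the way back."""
    if not permits(probe_acl, PROBE):
        return "probes blocked"
    hops = permits(reply_acl, TRANSIT_REPLY)
    dest = permits(reply_acl, DEST_REPLY)
    if hops and dest:
        return "complete"
    if hops:
        return "hops listed, destination times out"
    if dest:
        return "only the destination answers"
    return "no replies"

UDP_PROBES = [Rule("udp", ports=range(33434, 33465))]   # 33434-33464 inclusive
ICMP_REPLIES = [Rule("icmp", icmp="time-exceeded"),
                Rule("icmp", icmp="port-unreachable")]
ICMP_TYPO = [Rule("icmp", icmp="time-exceeded"),
             Rule("icmp", icmp="host-unreachable")]

if __name__ == "__main__":
    print(trace_result(UDP_PROBES, ICMP_REPLIES))
    print(trace_result(UDP_PROBES, ICMP_TYPO))
    print(trace_result(ICMP_REPLIES, ICMP_REPLIES))
```

For a trace started from inside, `probe_acl` is the outbound list and `reply_acl` the inbound one; for a trace started from outside the two roles swap.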



This archive was generated by hypermail 2.1.4 : Tue Apr 01 2008 - 07:53:53 ART