From: David Prall (dcp@dcptech.com)
Date: Fri Oct 17 2008 - 18:32:06 ART
Yes, by changing the port you bypass the ACL. Is the average user going to
change the port? Using the ttl-exceeded message will still allow the traffic
to exit your network, you just won't accept it in return. What does that do
when you're doing things other than traceroute?
David
--
http://dcp.dcptech.com

> -----Original Message-----
> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
> Victor Cappuccio
> Sent: Friday, October 17, 2008 5:00 PM
> To: David Prall
> Cc: ccie820@gmail.com; ccielab@groupstudy.com
> Subject: Re: Access list question
>
> Hi David,
>
> I am able to still execute a traceroute to the destination with that
> access-list
>
> R3 -- R1 -- R2
>
> R3#traceroute
> Protocol [ip]:
> Target IP address: 2.2.2.2
> Source address:
> Numeric display [n]:
> Timeout in seconds [3]:
> Probe count [3]:
> Minimum Time to Live [1]:
> Maximum Time to Live [30]:
> Port Number [33434]: 33465
> Loose, Strict, Record, Timestamp, Verbose[none]:
> Type escape sequence to abort.
> Tracing the route to 2.2.2.2
>
>   1 10.1.13.1 4 msec 0 msec 4 msec
>   2 10.1.12.2 4 msec * 4 msec
> R3#
>
> on R1
>
> R1(config-if)#do show ip access-list 100
> Extended IP access list 100
>     10 deny udp any any range 33434 33464 (3 matches)
>     20 permit ip any any (118 matches)
> R1(config-if)#
>
> interface FastEthernet0/1
>  ip address 10.1.13.1 255.255.255.0
>  ip access-group 100 in
>  no ip route-cache cef
>  no ip route-cache
>  ip ospf network point-to-point
>  ip ospf hello-interval 1
>  duplex auto
>  speed auto
>  ipv6 address 2001:13::1/64
>  ipv6 ospf network point-to-point
>  ipv6 ospf hello-interval 1
>  ipv6 ospf 1 area 0
> end
>
> I think that a possible solution for this is
>
> R1(config)#access-list 102 deny icmp any 2.2.2.2 0.0.0.0 ttl-exceeded
> R1(config)#access-list 102 permit ip any any
> R1(config)#int f0/1
> R1(config-if)#ip access-gr 102 out
> R1(config-if)#
> IP: s=10.1.13.3 (FastEthernet0/1), d=2.2.2.2, len 28, access denied
> UDP src=49215, dst=33434
> ICMP: dst (2.2.2.2) administratively prohibited unreachable sent to
> 10.1.13.3
> IP: s=10.1.13.3 (FastEthernet0/1), d=2.2.2.2, len 28, access denied
> UDP src=49216, dst=33435
> R1(config-if)#
> IP: s=10.1.13.3 (FastEthernet0/1), d=2.2.2.2, len 28, access denied
> UDP src=49217, dst=33436
> ICMP: dst (2.2.2.2) administratively prohibited unreachable sent to
> 10.1.13.3
> R1(config-if)#int f0/1
> R1(config-if)#no ip unre
> R1(config-if)#
> IP: s=10.1.13.3 (FastEthernet0/1), d=2.2.2.2, len 28, access denied
> UDP src=49223, dst=33434
> R1(config-if)#
> IP: s=10.1.13.3 (FastEthernet0/1), d=2.2.2.2, len 28, access denied
> UDP src=49224, dst=33435
> R1(config-if)#
> IP: s=10.1.13.3 (FastEthernet0/1), d=2.2.2.2, len 28, access denied
> UDP src=49225, dst=33436
> R1(config-if)#
> IP: s=10.1.13.3 (FastEthernet0/1), d=2.2.2.2, len 28, access denied
> UDP src=49226, dst=33437
> R1(config-if)#
>
> R3#traceroute 2.2.2.2
>
> Type escape sequence to abort.
> Tracing the route to 2.2.2.2
>
>   1  *  *  *
>   2
> R3#ping 2.2.2.2
>
> Type escape sequence to abort.
> Sending 5, 100-byte ICMP Echos to 2.2.2.2, timeout is 2 seconds:
> !!!!!
> Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/4 ms
> R3#
>
> On Fri, Oct 17, 2008 at 10:26 PM, David Prall <dcp@dcptech.com> wrote:
>
> > What kind of traceroute, different implementations work in different ways.
> > Typical unix/cisco traceroute sends a packet to the destination using
> > udp/33434 and then increments them by one for each hop. So you could block
> > everything destined to these ports.
> >
> > access-list 100 deny udp any any range 33434 33464
> > access-list 100 permit ip any any
> >
> > --
> > http://dcp.dcptech.com
> >
> > > -----Original Message-----
> > > From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
> > > ccie820@gmail.com
> > > Sent: Friday, October 17, 2008 3:55 PM
> > > To: ccielab@groupstudy.com
> > > Subject: Access list question
> > >
> > > All,
> > >
> > > Is there a way to block traceroutes and allow pings?
> > > Your help will be very much appreciated.
> > >
> > > GG
> > >
> > > Blogs and organic groups at http://www.ccie.net
> > >
> > > _______________________________________________________________________
> > > Subscription information may be found at:
> > > http://www.groupstudy.com/list/CCIELab.html
>
> --
> Victor Cappuccio
> CCIE R/S# 20657
> CCSI# 30452
> www.anetworkerblog.com
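The thread turns on two facts about the port-range ACL: it matches only the default UDP probe ports, and a user-selected port (33465 in Victor's run) falls outside the range. The following Python model is an added example, not code from the thread or from any of the posters. It evaluates IOS-style extended ACL entries (first match wins, implicit deny at the end) against constructed packets, using ACL 100 and the addresses from the thread (R3 at 10.1.13.3, target 2.2.2.2). One assumption is labelled in the code: the UDP traceroute sends three probes per TTL and increments the destination port by one per probe starting at the base port, so a full 30-hop run consumes 90 consecutive ports. Under that assumption the example shows how many probes a 31-port deny range actually catches and at which hop the default-port run starts getting through, as well as the complete bypass when the base port is moved to 33465.

```python
"""Evaluate IOS-style extended ACL entries against constructed packets.

Added example for the traceroute-vs-ping discussion; not code from the list
or from any poster. Addresses and ACL 100 come from the thread. Assumption
(not from the thread): a UDP traceroute increments the destination port by
one per probe, starting at the configured base port.
"""
from dataclasses import dataclass
from typing import Iterator, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str                       # "udp", "tcp" or "icmp"
    src: str                         # source IPv4 address (constructed)
    dst: str                         # destination IPv4 address (constructed)
    dport: Optional[int] = None      # UDP/TCP destination port, if any
    icmp_type: Optional[str] = None  # e.g. "echo" or "ttl-exceeded", if ICMP


@dataclass(frozen=True)
class Ace:
    """One access-control entry; a None field means 'any'."""
    action: str                                   # "permit" or "deny"
    proto: str                                    # "ip" matches every protocol
    dst: Optional[str] = None                     # host match only, for brevity
    port_range: Optional[Tuple[int, int]] = None  # inclusive (lo, hi)
    icmp_type: Optional[str] = None

    def matches(self, p: Packet) -> bool:
        if self.proto != "ip" and self.proto != p.proto:
            return False
        if self.dst is not None and self.dst != p.dst:
            return False
        if self.port_range is not None:
            lo, hi = self.port_range
            if p.dport is None or not (lo <= p.dport <= hi):
                return False
        if self.icmp_type is not None and self.icmp_type != p.icmp_type:
            return False
        return True


def evaluate(acl: List[Ace], p: Packet) -> str:
    """First matching entry wins; an empty or exhausted ACL is the implicit deny."""
    for ace in acl:
        if ace.matches(p):
            return ace.action
    return "deny"


# ACL 100 from the thread: deny the default traceroute port range, permit the rest.
ACL_100 = [
    Ace("deny", "udp", port_range=(33434, 33464)),
    Ace("permit", "ip"),
]

TRACEROUTE_SRC = "10.1.13.3"  # R3 in the thread's R3 -- R1 -- R2 topology
TARGET = "2.2.2.2"


def traceroute_probes(base_port: int = 33434, max_ttl: int = 30,
                      probes_per_hop: int = 3) -> Iterator[Tuple[int, Packet]]:
    """Yield (ttl, probe) for one UDP traceroute run.

    Assumption: one destination port per probe, incremented by one, so a
    30-hop run with 3 probes per hop uses base_port .. base_port + 89.
    """
    port = base_port
    for ttl in range(1, max_ttl + 1):
        for _ in range(probes_per_hop):
            yield ttl, Packet("udp", TRACEROUTE_SRC, TARGET, dport=port)
            port += 1


def permitted_probes(acl: List[Ace], base_port: int = 33434,
                     max_ttl: int = 30, probes_per_hop: int = 3) -> int:
    """Number of probes in one traceroute run that the ACL lets through."""
    return sum(1 for _, p in traceroute_probes(base_port, max_ttl, probes_per_hop)
               if evaluate(acl, p) == "permit")


def first_uncovered_hop(acl: List[Ace], base_port: int = 33434,
                        max_ttl: int = 30, probes_per_hop: int = 3) -> Optional[int]:
    """Lowest TTL with at least one permitted probe, or None if every probe is denied."""
    for ttl, p in traceroute_probes(base_port, max_ttl, probes_per_hop):
        if evaluate(acl, p) == "permit":
            return ttl
    return None


if __name__ == "__main__":
    ping = Packet("icmp", TRACEROUTE_SRC, TARGET, icmp_type="echo")
    print("ping:", evaluate(ACL_100, ping))                              # permit
    print("default-port probes permitted:", permitted_probes(ACL_100))   # 59 of 90
    print("first hop that gets through:", first_uncovered_hop(ACL_100))  # 11
    print("port-33465 probes permitted:", permitted_probes(ACL_100, 33465))  # 90 of 90
```

Two things fall out of running it. The 31-port range in ACL 100 covers only the first ten hops of a default-port run under the per-probe increment assumption, so even an unmodified traceroute starts getting through at hop 11 if the path is that long; and a run started at port 33465 is never touched by the deny entry at all, which is exactly what Victor's R3 output shows. Any filter keyed on the probe port is therefore a convention check, not a control on the traceroute technique itself.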
Blogs and organic groups at http://www.ccie.net
This archive was generated by hypermail 2.1.4 : Sat Nov 01 2008 - 15:35:21 ARST