RE: Access list question

From: David Clark (dclark@ccbootcamp.com)
Date: Fri Oct 17 2008 - 18:32:01 ART


Hi Victor,

Try,

access-list 110 deny icmp any any ttl-exceeded log
access-list 110 deny icmp any any port-unreachable log
access-list 110 permit icmp any any echo log
access-list 110 permit icmp any any echo-reply log

________________________________

From: nobody@groupstudy.com on behalf of Victor Cappuccio
Sent: Fri 10/17/2008 2:00 PM
To: David Prall
Cc: ccie820@gmail.com; ccielab@groupstudy.com
Subject: Re: Access list question

Hi David,

I am still able to execute a traceroute to the destination with that
access-list

R3 -- R1 -- R2

R3#traceroute
Protocol [ip]:
Target IP address: 2.2.2.2
Source address:
Numeric display [n]:
Timeout in seconds [3]:
Probe count [3]:
Minimum Time to Live [1]:
Maximum Time to Live [30]:
Port Number [33434]: 33465
Loose, Strict, Record, Timestamp, Verbose[none]:
Type escape sequence to abort.
Tracing the route to 2.2.2.2

  1 10.1.13.1 4 msec 0 msec 4 msec
  2 10.1.12.2 4 msec * 4 msec
R3#

on R1

R1(config-if)#do show ip access-list 100
Extended IP access list 100
    10 deny udp any any range 33434 33464 (3 matches)
    20 permit ip any any (118 matches)
R1(config-if)#

interface FastEthernet0/1
 ip address 10.1.13.1 255.255.255.0
 ip access-group 100 in
 no ip route-cache cef
 no ip route-cache
 ip ospf network point-to-point
 ip ospf hello-interval 1
 duplex auto
 speed auto
 ipv6 address 2001:13::1/64
 ipv6 ospf network point-to-point
 ipv6 ospf hello-interval 1
 ipv6 ospf 1 area 0
end

I think that a possible solution for this is

R1(config)#access-list 102 deny icmp any 2.2.2.2 0.0.0.0 ttl-exceeded
R1(config)#access-list 102 permit ip any any
R1(config)#int f0/1
R1(config-if)#ip access-gr 102 out
R1(config-if)#
IP: s=10.1.13.3 (FastEthernet0/1), d=2.2.2.2, len 28, access denied
    UDP src=49215, dst=33434
ICMP: dst (2.2.2.2) administratively prohibited unreachable sent to
10.1.13.3
IP: s=10.1.13.3 (FastEthernet0/1), d=2.2.2.2, len 28, access denied
    UDP src=49216, dst=33435
R1(config-if)#
IP: s=10.1.13.3 (FastEthernet0/1), d=2.2.2.2, len 28, access denied
    UDP src=49217, dst=33436
ICMP: dst (2.2.2.2) administratively prohibited unreachable sent to
10.1.13.3
R1(config-if)#int f0/1
R1(config-if)#no ip unre
R1(config-if)#
IP: s=10.1.13.3 (FastEthernet0/1), d=2.2.2.2, len 28, access denied
    UDP src=49223, dst=33434
R1(config-if)#
IP: s=10.1.13.3 (FastEthernet0/1), d=2.2.2.2, len 28, access denied
    UDP src=49224, dst=33435
R1(config-if)#
IP: s=10.1.13.3 (FastEthernet0/1), d=2.2.2.2, len 28, access denied
    UDP src=49225, dst=33436
R1(config-if)#
IP: s=10.1.13.3 (FastEthernet0/1), d=2.2.2.2, len 28, access denied
    UDP src=49226, dst=33437
R1(config-if)#

R3#traceroute 2.2.2.2

Type escape sequence to abort.
Tracing the route to 2.2.2.2

  1 * * *
  2
R3#ping 2.2.2.2

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2.2.2.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/4 ms
R3#

On Fri, Oct 17, 2008 at 10:26 PM, David Prall <dcp@dcptech.com> wrote:

> What kind of traceroute, different implementations work in different ways.
> Typical unix/cisco traceroute sends a packet to the destination using
> udp/33434 and then increments them by one for each hop. So you could block
> everything destined to these ports.
>
> access-list 100 deny udp any any range 33434 33464
> access-list 100 permit ip any any
>
> --
> http://dcp.dcptech.com <http://dcp.dcptech.com/>
>
> > -----Original Message-----
> > From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
> > ccie820@gmail.com
> > Sent: Friday, October 17, 2008 3:55 PM
> > To: ccielab@groupstudy.com
> > Subject: Access list question
> >
> > All,
> >
> > Is there a way to block traceroutes and allow pings?
> > Your help will be very much appreciated.
> >
> > GG
> >
> >
> > Blogs and organic groups at http://www.ccie.net <http://www.ccie.net/>
> >
> > _______________________________________________________________________
> > Subscription information may be found at:
> > http://www.groupstudy.com/list/CCIELab.html
>
>

--
Victor Cappuccio
CCIE R/S# 20657
CCSI# 30452
www.anetworkerblog.com
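Added example, not from the thread or from any of its authors: a small Python model of IOS extended-ACL matching (wildcard masks, first match wins, implicit deny, `range` and ICMP-type qualifiers), with ACL 100 and ACL 110 from the thread embedded so that constructed packets mirroring the lab (a UDP traceroute probe from R3 to 2.2.2.2, and the ICMP replies coming back) can be checked against each list.

```python
from ipaddress import ip_address
# Added example; the ACL text is from the thread, the packets are constructed.
ACL_100 = ["access-list 100 deny udp any any range 33434 33464",
           "access-list 100 permit ip any any"]
ACL_110 = ["access-list 110 deny icmp any any ttl-exceeded log",
           "access-list 110 deny icmp any any port-unreachable log",
           "access-list 110 permit icmp any any echo log",
           "access-list 110 permit icmp any any echo-reply log"]

def _addr_spec(tok):
    """Consume one address: 'any', 'host A', or 'A WILDCARD'."""
    if tok[0] == "any":
        return None, tok[1:]
    if tok[0] == "host":
        return (tok[1], "0.0.0.0"), tok[2:]
    return (tok[0], tok[1]), tok[2:]

def _addr_match(spec, addr):
    """Wildcard-mask compare: bits set in the mask are don't-care."""
    if spec is None:
        return True
    net, wild = (int(ip_address(x)) for x in spec)
    return (int(ip_address(addr)) | wild) == (net | wild)

def parse_acl(lines):
    """'access-list N action proto src dst [range lo hi | icmp-type] [log]'."""
    entries = []
    for line in lines:
        tok = [t for t in line.split() if t != "log"]  # log never affects matching
        src, rest = _addr_spec(tok[4:])
        dst, qual = _addr_spec(rest)
        entries.append((tok[2], tok[3], src, dst, qual))
    return entries

def _qual_match(proto, qual, pkt):
    if not qual:                     # no port/type qualifier: any packet of that proto
        return True
    if proto == "udp" and qual[0] == "range":
        return int(qual[1]) <= pkt["dport"] <= int(qual[2])
    return proto == "icmp" and pkt.get("icmp_type") == qual[0]

def evaluate(acl_lines, pkt):
    """First matching entry wins; the list ends with an implicit deny."""
    for action, proto, src, dst, qual in parse_acl(acl_lines):
        if proto in ("ip", pkt["proto"]) and _addr_match(src, pkt["src"]) \
                and _addr_match(dst, pkt["dst"]) and _qual_match(proto, qual, pkt):
            return action
    return "deny"
```

Run against the lab's packets, ACL 100 denies a probe to 33434 but permits one to 33465 (the port Victor typed at the traceroute prompt), while ACL 110 denies the ttl-exceeded and port-unreachable replies and permits echo/echo-reply. Note the implicit deny at the end of ACL 110 as posted: with no `permit ip any any`, applying it alone would drop every non-ICMP packet too.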


This archive was generated by hypermail 2.1.4 : Sat Nov 01 2008 - 15:35:21 ARST