Re: Access list question

From: Victor Cappuccio (vcappuccio@gmail.com)
Date: Fri Oct 17 2008 - 18:40:52 ART


Oops, I forgot: R1(config-ext-nacl)#15 deny icmp any host 2.2.2.2 port-unreachable

David, BTW your access-list 110 would permit the icmp 0 0 traffic, but it
would deny all the rest of the traffic, watch out there, you can lose
points on that one ;)

On Fri, Oct 17, 2008 at 11:32 PM, David Clark <dclark@ccbootcamp.com> wrote:

> Hi Victor,
>
> Try,
>
> access-list 110 deny icmp any any ttl-exceeded log
> access-list 110 deny icmp any any port-unreachable log
> access-list 110 permit icmp any any echo log
> access-list 110 permit icmp any any echo-reply log
>
>
> ________________________________
>
> From: nobody@groupstudy.com on behalf of Victor Cappuccio
> Sent: Fri 10/17/2008 2:00 PM
> To: David Prall
> Cc: ccie820@gmail.com; ccielab@groupstudy.com
> Subject: Re: Access list question
>
>
>
> Hi David,
>
> I am able to still execute a traceroute to the destination with that
> access-list
>
> R3 -- R1 -- R2
>
>
> R3#traceroute
> Protocol [ip]:
> Target IP address: 2.2.2.2
> Source address:
> Numeric display [n]:
> Timeout in seconds [3]:
> Probe count [3]:
> Minimum Time to Live [1]:
> Maximum Time to Live [30]:
> Port Number [33434]: 33465
> Loose, Strict, Record, Timestamp, Verbose[none]:
> Type escape sequence to abort.
> Tracing the route to 2.2.2.2
>
> 1 10.1.13.1 4 msec 0 msec 4 msec
> 2 10.1.12.2 4 msec * 4 msec
> R3#
>
> on R1
>
> R1(config-if)#do show ip access-list 100
> Extended IP access list 100
> 10 deny udp any any range 33434 33464 (3 matches)
> 20 permit ip any any (118 matches)
> R1(config-if)#
>
> interface FastEthernet0/1
> ip address 10.1.13.1 255.255.255.0
> ip access-group 100 in
> no ip route-cache cef
> no ip route-cache
> ip ospf network point-to-point
> ip ospf hello-interval 1
> duplex auto
> speed auto
> ipv6 address 2001:13::1/64
> ipv6 ospf network point-to-point
> ipv6 ospf hello-interval 1
> ipv6 ospf 1 area 0
> end
>
> I think that a possible solution for this is
>
> R1(config)#access-list 102 deny icmp any 2.2.2.2 0.0.0.0 ttl-exceeded
> R1(config)#access-list 102 permit ip any any
> R1(config)#int f0/1
> R1(config-if)#ip access-gr 102 out
> R1(config-if)#
> IP: s=10.1.13.3 (FastEthernet0/1), d=2.2.2.2, len 28, access denied
> UDP src=49215, dst=33434
> ICMP: dst (2.2.2.2) administratively prohibited unreachable sent to
> 10.1.13.3
> IP: s=10.1.13.3 (FastEthernet0/1), d=2.2.2.2, len 28, access denied
> UDP src=49216, dst=33435
> R1(config-if)#
> IP: s=10.1.13.3 (FastEthernet0/1), d=2.2.2.2, len 28, access denied
> UDP src=49217, dst=33436
> ICMP: dst (2.2.2.2) administratively prohibited unreachable sent to
> 10.1.13.3
> R1(config-if)#int f0/1
> R1(config-if)#no ip unre
> R1(config-if)#
> IP: s=10.1.13.3 (FastEthernet0/1), d=2.2.2.2, len 28, access denied
> UDP src=49223, dst=33434
> R1(config-if)#
> IP: s=10.1.13.3 (FastEthernet0/1), d=2.2.2.2, len 28, access denied
> UDP src=49224, dst=33435
> R1(config-if)#
> IP: s=10.1.13.3 (FastEthernet0/1), d=2.2.2.2, len 28, access denied
> UDP src=49225, dst=33436
> R1(config-if)#
> IP: s=10.1.13.3 (FastEthernet0/1), d=2.2.2.2, len 28, access denied
> UDP src=49226, dst=33437
> R1(config-if)#
>
>
> R3#traceroute 2.2.2.2
>
> Type escape sequence to abort.
> Tracing the route to 2.2.2.2
>
> 1 * * *
> 2
> R3#ping 2.2.2.2
>
> Type escape sequence to abort.
> Sending 5, 100-byte ICMP Echos to 2.2.2.2, timeout is 2 seconds:
> !!!!!
> Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/4 ms
> R3#
>
> On Fri, Oct 17, 2008 at 10:26 PM, David Prall <dcp@dcptech.com> wrote:
>
> > What kind of traceroute? Different implementations work in different
> > ways. Typical unix/cisco traceroute sends a packet to the destination using
> > udp/33434 and then increments them by one for each hop. So you could block
> > everything destined to these ports.
> >
> > access-list 100 deny udp any any range 33434 33464
> > access-list 100 permit ip any any
> >
> > --
> > http://dcp.dcptech.com
> >
> > > -----Original Message-----
> > > From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
> > > ccie820@gmail.com
> > > Sent: Friday, October 17, 2008 3:55 PM
> > > To: ccielab@groupstudy.com
> > > Subject: Access list question
> > >
> > > All,
> > >
> > > Is there a way to block traceroutes and allow pings?
> > > Your help will be very much appreciated.
> > >
> > > GG
> > >
> > >
> > > Blogs and organic groups at http://www.ccie.net
> > >
> > > _______________________________________________________________________
> > > Subscription information may be found at:
> > > http://www.groupstudy.com/list/CCIELab.html
> >
> >
>
>
> --
> Victor Cappuccio
> CCIE R/S# 20657
> CCSI# 30452
> www.anetworkerblog.com
>
>

-- 
Victor Cappuccio
CCIE R/S# 20657
CCSI# 30452
www.anetworkerblog.com
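To make the difference between the three access lists in this thread concrete, here is a small Python model of IOS-style extended ACL evaluation: entries are tried in order, the first match decides, and anything that matches no entry hits the implicit deny at the end. This is an added illustration and not code posted by anyone in the thread. The Packet and Ace classes, the sample packets, and the use of protocol and ICMP-type keywords are my own simplification; source and destination are treated as "any" because every entry under discussion uses "any any" or a single host.

```python
"""
Model of Cisco-style extended ACL evaluation (first match wins, implicit
deny at the end), applied to the access lists from the thread.
Added example, not part of the original posts; packet fields, ACE format
and sample traffic are all constructed here.
"""
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class Packet:
    """Constructed packet summary: only the fields these ACLs look at."""
    name: str
    proto: str                         # "icmp", "udp", "tcp", "ospf", ...
    dst_port: Optional[int] = None     # UDP/TCP destination port
    icmp_type: Optional[str] = None    # ICMP message keyword as IOS names it


@dataclass(frozen=True)
class Ace:
    """One access-list entry (source/destination are 'any' throughout)."""
    action: str                                   # "permit" or "deny"
    proto: str                                    # "ip" matches every protocol
    port_range: Optional[Tuple[int, int]] = None  # inclusive dst-port range
    icmp_type: Optional[str] = None               # None = any ICMP message

    def matches(self, pkt: Packet) -> bool:
        if self.proto != "ip" and self.proto != pkt.proto:
            return False
        if self.port_range is not None:
            if pkt.dst_port is None:
                return False
            lo, hi = self.port_range
            if not lo <= pkt.dst_port <= hi:
                return False
        if self.icmp_type is not None and pkt.icmp_type != self.icmp_type:
            return False
        return True


def evaluate(acl, pkt: Packet) -> str:
    """First matching entry decides; no match falls to the implicit deny."""
    for ace in acl:
        if ace.matches(pkt):
            return ace.action
    return "deny"


# access-list 100 from David Prall's reply: block the classic UDP probe ports.
ACL_100 = [
    Ace("deny", "udp", port_range=(33434, 33464)),
    Ace("permit", "ip"),
]

# access-list 110 from David Clark's reply, as posted (no permit ip any any).
ACL_110 = [
    Ace("deny", "icmp", icmp_type="ttl-exceeded"),
    Ace("deny", "icmp", icmp_type="port-unreachable"),
    Ace("permit", "icmp", icmp_type="echo"),
    Ace("permit", "icmp", icmp_type="echo-reply"),
]

# The same list with the explicit permit that Victor says it is missing.
ACL_110_FIXED = ACL_110 + [Ace("permit", "ip")]

# Constructed sample traffic (names are labels for the output only).
PACKETS = [
    Packet("traceroute probe, default port", "udp", dst_port=33434),
    Packet("traceroute probe, port 33465", "udp", dst_port=33465),
    Packet("ping request", "icmp", icmp_type="echo"),
    Packet("ping reply", "icmp", icmp_type="echo-reply"),
    Packet("traceroute hop reply", "icmp", icmp_type="ttl-exceeded"),
    Packet("traceroute final reply", "icmp", icmp_type="port-unreachable"),
    Packet("OSPF hello", "ospf"),
    Packet("SSH session", "tcp", dst_port=22),
]


def decisions(acl) -> dict:
    """Map each sample packet's name to the ACL's verdict."""
    return {p.name: evaluate(acl, p) for p in PACKETS}


def collateral(acl) -> list:
    """Names of packets that are neither ICMP nor UDP yet get denied:
    the side effects of an ACL written only with traceroute in mind."""
    return [p.name for p in PACKETS
            if p.proto not in ("icmp", "udp") and evaluate(acl, p) == "deny"]


if __name__ == "__main__":
    for label, acl in (("ACL 100", ACL_100), ("ACL 110", ACL_110),
                       ("ACL 110 + permit ip any any", ACL_110_FIXED)):
        print(label)
        for name, verdict in decisions(acl).items():
            print(f"  {verdict:6} {name}")
        print("  collateral denies:", collateral(acl) or "none")
```

Running it prints each list's verdict for every sample packet. ACL 100 stops the default probe but passes a probe aimed at port 33465, which is exactly the traceroute Victor ran through it. ACL 110 as posted permits the echo and echo-reply packets and denies the ttl-exceeded and port-unreachable replies that traceroute depends on, but its implicit deny also drops the OSPF hello and the SSH session, which is the point Victor raises. Appending permit ip any any removes that side effect while still denying the two ICMP reply types.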




This archive was generated by hypermail 2.1.4 : Sat Nov 01 2008 - 15:35:21 ARST