From: Victor Cappuccio (vcappuccio@gmail.com)
Date: Fri Oct 17 2008 - 18:56:00 ART
David,
Since the traceroute application can see the TTL Exceeded, it cannot
increment the TTL value.
Traceroute actually uses the TTL Exceeded message to track the path through
the network from source to destination. Traceroute sets the TTL on its
first set of packets to 1 and waits for the TTL Exceeded response, which
returns with the sender's IP address (this is how both the round-trip time to
that device and its IP address are acquired).
R3(config)#access-list 101 permit ip any host 2.2.2.2
R3(config)#^Z
R3#
R3#deb ip pac de 101
IP packet debugging is on (detailed) for access list 101
R3#traceroute
Protocol [ip]:
Target IP address: 2.2.2.2
Source address:
Numeric display [n]:
Timeout in seconds [3]:
Probe count [3]:
Minimum Time to Live [1]:
Maximum Time to Live [30]:
Port Number [33434]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Type escape sequence to abort.
Tracing the route to 2.2.2.2
R3#traceroute 2.2.2.2
Type escape sequence to abort.
Tracing the route to 2.2.2.2
1
IP: tableid=0, s=10.1.13.3 (local), d=2.2.2.2 (FastEthernet0/1), routed via
FIB
IP: s=10.1.13.3 (local), d=2.2.2.2 (FastEthernet0/1), len 28, sending
UDP src=49262, dst=33434 *
IP: tableid=0, s=10.1.13.3 (local), d=2.2.2.2 (FastEthernet0/1), routed via
FIB
IP: s=10.1.13.3 (local), d=2.2.2.2 (FastEthernet0/1), len 28, sending
UDP src=49263, dst=33435 *
IP: tableid=0, s=10.1.13.3 (local), d=2.2.2.2 (FastEthernet0/1), routed via
FIB
IP: s=10.1.13.3 (local), d=2.2.2.2 (FastEthernet0/1), len 28, sending
UDP src=49264, dst=33436 *
2
IP: tableid=0, s=10.1.13.3 (local), d=2.2.2.2 (FastEthernet0/1), routed via
FIB
IP: s=10.1.13.3 (local), d=2.2.2.2 (FastEthernet0/1), len 28, sending
UDP src=49265, dst=33437 *
CCIE_6#2
[Resuming connection 2 to 1.1.1.1 ... ]
R2(config)#
IP packet debugging is on (detailed)
R2(config)#
IP: s=10.1.12.1 (FastEthernet0/0), d=224.0.0.5, len 80, rcvd 0, proto=89
IP: s=10.1.12.2 (local), d=224.0.0.5 (FastEthernet0/0), len 80, sending
broad/multicast, proto=89
R2(config)#
IP: s=10.1.12.1 (FastEthernet0/0), d=224.0.0.5, len 80, rcvd 0, proto=89
IP: s=10.1.12.2 (local), d=224.0.0.5 (FastEthernet0/0), len 80, sending
broad/multicast, proto=89
R2(config)#
while R1 always showed the following
R1(config)#
IP: s=10.1.13.3 (FastEthernet0/1), d=2.2.2.2, len 28, access denied
UDP src=49280, dst=33452
R1(config)#
IP: s=10.1.13.3 (FastEthernet0/1), d=2.2.2.2, len 28, access denied
UDP src=49281, dst=33453
R1(config)#
IP: s=10.1.13.3 (FastEthernet0/1), d=2.2.2.2, len 28, access denied
UDP src=49282, dst=33454
R1(config)#
IP: s=10.1.13.3 (FastEthernet0/1), d=2.2.2.2, len 28, access denied
UDP src=49283, dst=33455
R1(config)#
IP: s=10.1.13.3 (FastEthernet0/1), d=2.2.2.2, len 28, access denied
UDP src=49284, dst=33456
R1(config)#
IP: s=10.1.13.3 (FastEthernet0/1), d=2.2.2.2, len 28, access denied
UDP src=49285, dst=33457
R1(config)#
IP: s=10.1.13.3 (FastEthernet0/1), d=2.2.2.2, len 28, access denied
UDP src=49286, dst=33458
R1(config)#
IP: s=10.1.13.3 (FastEthernet0/1), d=2.2.2.2, len 28, access denied
UDP src=49287, dst=33459
R1(config)#
IP: s=10.1.13.3 (FastEthernet0/1), d=2.2.2.2, len 28, access denied
UDP src=49288, dst=33460
R1(config)#
IP: s=10.1.13.3 (FastEthernet0/1), d=2.2.2.2, len 28, access denied
UDP src=49289, dst=33461
R1(config)#
IP: s=10.1.13.3 (FastEthernet0/1), d=2.2.2.2, len 28, access denied
UDP src=49290, dst=33462
R1(config)#
IP: s=10.1.13.3 (FastEthernet0/1), d=2.2.2.2, len 28, access denied
UDP src=49291, dst=33463
R1(config)#
IP: s=10.1.13.3 (FastEthernet0/1), d=2.2.2.2, len 28, access denied
UDP src=49292, dst=33464
R1(config)#
IP: tableid=0, s=10.1.13.3 (FastEthernet0/1), d=2.2.2.2 (FastEthernet0/0),
routed via FIB
IP: s=10.1.13.3 (FastEthernet0/1), d=2.2.2.2 (FastEthernet0/0), g=10.1.12.2,
len 28, forward
UDP src=49293, dst=33465
IP: tableid=0, s=10.1.13.3 (FastEthernet0/1), d=2.2.2.2 (FastEthernet0/0),
routed via FIB
IP: s=10.1.13.3 (FastEthernet0/1), d=2.2.2.2 (FastEthernet0/0), g=10.1.12.2,
len 28, forward
UDP src=49294, dst=33466
R1(config)#!
with this acl configured
access-list 102 deny icmp any host 2.2.2.2 ttl-exceeded
access-list 102 deny icmp any host 2.2.2.2 port-unreachable
access-list 102 permit ip any any
Yes, we can use log at the end to get information, but better yet, since
this is a broadcast interface, use log-input.
It is good to be safe from non-regular users also :)
thanks,
On Fri, Oct 17, 2008 at 11:32 PM, David Prall <dcp@dcptech.com> wrote:
> Yes, by changing the port you bypass the ACL. Is the average user going to
> change the port? Using the ttl-exceeded message will still allow the traffic
> to exit your network, you just won't accept it in return. What does that do
> when you're doing things other than traceroute?
>
> David
>
> --
> http://dcp.dcptech.com
>
>
> > -----Original Message-----
> > From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
> > Victor Cappuccio
> > Sent: Friday, October 17, 2008 5:00 PM
> > To: David Prall
> > Cc: ccie820@gmail.com; ccielab@groupstudy.com
> > Subject: Re: Access list question
> >
> > Hi David,
> >
> > I am able to still execute a traceroute to the destination with that
> > access-list
> >
> > R3 -- R1 -- R2
> >
> >
> > R3#traceroute
> > Protocol [ip]:
> > Target IP address: 2.2.2.2
> > Source address:
> > Numeric display [n]:
> > Timeout in seconds [3]:
> > Probe count [3]:
> > Minimum Time to Live [1]:
> > Maximum Time to Live [30]:
> > Port Number [33434]: 33465
> > Loose, Strict, Record, Timestamp, Verbose[none]:
> > Type escape sequence to abort.
> > Tracing the route to 2.2.2.2
> >
> > 1 10.1.13.1 4 msec 0 msec 4 msec
> > 2 10.1.12.2 4 msec * 4 msec
> > R3#
> >
> > on R1
> >
> > R1(config-if)#do show ip access-list 100
> > Extended IP access list 100
> > 10 deny udp any any range 33434 33464 (3 matches)
> > 20 permit ip any any (118 matches)
> > R1(config-if)#
> >
> > interface FastEthernet0/1
> > ip address 10.1.13.1 255.255.255.0
> > ip access-group 100 in
> > no ip route-cache cef
> > no ip route-cache
> > ip ospf network point-to-point
> > ip ospf hello-interval 1
> > duplex auto
> > speed auto
> > ipv6 address 2001:13::1/64
> > ipv6 ospf network point-to-point
> > ipv6 ospf hello-interval 1
> > ipv6 ospf 1 area 0
> > end
> >
> > I think that a possible solution for this is
> >
> > R1(config)#access-list 102 deny icmp any 2.2.2.2 0.0.0.0 ttl-exceeded
> > R1(config)#access-list 102 permit ip any any
> > R1(config)#int f0/1
> > R1(config-if)#ip access-gr 102 out
> > R1(config-if)#
> > IP: s=10.1.13.3 (FastEthernet0/1), d=2.2.2.2, len 28, access denied
> > UDP src=49215, dst=33434
> > ICMP: dst (2.2.2.2) administratively prohibited unreachable sent to
> > 10.1.13.3
> > IP: s=10.1.13.3 (FastEthernet0/1), d=2.2.2.2, len 28, access denied
> > UDP src=49216, dst=33435
> > R1(config-if)#
> > IP: s=10.1.13.3 (FastEthernet0/1), d=2.2.2.2, len 28, access denied
> > UDP src=49217, dst=33436
> > ICMP: dst (2.2.2.2) administratively prohibited unreachable sent to
> > 10.1.13.3
> > R1(config-if)#int f0/1
> > R1(config-if)#no ip unre
> > R1(config-if)#
> > IP: s=10.1.13.3 (FastEthernet0/1), d=2.2.2.2, len 28, access denied
> > UDP src=49223, dst=33434
> > R1(config-if)#
> > IP: s=10.1.13.3 (FastEthernet0/1), d=2.2.2.2, len 28, access denied
> > UDP src=49224, dst=33435
> > R1(config-if)#
> > IP: s=10.1.13.3 (FastEthernet0/1), d=2.2.2.2, len 28, access denied
> > UDP src=49225, dst=33436
> > R1(config-if)#
> > IP: s=10.1.13.3 (FastEthernet0/1), d=2.2.2.2, len 28, access denied
> > UDP src=49226, dst=33437
> > R1(config-if)#
> >
> >
> > R3#traceroute 2.2.2.2
> >
> > Type escape sequence to abort.
> > Tracing the route to 2.2.2.2
> >
> > 1 * * *
> > 2
> > R3#ping 2.2.2.2
> >
> > Type escape sequence to abort.
> > Sending 5, 100-byte ICMP Echos to 2.2.2.2, timeout is 2 seconds:
> > !!!!!
> > Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/4 ms
> > R3#
> >
> > On Fri, Oct 17, 2008 at 10:26 PM, David Prall <dcp@dcptech.com> wrote:
> >
> > > What kind of traceroute? Different implementations work in different
> > > ways. Typical unix/cisco traceroute sends a packet to the destination
> > > using udp/33434 and then increments them by one for each hop. So you
> > > could block everything destined to these ports.
> > >
> > > Access-list 100 deny udp any any range 33434-33464
> > > Access-list 100 permit ip any any
> > >
> > > --
> > > http://dcp.dcptech.com
> > >
> > > > -----Original Message-----
> > > > From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
> > > > ccie820@gmail.com
> > > > Sent: Friday, October 17, 2008 3:55 PM
> > > > To: ccielab@groupstudy.com
> > > > Subject: Access list question
> > > >
> > > > All,
> > > >
> > > > Is there a way to block traceroutes and allow pings?
> > > > Your help will be very much appreciated.
> > > >
> > > > GG
> > > >
> > > > Blogs and organic groups at http://www.ccie.net
> > > >
> > > > _______________________________________________________________________
> > > > Subscription information may be found at:
> > > > http://www.groupstudy.com/list/CCIELab.html
> >
> > --
> > Victor Cappuccio
> > CCIE R/S# 20657
> > CCSI# 30452
> > www.anetworkerblog.com
--
Victor Cappuccio
CCIE R/S# 20657
CCSI# 30452
www.anetworkerblog.com
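As an added example that is not from this thread or from any of its participants: the Python model below simulates the traceroute behaviour described above (TTL starting at 1, UDP destination port increasing by one per probe, ICMP time-exceeded from intermediate hops and port-unreachable from the destination) against the two filtering approaches discussed, the UDP port-range ACL and an ICMP-reply filter. Hosts, ports and the R3 -- R1 -- R2 path are the thread's lab; the ACL placement (an "inside" ACL on R1's interface facing R3, an "outside" ACL on the interface facing R2 so it only sees replies coming back from beyond R1), the simplified ACL matching and the `no ip unreachables` setting are assumptions. It goes slightly beyond the thread by also checking that a plain ping still works under both ACLs, which was the original question.

```python
# Added example, not code from the thread: a small model of the traceroute /
# access-list interaction discussed above. Hosts are the thread's lab
# (R3 10.1.13.3 -> R1 10.1.13.1 -> R2 2.2.2.2); ACL matching is simplified.
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

@dataclass(frozen=True)
class Packet:
    proto: str                       # "udp" or "icmp"
    src: str
    dst: str
    dport: Optional[int] = None      # UDP destination port
    icmp_type: Optional[str] = None  # "ttl-exceeded", "port-unreachable", "echo", "echo-reply"

@dataclass(frozen=True)
class Ace:
    """One extended access-list entry; None in a field means 'any'."""
    action: str                      # "permit" or "deny"
    proto: str                       # "ip", "udp" or "icmp"
    dst: Optional[str] = None
    dport_range: Optional[Tuple[int, int]] = None
    icmp_type: Optional[str] = None

    def matches(self, p: Packet) -> bool:
        if self.proto != "ip" and self.proto != p.proto:
            return False
        if self.dst is not None and self.dst != p.dst:
            return False
        if self.dport_range is not None:
            lo, hi = self.dport_range
            if p.dport is None or not lo <= p.dport <= hi:
                return False
        if self.icmp_type is not None and self.icmp_type != p.icmp_type:
            return False
        return True

def acl_permits(acl: List[Ace], p: Packet) -> bool:
    """First matching entry decides; an IOS ACL ends with an implicit deny."""
    for ace in acl:
        if ace.matches(p):
            return ace.action == "permit"
    return False

SRC, R1, DST = "10.1.13.3", "10.1.13.1", "2.2.2.2"
PATH = [R1, DST]                     # hop 1 is R1, hop 2 is the destination

# The two approaches from the thread as entries. Assumed placement: "inside" is
# inbound on R1's interface facing R3, "outside" is inbound on the interface
# facing R2, so it only sees replies coming back from beyond R1.
ACL_100_PORTS = [Ace("deny", "udp", dport_range=(33434, 33464)), Ace("permit", "ip")]
ACL_ICMP_REPLIES = [Ace("deny", "icmp", icmp_type="ttl-exceeded"),
                    Ace("deny", "icmp", icmp_type="port-unreachable"),
                    Ace("permit", "ip")]
PERMIT_ALL = [Ace("permit", "ip")]

def traceroute_probes(base_port: int = 33434, max_ttl: int = 2, probes: int = 3):
    """Cisco/unix traceroute: TTL starts at 1, UDP dst port goes up by one per probe."""
    port = base_port
    for ttl in range(1, max_ttl + 1):
        for _ in range(probes):
            yield ttl, Packet("udp", SRC, DST, dport=port)
            port += 1

def reply_for(ttl: int, probe: Packet, inside_acl: List[Ace], outside_acl: List[Ace]) -> Optional[str]:
    """Address that answers one probe, or None for a '*' in the traceroute output."""
    if not acl_permits(inside_acl, probe):
        return None                  # dropped on R1; 'no ip unreachables' assumed, as in the thread
    if ttl < len(PATH):
        hop = PATH[ttl - 1]          # TTL expires here: ICMP time exceeded back to the source
        reply = Packet("icmp", hop, SRC, icmp_type="ttl-exceeded")
    else:                            # probe reaches the destination: ICMP port unreachable
        reply = Packet("icmp", DST, SRC, icmp_type="port-unreachable")
    if reply.src == R1:
        return R1                    # R1's own reply never enters through its outside interface
    return reply.src if acl_permits(outside_acl, reply) else None

def run_traceroute(inside_acl: List[Ace], outside_acl: List[Ace],
                   base_port: int = 33434) -> Dict[int, List[Optional[str]]]:
    """Map each TTL to the three answering addresses (None = '*')."""
    result: Dict[int, List[Optional[str]]] = {}
    for ttl, probe in traceroute_probes(base_port):
        result.setdefault(ttl, []).append(reply_for(ttl, probe, inside_acl, outside_acl))
    return result

def ping_works(inside_acl: List[Ace], outside_acl: List[Ace]) -> bool:
    """Echo request leaves through the inside ACL, echo reply returns through the outside one."""
    req = Packet("icmp", SRC, DST, icmp_type="echo")
    rep = Packet("icmp", DST, SRC, icmp_type="echo-reply")
    return acl_permits(inside_acl, req) and acl_permits(outside_acl, rep)

if __name__ == "__main__":
    for label, inside, outside, port in [
        ("port-range ACL, default port 33434", ACL_100_PORTS, PERMIT_ALL, 33434),
        ("port-range ACL, port 33465 (bypass)", ACL_100_PORTS, PERMIT_ALL, 33465),
        ("ICMP-reply ACL, port 33465", PERMIT_ALL, ACL_ICMP_REPLIES, 33465),
    ]:
        print(label, run_traceroute(inside, outside, port), "ping:", ping_works(inside, outside))
```

Running the script prints the three scenarios: the port-range filter drops every probe at the default port but lets all of them through once the probe ports start above 33464, while the ICMP-reply filter does not depend on the port at all. The trade-off David raises is visible too: the ICMP filter works by discarding time-exceeded and port-unreachable messages from beyond R1, which other traffic relying on those messages will also lose, and R1 itself still answers the first hop because its own reply never crosses the filtered interface. Ping keeps working under both filters.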
This archive was generated by hypermail 2.1.4 : Sat Nov 01 2008 - 15:35:21 ARST