From: mahmoud genidy (ccie.mahmoud@gmail.com)
Date: Sat Feb 28 2009 - 18:11:32 ARST
I found out that the MICROSOFT implementation of TRACEROUTE uses ICMP to
send the traffic. So I guess in such cases this command will be effective to
allow the traceroute inside the outbound ACL: ["access-list 100 permit icmp any any
traceroute"]
Mahmoud.
On Sat, Feb 28, 2009 at 10:08 PM, Edouard Zorrilla <ezorrilla@tsf.com.pe> wrote:
> Right,
>
> Cisco routers work with UDP and return ICMP port-unreachable and
> time-exceeded. So first UDP, and the return packet is ICMP. Regarding the
> RACL, just make sure you allow the returning ICMP port-unreachable and
> time-exceeded inside the inbound ACL and, of course, allow UDP inside the
> outbound ACL.
>
> Rack1R6#sh run int Virtual-Access1
> Building configuration...
>
> Current configuration : 126 bytes
> !
> interface Virtual-Access1
> ip address 54.1.7.6 255.255.255.0
> ip access-group inbound in
> ip access-group outbound out
> end
>
> Rack1R6#
>
> Rack1R6#sh ip access-lists inbound
> Extended IP access list inbound
> 10 permit tcp any any eq bgp (46481 matches)
> 20 permit tcp any eq bgp any
> 21 permit icmp any any port-unreachable (19 matches)
> 22 permit icmp any any time-exceeded
> 30 evaluate ME
> 40 permit icmp any any echo-reply
> 50 deny ip any any log (229160 matches)
> Rack1R6#
> Rack1R6#sh ip access-lists outbound
> Extended IP access list outbound
> 10 permit tcp any any reflect ME
> 20 permit udp any any reflect ME (273 matches)
> 30 permit icmp any any
> 40 deny ip any any log
> Rack1R6#
>
> Rack1R6#sh ip cef exact-route 183.1.123.2 54.1.7.254
> 183.1.123.2 -> 54.1.7.254 : Virtual-Access1 (attached)
> Rack1R6#
>
> So let's go to Rack1R2 (183.1.123.2):
>
> Rack1R2#traceroute 54.1.7.254
>
> Type escape sequence to abort.
> Tracing the route to 54.1.7.254
>
> 1 183.1.123.3 20 msec 8 msec 0 msec
> 2 183.1.0.5 4 msec 4 msec 0 msec
> 3 183.1.0.4 4 msec 4 msec 4 msec
> 4 183.1.46.6 4 msec 4 msec 4 msec
> 5
> *Feb 28 11:51:46.523: ICMP: time exceeded rcvd from 183.1.123.3
> *Feb 28 11:51:46.531: ICMP: time exceeded rcvd from 183.1.123.3
> *Feb 28 11:51:46.531: ICMP: time exceeded rcvd from 183.1.123.3
> *Feb 28 11:51:46.535: ICMP: time exceeded rcvd from 183.1.0.5
> *Feb 28 11:51:46.539: ICMP: time exceeded rcvd from 183.1.0.5
> *Feb 28 11:51:46.539: ICMP: time exceeded rcvd from 183.1.0.5
> *Feb 28 11:51:46.543: ICMP: time exceeded rcvd from 183.1.0.4
> *Feb 28 11:51:46.547: ICMP: time exceeded rcvd from 183.1.0.4
> *Feb 28 11:51:46.551: ICMP: time exceeded rcvd from 183.1.0.4
> *Feb 28 11:51:46.555: ICMP: time exceeded rcvd from 183.1.46.6
> *Feb 28 11:51:46.559: ICMP: time exceeded rcvd from 183.1.46.6
> *Feb 28 11:51:46.563: ICMP: time exceeded rcvd from 183.1.46.6 * * *
> 6 * * *
> 7 54.1.7.254 4 msec
> *Feb 28 11:52:04.567: ICMP: dst (183.1.123.2) port unreachable rcv from
> 54.1.7.254 * 4 msec
> Rack1R2#
>
> Rack1R6#sh ip access-lists ME
> Reflexive IP access list ME
> permit udp host 54.1.7.254 eq 33448 host 183.1.123.2 eq 41606 (1 match)
> (time left 296)
> permit udp host 54.1.7.254 eq 33447 host 183.1.123.2 eq 33667 (1 match)
> (time left 296)
> permit udp host 54.1.7.254 eq 33446 host 183.1.123.2 eq 33777 (1 match)
> (time left 293)
> Rack1R6#
>
> Now, regarding the "access-list 100 permit icmp any any traceroute", I
> wondered the same before, but after doing some digging I realized that this is
> just a kind of historical command, defined in RFC 1393. No more than this; I
> haven't seen any application in real life.
>
> Does anyone?
>
> Regards
>
>
> ----- Original Message ----- From: "mahmoud genidy" <ccie.mahmoud@gmail.com>
> To: "Cisco certification" <ccielab@groupstudy.com>
> Sent: Friday, February 27, 2009 7:11 PM
> Subject: Traceroute and RACL
>
>
>> Hi GS,
>>
>> Regarding the TRACEROUTE traffic and how it is related to Reflexive ACL.
>>
>> According to the Cisco implementation, the TRACEROUTE traffic goes out as UDP
>> and returns as ICMP (Port unreachable and Time-Exceeded). Am I correct?!
>>
>> BUT I found this command in the DOC CD:
>>
>> { Router(config)# *access-list 100 permit icmp any any traceroute* }
>>
>> Then I found that TRACEROUTE is ICMP type 30. Now I'm confused about how to
>> match it in the OUT and IN directions if I use RACL!
>>
>> Any hints?
>>
>> Thanks
>> Mahmoud.
>>
>>
>> Blogs and organic groups at http://www.ccie.net
>>
>> _______________________________________________________________________
>> Subscription information may be found at:
>> http://www.groupstudy.com/list/CCIELab.html
This archive was generated by hypermail 2.1.4 : Sun Mar 01 2009 - 09:44:13 ARST
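A toy model of the reflexive-ACL behaviour shown in the quoted outputs above, added here as an example (not code from the thread or from Cisco): the `reflect ME` entries mirror only the UDP 5-tuples of the outbound probes, so the ICMP time-exceeded and port-unreachable replies that let a Cisco traceroute complete must be permitted explicitly in the inbound ACL (lines 21 and 22 of "inbound"). Class and function names, the simulated hop address and the probe ports are constructed to mirror the `sh ip access-lists ME` output.

```python
# Added example (not from the thread): simulate 'permit udp any any reflect ME'
# on the outbound ACL and 'evaluate ME' on the inbound ACL, then check which
# traceroute return packets are permitted with and without explicit ICMP lines.
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    proto: str           # "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0       # UDP only
    dport: int = 0       # UDP only
    icmp_type: str = ""  # e.g. "time-exceeded", "port-unreachable"

class ReflexiveAcl:
    """Mirrors the UDP 5-tuple of each outbound probe (the 'reflect ME' lines)."""
    def __init__(self):
        self.entries = set()

    def reflect(self, pkt):
        # Only TCP/UDP are reflected in the quoted ACL; ICMP never creates an entry.
        if pkt.proto == "udp":
            self.entries.add(("udp", pkt.dst, pkt.dport, pkt.src, pkt.sport))

    def evaluate(self, pkt):
        return (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport) in self.entries

def inbound_permit(pkt, reflexive, icmp_permits):
    """Inbound ACL order: explicit ICMP permits, then 'evaluate ME', then deny."""
    if pkt.proto == "icmp" and pkt.icmp_type in icmp_permits:
        return "explicit-icmp"
    if reflexive.evaluate(pkt):
        return "reflexive"
    return "deny"

def simulate(icmp_permits):
    me = ReflexiveAcl()
    src, dst = "183.1.123.2", "54.1.7.254"  # Rack1R2 -> traceroute target
    # Three outbound UDP probes; ports constructed to match the quoted ME entries.
    for sport, dport in ((41606, 33448), (33667, 33447), (33777, 33446)):
        me.reflect(Packet("udp", src, dst, sport, dport))
    replies = [
        Packet("icmp", "183.1.46.6", src, icmp_type="time-exceeded"),   # intermediate hop
        Packet("icmp", dst, src, icmp_type="port-unreachable"),          # final hop
        Packet("udp", dst, src, 33448, 41606),                           # mirrored 5-tuple
        Packet("udp", dst, src, 33448, 41607),                           # wrong port
    ]
    return [inbound_permit(p, me, icmp_permits) for p in replies]
```

Running `simulate(set())` shows that with only `evaluate ME` both ICMP replies are dropped, which is exactly why the quoted inbound ACL carries the two explicit ICMP permits.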