RE: ICMP/Traceroute Question posted 11/13/2006


Have you ever tried to use that option?  Try it out and it'll answer
your question as to why it's not used for this scenario.

HTH,
 
Brian Dennis, CCIE #2210 (R&S/ISP-Dial/Security) 
bdennis@xxxxxxxxxxxxxxxxxxxxxx 
 
Internetwork Expert, Inc. 
http://www.InternetworkExpert.com
Toll Free: 877-224-8987
Direct: 775-745-6404 (Outside the US and Canada) 

 

-----Original Message-----
From: Udo [mailto:ccie_groupstudy@xxxxxxxx] 
Sent: Sunday, November 12, 2006 11:01 PM
To: Brian Dennis
Cc: techlist01@xxxxxxxxx; cisco@xxxxxxxxxxxxxx; ccie >> Cisco certification; security@xxxxxxxxxxxxxx
Subject: RE: ICMP/Traceroute Question

Hi,

why not use
'R1(config-ext-nacl)#permit icmp any any traceroute ' ?

Udo

On Sunday, 12.11.2006, at 22:18 -0500, Brian Dennis wrote:
> If it's not needed for the solution then don't permit it. 
>  
> Brian Dennis, CCIE #2210 (R&S/ISP-Dial/Security) 
> bdennis@xxxxxxxxxxxxxxxxxxxxxx 
> 
> Internetwork Expert, Inc. 
> http://www.InternetworkExpert.com
> Toll Free: 877-224-8987
> Direct: 775-745-6404 (Outside the US and Canada) 
> 
>  
> 
> -----Original Message-----
> From: Lab Rat #109385382 [mailto:techlist01@xxxxxxxxx] 
> Sent: Sunday, November 12, 2006 7:08 PM
> To: Brian Dennis; cisco@xxxxxxxxxxxxxx; ccie >> Cisco certification; security@xxxxxxxxxxxxxx
> Subject: RE: ICMP/Traceroute Question
> 
> So, if a lab question asks "permit all traceroute replies back in through
> the router's Serial0/0/0 ACL" then that answer would be:
> 
> Interface Serial0/0/0
> ip access-list extended INFILT
> permit icmp any any time-exceeded
> permit icmp any any port-unreachable
> 
> ...and that's it? 
> 
> Does it "hurt" you to add "unreachable" and "echo-reply" into there as
> well?
> 
> Thanks,
> 
> Ed
> 
> 
> -----Original Message-----
> From: Brian Dennis [mailto:bdennis@xxxxxxxxxxxxxxxxxxxxxx] 
> Sent: Sunday, November 12, 2006 5:31 PM
> To: Lab Rat #109385382; cisco@xxxxxxxxxxxxxx; ccie >> Cisco certification; security@xxxxxxxxxxxxxx
> Subject: RE: ICMP/Traceroute Question
> 
> Technically you would need to know the implementation of the traceroute
> application since traceroute can be ICMP, UDP, or even TCP based.  In a
> Cisco lab environment we can safely assume that it will be UDP based
> traceroute.  This means that UDP packets are sent out by the source.
> ICMP time-exceeded packets are sent back by the intermediate routers in
> the path and finally an ICMP port unreachable packet is sent from the
> destination.
> 
> UDP based traceroute:
> 
> [root@xxxxxx root]# traceroute -m 15 www.cisco.com
> traceroute to www.cisco.com (198.133.219.25), 15 hops max, 38 byte packets
>  1  204.12.34.254 (204.12.34.254)  1.943 ms  2.008 ms  1.886 ms
>  2  foo.hostrack.net (204.10.14.254)  4.812 ms  4.326 ms  4.273 ms
>  3  ser4-0.core01.las.switchcommgroup.com (66.209.64.41)  23.205 ms  21.072 ms  20.975 ms
>  4  pos1-0.core02.las.oc48a.switchcommgroup.com (66.209.64.218)  21.675 ms  21.281 ms  21.378 ms
>  5  500.POS4-0.GW1.VEG2.alter.net (157.130.238.193)  21.393 ms  20.683 ms  21.007 ms
>  6  129.at-0-0-0.CL1.PHX2.ALTER.NET (152.63.115.26)  27.766 ms  33.290 ms  27.366 ms
>  7  0.so-1-1-0.XL1.SJC2.ALTER.NET (152.63.50.153)  46.132 ms  45.544 ms  45.734 ms
>  8  POS1-0.XR1.SJC2.ALTER.NET (152.63.56.138)  46.529 ms  45.811 ms  46.104 ms
>  9  191.ATM6-0.GW5.SJC2.ALTER.NET (152.63.48.141)  49.735 ms  45.895 ms  46.233 ms
> 10  ciscosys-gw1.customer.alter.net (65.208.80.242)  46.904 ms  46.294 ms  49.976 ms
> 11  sjck-dmzbb-gw1.cisco.com (128.107.239.5)  31.419 ms  30.919 ms  31.876 ms
> 12  sjck-dmzdc-gw2.cisco.com (128.107.224.77)  30.891 ms  32.932 ms  30.741 ms
> 13  * * *
> 14  * * *
> 15  * * *
> 
> ICMP based traceroute:
> 
> [root@xxxxxx root]# traceroute -m 15 -I www.cisco.com
> traceroute to www.cisco.com (198.133.219.25), 15 hops max, 38 byte packets
>  1  204.12.34.254 (204.12.34.254)  1.943 ms  2.028 ms  2.011 ms
>  2  foo.hostrack.net (204.10.14.254)  5.692 ms  3.320 ms  2.778 ms
>  3  ser4-0.core01.las.switchcommgroup.com (66.209.64.41)  19.102 ms  19.189 ms  19.713 ms
>  4  pos1-0.core02.las.oc48a.switchcommgroup.com (66.209.64.218)  20.192 ms  20.431 ms  20.245 ms
>  5  500.POS4-0.GW1.VEG2.alter.net (157.130.238.193)  20.796 ms  19.319 ms  19.872 ms
>  6  129.at-0-0-0.CL1.PHX2.ALTER.NET (152.63.115.26)  26.668 ms  25.548 ms  26.387 ms
>  7  0.so-1-1-0.XL1.SJC2.ALTER.NET (152.63.50.153)  46.854 ms  44.527 ms  44.610 ms
>  8  POS1-0.XR1.SJC2.ALTER.NET (152.63.56.138)  45.276 ms  44.154 ms  44.490 ms
>  9  191.ATM6-0.GW5.SJC2.ALTER.NET (152.63.48.141)  45.025 ms  44.965 ms  44.227 ms
> 10  ciscosys-gw1.customer.alter.net (65.208.80.242)  46.926 ms  44.886 ms  45.231 ms
> 11  sjck-dmzbb-gw1.cisco.com (128.107.239.5)  29.794 ms  30.810 ms  29.988 ms
> 12  * * *
> 13  * * *
> 14  * * *
> 15  * * *
> 
> TCP based traceroute:
> 
> [root@xxxxxx root]# tcptraceroute www.cisco.com
> tcptraceroute: Symbol `pcap_version' has different size in shared object, consider re-linking
> Selected device eth3, address 172.16.2.93, port 34709 for outgoing packets
> Tracing the path to www.cisco.com (198.133.219.25) on TCP port 80, 30 hops max
>  1  204.12.34.254 (204.12.34.254)  1.471 ms  1.501 ms  1.465 ms
>  2  foo.hostrack.net (204.10.14.254)  4.594 ms  5.405 ms  5.720 ms
>  3  ser4-0.core01.las.switchcommgroup.com (66.209.64.41)  21.758 ms  22.803 ms  22.601 ms
>  4  pos1-0.core02.las.oc48a.switchcommgroup.com (66.209.64.218)  24.231 ms  21.688 ms  20.854 ms
>  5  500.POS4-0.GW1.VEG2.alter.net (157.130.238.193)  23.359 ms  43.826 ms  20.976 ms
>  6  129.at-0-0-0.CL1.PHX2.ALTER.NET (152.63.115.26)  27.600 ms  28.212 ms  27.809 ms
>  7  0.so-1-1-0.XL1.SJC2.ALTER.NET (152.63.50.153)  46.095 ms  46.111 ms  48.088 ms
>  8  POS1-0.XR1.SJC2.ALTER.NET (152.63.56.138)  45.839 ms  45.777 ms  45.855 ms
>  9  191.ATM6-0.GW5.SJC2.ALTER.NET (152.63.48.141)  45.556 ms  50.033 ms  46.527 ms
> 10  ciscosys-gw1.customer.alter.net (65.208.80.242)  46.210 ms  47.630 ms  47.831 ms
> 11  sjck-dmzbb-gw1.cisco.com (128.107.239.5)  31.083 ms  31.308 ms  30.959 ms
> 12  sjck-dmzdc-gw2.cisco.com (128.107.224.77)  30.693 ms  31.420 ms  30.834 ms
> 13  www.cisco.com (198.133.219.25) [open]  30.517 ms  31.361 ms  34.572 ms
> [root@xxxxxx root]#
> 
> HTH,
>  
> Brian Dennis, CCIE #2210 (R&S/ISP-Dial/Security)
> bdennis@xxxxxxxxxxxxxxxxxxxxxx 
> 
> Internetwork Expert, Inc. 
> http://www.InternetworkExpert.com
> Toll Free: 877-224-8987
> Direct: 775-745-6404 (Outside the US and Canada) 
> 
>  
> 
> -----Original Message-----
> From: nobody@xxxxxxxxxxxxxx [mailto:nobody@xxxxxxxxxxxxxx] On Behalf Of
> Lab Rat #109385382
> Sent: Sunday, November 12, 2006 1:10 PM
> To: cisco@xxxxxxxxxxxxxx; ccie >> Cisco certification; security@xxxxxxxxxxxxxx
> Subject: ICMP/Traceroute Question
> 
> What's the difference between ICMP unreachable versus ICMP
> port-unreachable?
> 
> And what are the icmp-types for Traceroute?  I have seen "echo-reply",
> "time-exceeded", "unreachable", "port-unreachable" and any combination of
> the four listed in various solutions.  If I'm asked a question to allow
> Traceroute back in an ACL, which ones do I have to consider?
> 
> Thanks,
> 
> Ed
> 
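The ICMP-type question worked through as an added Python model (not code from any of the posters): it maps the Cisco IOS extended-ACL ICMP keywords named in the thread to ICMP type/code and evaluates the proposed INFILT ACL against the replies that the UDP traceroute and the ICMP (-I) traceroute in Brian's output generate. The keyword mapping follows Cisco IOS ACL syntax (the `traceroute` keyword is the RFC 1393 Traceroute message, ICMP type 30); the reply packets and hop names are constructed sample data.

```python
from dataclasses import dataclass

# Cisco IOS ICMP keyword -> (type, code); code None means any code of that type.
ICMP_KEYWORDS = {
    "echo-reply": (0, None),
    "unreachable": (3, None),        # matches every type-3 code
    "port-unreachable": (3, 3),      # type 3, code 3 only
    "time-exceeded": (11, None),
    "traceroute": (30, None),        # RFC 1393 Traceroute message, not what traceroute tools use
}

@dataclass(frozen=True)
class IcmpReply:
    sender: str
    icmp_type: int
    icmp_code: int

def ace_matches(keyword, pkt):
    t, c = ICMP_KEYWORDS[keyword]
    return pkt.icmp_type == t and (c is None or pkt.icmp_code == c)

def acl_permits(acl, pkt):
    """First matching entry wins; an implicit deny sits at the end."""
    for action, keyword in acl:
        if ace_matches(keyword, pkt):
            return action == "permit"
    return False

def blocked_senders(acl, replies):
    """Hops whose reply the inbound ACL drops (the prober shows them as * * *)."""
    return [p.sender for p in replies if not acl_permits(acl, p)]

# Constructed replies for the UDP traceroute described in the thread:
UDP_TRACEROUTE_REPLIES = [
    IcmpReply("hop1", 11, 0),   # TTL exceeded in transit, from each intermediate router
    IcmpReply("hop2", 11, 0),
    IcmpReply("dest", 3, 3),    # UDP port unreachable from the destination host
]
# With traceroute -I the destination answers the echo request with an echo-reply.
ICMP_TRACEROUTE_REPLIES = UDP_TRACEROUTE_REPLIES[:2] + [IcmpReply("dest", 0, 0)]

INFILT = [("permit", "time-exceeded"), ("permit", "port-unreachable")]
INFILT_PLUS_ECHO = INFILT + [("permit", "echo-reply")]
TRACEROUTE_KW = [("permit", "traceroute")]

if __name__ == "__main__":
    print(blocked_senders(INFILT, UDP_TRACEROUTE_REPLIES))         # -> []
    print(blocked_senders(INFILT, ICMP_TRACEROUTE_REPLIES))        # -> ['dest']
    print(blocked_senders(TRACEROUTE_KW, UDP_TRACEROUTE_REPLIES))  # -> ['hop1', 'hop2', 'dest']
```

An ACL that permits only the `traceroute` keyword drops every reply, which is the result the thread tells Udo to try for himself; `unreachable` is the superset that also covers the port-unreachable code, so the two are not equivalent in the other direction.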

