From: David Prall (dcp@dcptech.com)
Date: Fri Oct 17 2008 - 20:52:29 ART
I was using the access-list inbound on the default-gateway. If I can send
the packets, then return traffic will be sent back to me. Why not stop it
locally.
Trace www.cisco.com
Translating "www.cisco.com"...domain server (192.168.107.3)
Type escape sequence to abort.
Tracing the route to www.cisco.com (198.133.219.25)
1 next-hop (192.168.255.9) !A * !A
You could also do a deny ip any any ttl eq 2, don't use 1 or routing goes
away. Of course modify the acl to use real address space and use eq 1.
trace www.cisco.com
Translating "www.cisco.com"...domain server (192.168.107.3)
Type escape sequence to abort.
Tracing the route to www.cisco.com (198.133.219.25)
1 next-hop (192.168.255.9) 0 msec 0 msec 8 msec
2 Outside (x.x.x.x) 8 msec 17 msec 17 msec
3 next-hop (192.168.255.9) !A * !A
David
--
http://dcp.dcptech.com

> -----Original Message-----
> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
> Victor Cappuccio
> Sent: Friday, October 17, 2008 5:56 PM
> To: David Prall
> Cc: ccie820@gmail.com; ccielab@groupstudy.com
> Subject: Re: Access list question
>
> David,
>
> since the trace route application can see the TTL Exceeded it can not
> increment the TTL Value.
>
> Traceroute actually uses the TTL exceeded message to track the path through
> the network from source to destination. Traceroute sets the TTL on its
> first set of packets to 1 and waits for the TTL exceeded response, which
> returns with the sender's IP Address (this is how both round trip time to
> that device, and its ip address are acquired).
>
> R3(config)#access-list 101 permit ip any host 2.2.2.2
> R3(config)#^Z
> R3#
>
> R3#deb ip pac de 101
> IP packet debugging is on (detailed) for access list 101
>
> R3#traceroute
> Protocol [ip]:
> Target IP address: 2.2.2.2
> Source address:
> Numeric display [n]:
> Timeout in seconds [3]:
> Probe count [3]:
> Minimum Time to Live [1]:
> Maximum Time to Live [30]:
> Port Number [33434]:
> Loose, Strict, Record, Timestamp, Verbose[none]:
> Type escape sequence to abort.
> Tracing the route to 2.2.2.2
> R3#traceroute 2.2.2.2
>
> Type escape sequence to abort.
> Tracing the route to 2.2.2.2
>
>   1
> IP: tableid=0, s=10.1.13.3 (local), d=2.2.2.2 (FastEthernet0/1), routed via FIB
> IP: s=10.1.13.3 (local), d=2.2.2.2 (FastEthernet0/1), len 28, sending
>     UDP src=49262, dst=33434 *
> IP: tableid=0, s=10.1.13.3 (local), d=2.2.2.2 (FastEthernet0/1), routed via FIB
> IP: s=10.1.13.3 (local), d=2.2.2.2 (FastEthernet0/1), len 28, sending
>     UDP src=49263, dst=33435 *
> IP: tableid=0, s=10.1.13.3 (local), d=2.2.2.2 (FastEthernet0/1), routed via FIB
> IP: s=10.1.13.3 (local), d=2.2.2.2 (FastEthernet0/1), len 28, sending
>     UDP src=49264, dst=33436 *
>   2
> IP: tableid=0, s=10.1.13.3 (local), d=2.2.2.2 (FastEthernet0/1), routed via FIB
> IP: s=10.1.13.3 (local), d=2.2.2.2 (FastEthernet0/1), len 28, sending
>     UDP src=49265, dst=33437 *
>
> CCIE_6#2
> [Resuming connection 2 to 1.1.1.1 ... ]
>
> R2(config)#
> IP packet debugging is on (detailed)
> R2(config)#
> IP: s=10.1.12.1 (FastEthernet0/0), d=224.0.0.5, len 80, rcvd 0, proto=89
> IP: s=10.1.12.2 (local), d=224.0.0.5 (FastEthernet0/0), len 80, sending broad/multicast, proto=89
> R2(config)#
> IP: s=10.1.12.1 (FastEthernet0/0), d=224.0.0.5, len 80, rcvd 0, proto=89
> IP: s=10.1.12.2 (local), d=224.0.0.5 (FastEthernet0/0), len 80, sending broad/multicast, proto=89
> R2(config)#
>
> while R1 always showed the following
>
> R1(config)#
> IP: s=10.1.13.3 (FastEthernet0/1), d=2.2.2.2, len 28, access denied
>     UDP src=49280, dst=33452
> R1(config)#
> IP: s=10.1.13.3 (FastEthernet0/1), d=2.2.2.2, len 28, access denied
>     UDP src=49281, dst=33453
> R1(config)#
> IP: s=10.1.13.3 (FastEthernet0/1), d=2.2.2.2, len 28, access denied
>     UDP src=49282, dst=33454
> R1(config)#
> IP: s=10.1.13.3 (FastEthernet0/1), d=2.2.2.2, len 28, access denied
>     UDP src=49283, dst=33455
> R1(config)#
> IP: s=10.1.13.3 (FastEthernet0/1), d=2.2.2.2, len 28, access denied
>     UDP src=49284, dst=33456
> R1(config)#
> IP: s=10.1.13.3 (FastEthernet0/1), d=2.2.2.2, len 28, access denied
>     UDP src=49285, dst=33457
> R1(config)#
> IP: s=10.1.13.3 (FastEthernet0/1), d=2.2.2.2, len 28, access denied
>     UDP src=49286, dst=33458
> R1(config)#
> IP: s=10.1.13.3 (FastEthernet0/1), d=2.2.2.2, len 28, access denied
>     UDP src=49287, dst=33459
> R1(config)#
> IP: s=10.1.13.3 (FastEthernet0/1), d=2.2.2.2, len 28, access denied
>     UDP src=49288, dst=33460
> R1(config)#
> IP: s=10.1.13.3 (FastEthernet0/1), d=2.2.2.2, len 28, access denied
>     UDP src=49289, dst=33461
> R1(config)#
> IP: s=10.1.13.3 (FastEthernet0/1), d=2.2.2.2, len 28, access denied
>     UDP src=49290, dst=33462
> R1(config)#
> IP: s=10.1.13.3 (FastEthernet0/1), d=2.2.2.2, len 28, access denied
>     UDP src=49291, dst=33463
> R1(config)#
> IP: s=10.1.13.3 (FastEthernet0/1), d=2.2.2.2, len 28, access denied
>     UDP src=49292, dst=33464
> R1(config)#
> IP: tableid=0, s=10.1.13.3 (FastEthernet0/1), d=2.2.2.2 (FastEthernet0/0), routed via FIB
> IP: s=10.1.13.3 (FastEthernet0/1), d=2.2.2.2 (FastEthernet0/0), g=10.1.12.2, len 28, forward
>     UDP src=49293, dst=33465
> IP: tableid=0, s=10.1.13.3 (FastEthernet0/1), d=2.2.2.2 (FastEthernet0/0), routed via FIB
> IP: s=10.1.13.3 (FastEthernet0/1), d=2.2.2.2 (FastEthernet0/0), g=10.1.12.2, len 28, forward
>     UDP src=49294, dst=33466
> R1(config)#!
>
> with this acl configured
>
> access-list 102 deny icmp any host 2.2.2.2 ttl-exceeded
> access-list 102 deny icmp any host 2.2.2.2 port-unreachable
> access-list 102 permit ip any any
>
> yes we can use the log at the end to get information, but better yet since
> this is a broadcast interface to use the log-input
>
> it is good to be safe from non regular users also :)
>
> thanks,
>
> On Fri, Oct 17, 2008 at 11:32 PM, David Prall <dcp@dcptech.com> wrote:
>
> > Yes by changing the port you bypass the acl. Is the average user going to
> > change the port? Using the ttl-exceeded message will still allow the traffic
> > to exit your network, you just won't accept it in return. What does that do
> > when you're doing things other than traceroute.
> >
> > David
> >
> > --
> > http://dcp.dcptech.com
> >
> > > -----Original Message-----
> > > From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
> > > Victor Cappuccio
> > > Sent: Friday, October 17, 2008 5:00 PM
> > > To: David Prall
> > > Cc: ccie820@gmail.com; ccielab@groupstudy.com
> > > Subject: Re: Access list question
> > >
> > > Hi David,
> > >
> > > I am able to still execute a traceroute to the destination with that
> > > access-list
> > >
> > > R3 -- R1 -- R2
> > >
> > > R3#traceroute
> > > Protocol [ip]:
> > > Target IP address: 2.2.2.2
> > > Source address:
> > > Numeric display [n]:
> > > Timeout in seconds [3]:
> > > Probe count [3]:
> > > Minimum Time to Live [1]:
> > > Maximum Time to Live [30]:
> > > Port Number [33434]: 33465
> > > Loose, Strict, Record, Timestamp, Verbose[none]:
> > > Type escape sequence to abort.
> > > Tracing the route to 2.2.2.2
> > >
> > >   1 10.1.13.1 4 msec 0 msec 4 msec
> > >   2 10.1.12.2 4 msec * 4 msec
> > > R3#
> > >
> > > on R1
> > >
> > > R1(config-if)#do show ip access-list 100
> > > Extended IP access list 100
> > >     10 deny udp any any range 33434 33464 (3 matches)
> > >     20 permit ip any any (118 matches)
> > > R1(config-if)#
> > >
> > > interface FastEthernet0/1
> > >  ip address 10.1.13.1 255.255.255.0
> > >  ip access-group 100 in
> > >  no ip route-cache cef
> > >  no ip route-cache
> > >  ip ospf network point-to-point
> > >  ip ospf hello-interval 1
> > >  duplex auto
> > >  speed auto
> > >  ipv6 address 2001:13::1/64
> > >  ipv6 ospf network point-to-point
> > >  ipv6 ospf hello-interval 1
> > >  ipv6 ospf 1 area 0
> > > end
> > >
> > > I think that a possible solution for this is
> > >
> > > R1(config)#access-list 102 deny icmp any 2.2.2.2 0.0.0.0 ttl-exceeded
> > > R1(config)#access-list 102 permit ip any any
> > > R1(config)#int f0/1
> > > R1(config-if)#ip access-gr 102 out
> > > R1(config-if)#
> > > IP: s=10.1.13.3 (FastEthernet0/1), d=2.2.2.2, len 28, access denied
> > >     UDP src=49215, dst=33434
> > > ICMP: dst (2.2.2.2) administratively prohibited unreachable sent to 10.1.13.3
> > > IP: s=10.1.13.3 (FastEthernet0/1), d=2.2.2.2, len 28, access denied
> > >     UDP src=49216, dst=33435
> > > R1(config-if)#
> > > IP: s=10.1.13.3 (FastEthernet0/1), d=2.2.2.2, len 28, access denied
> > >     UDP src=49217, dst=33436
> > > ICMP: dst (2.2.2.2) administratively prohibited unreachable sent to 10.1.13.3
> > > R1(config-if)#int f0/1
> > > R1(config-if)#no ip unre
> > > R1(config-if)#
> > > IP: s=10.1.13.3 (FastEthernet0/1), d=2.2.2.2, len 28, access denied
> > >     UDP src=49223, dst=33434
> > > R1(config-if)#
> > > IP: s=10.1.13.3 (FastEthernet0/1), d=2.2.2.2, len 28, access denied
> > >     UDP src=49224, dst=33435
> > > R1(config-if)#
> > > IP: s=10.1.13.3 (FastEthernet0/1), d=2.2.2.2, len 28, access denied
> > >     UDP src=49225, dst=33436
> > > R1(config-if)#
> > > IP: s=10.1.13.3 (FastEthernet0/1), d=2.2.2.2, len 28, access denied
> > >     UDP src=49226, dst=33437
> > > R1(config-if)#
> > >
> > > R3#traceroute 2.2.2.2
> > >
> > > Type escape sequence to abort.
> > > Tracing the route to 2.2.2.2
> > >
> > >   1 * * *
> > >   2
> > > R3#ping 2.2.2.2
> > >
> > > Type escape sequence to abort.
> > > Sending 5, 100-byte ICMP Echos to 2.2.2.2, timeout is 2 seconds:
> > > !!!!!
> > > Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/4 ms
> > > R3#
> > >
> > > On Fri, Oct 17, 2008 at 10:26 PM, David Prall <dcp@dcptech.com> wrote:
> > >
> > > > What kind of traceroute, different implementations work in different ways.
> > > > Typical unix/cisco traceroute sends a packet to the destination using
> > > > udp/33434 and then increments them by one for each hop. So you could block
> > > > everything destined to these ports.
> > > >
> > > > access-list 100 deny udp any any range 33434 33464
> > > > access-list 100 permit ip any any
> > > >
> > > > --
> > > > http://dcp.dcptech.com
> > > >
> > > > > -----Original Message-----
> > > > > From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
> > > > > ccie820@gmail.com
> > > > > Sent: Friday, October 17, 2008 3:55 PM
> > > > > To: ccielab@groupstudy.com
> > > > > Subject: Access list question
> > > > >
> > > > > All,
> > > > >
> > > > > Is there a way to block traceroutes and allow pings?
> > > > > Your help will be very much appreciated.
> > > > >
> > > > > GG
> > > > >
> > > > > Blogs and organic groups at http://www.ccie.net
> > > > >
> > > > > _______________________________________________________________________
> > > > > Subscription information may be found at:
> > > > > http://www.groupstudy.com/list/CCIELab.html
> > >
> > > --
> > > Victor Cappuccio
> > > CCIE R/S# 20657
> > > CCSI# 30452
> > > www.anetworkerblog.com
>
> --
> Victor Cappuccio
> CCIE R/S# 20657
> CCSI# 30452
> www.anetworkerblog.com
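As an added example (not from the thread or from Cisco), a small Python parser for the `debug ip packet detail` lines quoted above: it pairs each `IP: ... access denied` or `... forward` line with the `UDP src=..., dst=...` line that follows it, counts denied versus forwarded probes per source host, lists destination ports that fall outside the `range 33434 33464` ACL (the bypass shown with port 33465), and marks a source as traceroute-like when its probes all sit inside the default UDP window for 30 hops x 3 probes. The debug text is constructed in the thread's format, and the window heuristic is an assumption of this example.

```python
import re
from collections import defaultdict

# Constructed sample in the format of the "debug ip packet detail" lines quoted above
SAMPLE_DEBUG = """\
IP: s=10.1.13.3 (FastEthernet0/1), d=2.2.2.2, len 28, access denied
    UDP src=49280, dst=33452
IP: s=10.1.13.3 (FastEthernet0/1), d=2.2.2.2, len 28, access denied
    UDP src=49281, dst=33453
IP: tableid=0, s=10.1.13.3 (FastEthernet0/1), d=2.2.2.2 (FastEthernet0/0), routed via FIB
IP: s=10.1.13.3 (FastEthernet0/1), d=2.2.2.2 (FastEthernet0/0), g=10.1.12.2, len 28, forward
    UDP src=49293, dst=33465
IP: s=10.1.13.3 (FastEthernet0/1), d=2.2.2.2 (FastEthernet0/0), g=10.1.12.2, len 28, forward
    UDP src=49294, dst=33466
IP: s=10.1.12.1 (FastEthernet0/0), d=224.0.0.5, len 80, rcvd 0, proto=89
"""

IP_LINE = re.compile(r"^IP: s=(?P<src>[^\s,]+) \([^)]+\), d=(?P<dst>[^\s,]+)"
                     r"(?: \([^)]+\))?,.*, (?P<action>access denied|forward)$")
UDP_LINE = re.compile(r"^UDP src=(?P<sport>\d+), dst=(?P<dport>\d+)$")
TRACEROUTE_BASE = 33434     # first UDP probe port of UNIX/IOS traceroute
TRACEROUTE_WINDOW = 30 * 3  # default max TTL 30 hops x 3 probes per hop (assumed heuristic)

def parse_probes(debug_text):
    """Pair each 'IP: ... access denied|forward' line with the UDP line after it."""
    probes, pending = [], None
    for raw in debug_text.splitlines():
        ip, udp = IP_LINE.match(raw.strip()), UDP_LINE.match(raw.strip())
        if udp and pending:
            probes.append(dict(pending, sport=int(udp["sport"]), dport=int(udp["dport"])))
        pending = ip.groupdict() if ip else None  # FIB/OSPF/prompt lines break the pair
    return probes

def summarize(probes, acl_range=(33434, 33464)):
    """Per source host: ACL outcomes, ports the range ACL missed, traceroute heuristic."""
    lo, hi = acl_range
    by_src = defaultdict(list)
    for p in probes:
        by_src[p["src"]].append(p)
    report = {}
    for src, plist in by_src.items():
        ports = [p["dport"] for p in plist]
        in_window = all(TRACEROUTE_BASE <= d < TRACEROUTE_BASE + TRACEROUTE_WINDOW for d in ports)
        report[src] = {
            "denied": sum(p["action"] == "access denied" for p in plist),
            "forwarded": sum(p["action"] == "forward" for p in plist),
            "outside_acl_range": [d for d in ports if not lo <= d <= hi],
            "traceroute_like": len(ports) >= 3 and in_window and ports == sorted(ports),
        }
    return report
```

Run `summarize(parse_probes(SAMPLE_DEBUG))` to see that the two probes at 33465 and 33466 were forwarded past the port-range ACL while still looking like a traceroute.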
Blogs and organic groups at http://www.ccie.net
This archive was generated by hypermail 2.1.4 : Sat Nov 01 2008 - 15:35:21 ARST