Velocity Reviews - Computer Hardware Reviews


set srcIP for ICMP replies, or for locally sourced connections?

 
 
Phil Begriffenfeldt
 
      03-27-2008
I'd like to block traffic to my routers from outside my network; but
still to allow my routers to traceroute/ping to hosts outside my
network; and reply to traceroutes sourced outside the network.

Is there a way to force ICMP replies to come from a particular IP
address? For example, something like "ip icmp source-interface
loopback2", where the ICMP messages generated by my routers would come
from a source IP that I can specify? That would help to hide interface
IPs from casual miscreants.

Alternatively, I could try to block all packets entering my network with
destination IPs of my internal links. But that would block replies from
simple outbound pings and traceroutes from router CLI sessions. If
there were a way to bind locally-sourced ping and traceroute to a
particular source IP on each router, then that would also be helpful.

Perhaps blocking at the network edge is not productive, and I should be
using Control Plane Policing for this? Router platform is mix of VXR
and 3BXL.
 
 
 
 
 
News Reader
 
      03-27-2008
Attach an ACL to the WAN interface (direction "in") that specifies to
which IP addresses (interfaces) you will permit ICMP.

The direction is specified by the keyword "in", in the following example:

ip access-group <acl-name> in

For security reasons, you should actually specify the "types" of ICMP
you wish to permit (e.g.: echo-reply, time-exceeded, unreachable,
administratively-prohibited, packet-too-big, source-quench,
parameter-problem). Some types of ICMP should definitely be denied.

Other info of interest:

Extended ping (via the CLI) permits you to specify the source IP address
that will be used in the outbound ping, which then becomes the
destination IP address in the reply packet.

"Inspection" applied on a LAN interface will open temporary dynamic
holes in the return path ACLs to accommodate replies to pings sent from
internal hosts.


Best Regards,
News Reader


Phil Begriffenfeldt wrote:
> I'd like to block traffic to my routers from outside my network; but
> still to allow my routers to traceroute/ping to hosts outside my
> network; and reply to traceroutes sourced outside the network.
>
> Is there a way to force ICMP replies to come from a particular IP
> address? For example, something like "ip icmp source-interface
> loopback2", where the ICMP messages generated by my routers would come
> from a source IP that I can specify? That would help to hide interface
> IPs from casual miscreants.
>
> Alternatively, I could try to block all packets entering my network with
> destination IPs of my internal links. But that would block replies from
> simple outbound pings and traceroutes from router CLI sessions. If
> there were a way to bind locally-sourced ping and traceroute to a
> particular source IP on each router, then that would also be helpful.
>
> Perhaps blocking at the network edge is not productive, and I should be
> using Control Plane Policing for this? Router platform is mix of VXR
> and 3BXL.

 
 
 
 
 
Thrill5
 
      03-28-2008
Traceroute doesn't use ICMP, it sends UDP packets on port 16667 (usually),
increasing the TTL by one. The router that gets the packet with a TTL of 1
will reply with an ICMP TTL exceeded message.





 
 
News Reader
 
      03-28-2008
Beg to differ.

It's system dependent.

I just performed a traceroute from a Windows XP host through my IPSec+
GRE VPN, and captured it with Wireshark to confirm my beliefs.

A Windows XP (and probably other Windows platforms) uses ICMP for
traceroute.

Best Regards,
News Reader

Thrill5 wrote:
> Traceroute doesn't use ICMP, it sends udp packets on port 16667 (usually),
> increasing the TTL by one. The router that gets the packet with a TTL of 1
> will reply with an ICMP TTL exceeded message.

 
 
Barry Margolin
 
      03-29-2008
In article <cI_Gj.45330$(E-Mail Removed)>,
News Reader <(E-Mail Removed)> wrote:

> Beg to differ.
>
> It's system dependent.
>
> I just performed a traceroute from a Windows XP host through my IPSec+
> GRE VPN, and captured it with Wireshark to confirm my beliefs.
>
> A Windows XP (and probably other Windows platforms) uses ICMP for
> traceroute.


He said he wants to "allow my routers to traceroute/ping to hosts". He
didn't say anything about allowing Windows to TRACERT. So Windows's
behavior is not relevant, only Cisco's.



--
Barry Margolin, http://www.velocityreviews.com/forums/(E-Mail Removed)
Arlington, MA
*** PLEASE don't copy me on replies, I'll read them in the group ***
 
 
News Reader
 
      03-29-2008
Yes, you are right.

However, he did also say "and reply to traceroutes sourced outside the
network", which could be from Windows clients.

I addressed one of the two scenarios, as did other responders. ;>)

Next time I'll read his post more thoroughly.

Best Regards,
News Reader


Barry Margolin wrote:
> In article <cI_Gj.45330$(E-Mail Removed)>,
> News Reader <(E-Mail Removed)> wrote:
>
>> Beg to differ.
>>
>> It's system dependent.
>>
>> I just performed a traceroute from a Windows XP host through my IPSec+
>> GRE VPN, and captured it with Wireshark to confirm my beliefs.
>>
>> A Windows XP (and probably other Windows platforms) uses ICMP for
>> traceroute.

>
> He said he wants to "allow my routers to traceroute/ping to hosts". He
> didn't say anything about allowing Windows to TRACERT. So Windows's
> behavior is not relevant, only Cisco's.

 
 
News Reader
 
      03-29-2008
Phil Begriffenfeldt wrote:
> I'd like to block traffic to my routers from outside my network; but
> still to allow my routers to traceroute/ping to hosts outside my


To address the ICMP requirements for the return path of a traceroute or
ping, see my other response.

> network; and reply to traceroutes sourced outside the network.


If the traceroute is inbound from a Windows host, ICMP echo requests
will be used to carry out the traceroute. See my other response.

If the traceroute is from another Cisco device, UDP will be used to
carry out the traceroute (as indicated by another post responder).

When I captured a Cisco traceroute, I noticed that the initial UDP
source and destination port numbers were random, and that they were
incremented with each and every packet sent.

Accommodating inbound traceroute from an external Cisco device appears
to require very permissive ACLs.

>
> Is there a way to force ICMP replies to come from a particular IP
> address? For example, something like "ip icmp source-interface
> loopback2", where the ICMP messages generated by my routers would come
> from a source IP that I can specify? That would help to hide interface
> IPs from casual miscreants.


Don't know of a means to deviate from the default behavior.

>
> Alternatively, I could try to block all packets entering my network with
> destination IPs of my internal links. But that would block replies from
> simple outbound pings and traceroutes from router CLI sessions. If


Include layer 4 matching criteria in the ACEs (Access Control Entries)
of your ACLs.

> there were a way to bind locally-sourced ping and traceroute to a
> particular source IP on each router, then that would also be helpful.


The extended mode of both ping and traceroute permits you to define the
source IP address.

>
> Perhaps blocking at the network edge is not productive, and I should be
> using Control Plane Policing for this? Router platform is mix of VXR
> and 3BXL.



--
Best Regards,
News Reader
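As an added illustration of what the thread converges on (the inbound ACL with per-type ICMP matching from News Reader's first reply, and the layer 4 criteria and extended ping/traceroute source address from the last reply), here is an example IOS configuration written for this page; it is not configuration posted by any of the participants. The addresses are placeholders: 192.0.2.0/24 stands for the router's link subnets, 192.0.2.1 for Loopback2, 198.51.100.0/24 for the internal network, 203.0.113.10 for an external target, and GigabitEthernet0/0 for the WAN interface; the one-line "source" keyword on ping and traceroute is assumed to be present on the IOS release in use (older releases reach the same setting through the interactive extended-command prompt).

```cisco
! Stable address the router will use as the source of its own probes
interface Loopback2
 ip address 192.0.2.1 255.255.255.255
!
ip access-list extended WAN-IN
 remark -- replies to pings the router sent from Loopback2
 permit icmp any host 192.0.2.1 echo-reply
 remark -- replies to traceroutes the router sent from Loopback2:
 remark -- intermediate hops answer time-exceeded, the target answers port-unreachable
 permit icmp any host 192.0.2.1 time-exceeded
 permit icmp any host 192.0.2.1 unreachable
 remark -- path-MTU and header-error signalling must still reach the router
 permit icmp any host 192.0.2.1 packet-too-big
 permit icmp any host 192.0.2.1 parameter-problem
 remark -- nothing else may target the router's own link or loopback addresses;
 remark -- echo-request to them is dropped, so the interface IPs stay quiet
 deny   ip any 192.0.2.0 0.0.0.255 log
 remark -- transit traffic for the internal network is matched by later ACEs
 permit ip any 198.51.100.0 0.0.0.255
!
interface GigabitEthernet0/0
 description WAN uplink
 ip access-group WAN-IN in
!
! From the CLI, source probes from the loopback so the replies match the ACEs above
! Router# ping 203.0.113.10 source Loopback2
! Router# traceroute 203.0.113.10 source Loopback2
```

A traceroute that enters from outside and is aimed at an internal host (UDP from a Cisco device, ICMP echo from Windows) is matched by the final permit, not by the ICMP ACEs, and the time-exceeded messages the router generates for it leave outbound untouched by WAN-IN. The "log" keyword on the deny makes probing of the link addresses visible in syslog, which is the detection half of the question the thread raises.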
 