set srcIP for ICMP replies, or for locally sourced connections?

Discussion in 'Cisco' started by Phil Begriffenfeldt, Mar 27, 2008.

  1. I'd like to block traffic to my routers from outside my network; but
    still to allow my routers to traceroute/ping to hosts outside my
    network; and reply to traceroutes sourced outside the network.

    Is there a way to force ICMP replies to come from a particular IP
    address? For example, something like "ip icmp source-interface
    loopback2", where the ICMP messages generated by my routers would come
    from a source IP that I can specify? That would help to hide interface
    IPs from casual miscreants.

    Alternatively, I could try to block all packets entering my network with
    destination IPs of my internal links. But that would block replies from
    simple outbound pings and traceroutes from router CLI sessions. If
    there were a way to bind locally-sourced ping and traceroute to a
    particular source IP on each router, then that would also be helpful.

    Perhaps blocking at the network edge is not productive, and I should be
    using Control Plane Policing for this? Router platform is mix of VXR
    and 3BXL.
     
    Phil Begriffenfeldt, Mar 27, 2008
    #1

  2. News Reader (Guest)

    Attach an ACL to the WAN interface (direction "in") that specifies to
    which IP addresses (interfaces) you will permit ICMP.

    The direction is specified by the keyword "in", in the following example:

    ip access-group <acl-name> in

    For security reasons, you should actually specify the "types" of ICMP
    you wish to permit (e.g.: echo-reply, time-exceeded, unreachable,
    administratively-prohibited, packet-too-big, source-quench,
    parameter-problem). Some types of ICMP should definitely be denied.

    Other info of interest:

    Extended ping (via the CLI) permits you to specify the source IP address
    that will be used in the outbound ping, which then becomes the
    destination IP address in the reply packet.

    "Inspection" applied on a LAN interface will open temporary dynamic
    holes in the return path ACLs to accommodate replies to pings sent from
    internal hosts.


    Best Regards,
    News Reader


    Phil Begriffenfeldt wrote:
    > I'd like to block traffic to my routers from outside my network; but
    > still to allow my routers to traceroute/ping to hosts outside my
    > network; and reply to traceroutes sourced outside the network.
    >
    > Is there a way to force ICMP replies to come from a particular IP
    > address? For example, something like "ip icmp source-interface
    > loopback2", where the ICMP messages generated by my routers would come
    > from a source IP that I can specify? That would help to hide interface
    > IPs from casual miscreants.
    >
    > Alternatively, I could try to block all packets entering my network with
    > destination IPs of my internal links. But that would block replies from
    > simple outbound pings and traceroutes from router CLI sessions. If
    > there were a way to bind locally-sourced ping and traceroute to a
    > particular source IP on each router, then that would also be helpful.
    >
    > Perhaps blocking at the network edge is not productive, and I should be
    > using Control Plane Policing for this? Router platform is mix of VXR
    > and 3BXL.
     
    News Reader, Mar 27, 2008
    #2

  3. Thrill5 (Guest)

    Traceroute doesn't use ICMP, it sends udp packets on port 16667 (usually),
    increasing the TTL by one. The router that gets the packet with a TTL of 1
    will reply with an ICMP TTL exceeded message.


    "News Reader" <> wrote in message
    news:tlRGj.45284$...
    > Attach an ACL to the WAN interface (direction "in") that specifies to
    > which IP addresses (interfaces) you will permit ICMP.
    >
    > The direction is specified by the keyword "in", in the following example:
    >
    > ip access-group <acl-name> in
    >
    > For security reasons, you should actually specify the "types" of ICMP you
    > wish to permit (e.g.: echo-reply, time-exceeded, unreachable,
    > administratively-prohibited, packet-too-big, source-quench,
    > parameter-problem). Some types of ICMP should definitely be denied.
    >
    > Other info of interest:
    >
    > Extended ping (via the CLI) permits you to specify the source IP address
    > that will be used in the outbound ping, which then becomes the destination
    > IP address in the reply packet.
    >
    > "Inspection" applied on a LAN interface will open temporary dynamic holes
    > in the return path ACLs to accommodate replies to pings sent from internal
    > hosts.
    >
    >
    > Best Regards,
    > News Reader
    >
    >
    > Phil Begriffenfeldt wrote:
    >> I'd like to block traffic to my routers from outside my network; but
    >> still to allow my routers to traceroute/ping to hosts outside my network;
    >> and reply to traceroutes sourced outside the network.
    >>
    >> Is there a way to force ICMP replies to come from a particular IP
    >> address? For example, something like "ip icmp source-interface
    >> loopback2", where the ICMP messages generated by my routers would come
    >> from a source IP that I can specify? That would help to hide interface
    >> IPs from casual miscreants.
    >>
    >> Alternatively, I could try to block all packets entering my network with
    >> destination IPs of my internal links. But that would block replies from
    >> simple outbound pings and traceroutes from router CLI sessions. If there
    >> were a way to bind locally-sourced ping and traceroute to a particular
    >> source IP on each router, then that would also be helpful.
    >>
    >> Perhaps blocking at the network edge is not productive, and I should be
    >> using Control Plane Policing for this? Router platform is mix of VXR and
    >> 3BXL.
     
    Thrill5, Mar 28, 2008
    #3
  4. News Reader (Guest)

    Beg to differ.

    It's system dependent.

    I just performed a traceroute from a Windows XP host through my IPSec+
    GRE VPN, and captured it with Wireshark to confirm my beliefs.

    Windows XP (and probably other Windows platforms) uses ICMP for
    traceroute.

    Best Regards,
    News Reader

    Thrill5 wrote:
    > Traceroute doesn't use ICMP, it sends udp packets on port 16667 (usually),
    > increasing the TTL by one. The router that gets the packet with a TTL of 1
    > will reply with an ICMP TTL exceeded message.
    >
    >
    > "News Reader" <> wrote in message
    > news:tlRGj.45284$...
    >> Attach an ACL to the WAN interface (direction "in") that specifies to
    >> which IP addresses (interfaces) you will permit ICMP.
    >>
    >> The direction is specified by the keyword "in", in the following example:
    >>
    >> ip access-group <acl-name> in
    >>
    >> For security reasons, you should actually specify the "types" of ICMP you
    >> wish to permit (e.g.: echo-reply, time-exceeded, unreachable,
    >> administratively-prohibited, packet-too-big, source-quench,
    >> parameter-problem). Some types of ICMP should definitely be denied.
    >>
    >> Other info of interest:
    >>
    >> Extended ping (via the CLI) permits you to specify the source IP address
    >> that will be used in the outbound ping, which then becomes the destination
    >> IP address in the reply packet.
    >>
    >> "Inspection" applied on a LAN interface will open temporary dynamic holes
    >> in the return path ACLs to accommodate replies to pings sent from internal
    >> hosts.
    >>
    >>
    >> Best Regards,
    >> News Reader
    >>
    >>
    >> Phil Begriffenfeldt wrote:
    >>> I'd like to block traffic to my routers from outside my network; but
    >>> still to allow my routers to traceroute/ping to hosts outside my network;
    >>> and reply to traceroutes sourced outside the network.
    >>>
    >>> Is there a way to force ICMP replies to come from a particular IP
    >>> address? For example, something like "ip icmp source-interface
    >>> loopback2", where the ICMP messages generated by my routers would come
    >>> from a source IP that I can specify? That would help to hide interface
    >>> IPs from casual miscreants.
    >>>
    >>> Alternatively, I could try to block all packets entering my network with
    >>> destination IPs of my internal links. But that would block replies from
    >>> simple outbound pings and traceroutes from router CLI sessions. If there
    >>> were a way to bind locally-sourced ping and traceroute to a particular
    >>> source IP on each router, then that would also be helpful.
    >>>
    >>> Perhaps blocking at the network edge is not productive, and I should be
    >>> using Control Plane Policing for this? Router platform is mix of VXR and
    >>> 3BXL.

    >
    >
     
    News Reader, Mar 28, 2008
    #4
  5. Barry Margolin

    In article <cI_Gj.45330$>,
    News Reader <> wrote:

    > Beg to differ.
    >
    > It's system dependent.
    >
    > I just performed a traceroute from a Windows XP host through my IPSec+
    > GRE VPN, and captured it with Wireshark to confirm my beliefs.
    >
    > A Windows XP (and probably other Windows platforms) uses ICMP for
    > traceroute.


    He said he wants to "allow my routers to traceroute/ping to hosts". He
    didn't say anything about allowing Windows to TRACERT. So Windows's
    behavior is not relevant, only Cisco's.

    >
    > Best Regards,
    > News Reader
    >
    > Thrill5 wrote:
    > > Traceroute doesn't use ICMP, it sends udp packets on port 16667 (usually),
    > > increasing the TTL by one. The router that gets the packet with a TTL of 1
    > > will reply with an ICMP TTL exceeded message.
    > >
    > >
    > > "News Reader" <> wrote in message
    > > news:tlRGj.45284$...
    > >> Attach an ACL to the WAN interface (direction "in") that specifies to
    > >> which IP addresses (interfaces) you will permit ICMP.
    > >>
    > >> The direction is specified by the keyword "in", in the following example:
    > >>
    > >> ip access-group <acl-name> in
    > >>
    > >> For security reasons, you should actually specify the "types" of ICMP you
    > >> wish to permit (e.g.: echo-reply, time-exceeded, unreachable,
    > >> administratively-prohibited, packet-too-big, source-quench,
    > >> parameter-problem). Some types of ICMP should definitely be denied.
    > >>
    > >> Other info of interest:
    > >>
    > >> Extended ping (via the CLI) permits you to specify the source IP address
    > >> that will be used in the outbound ping, which then becomes the destination
    > >> IP address in the reply packet.
    > >>
    > >> "Inspection" applied on a LAN interface will open temporary dynamic holes
    > >> in the return path ACLs to accommodate replies to pings sent from internal
    > >> hosts.
    > >>
    > >>
    > >> Best Regards,
    > >> News Reader
    > >>
    > >>
    > >> Phil Begriffenfeldt wrote:
    > >>> I'd like to block traffic to my routers from outside my network; but
    > >>> still to allow my routers to traceroute/ping to hosts outside my network;
    > >>> and reply to traceroutes sourced outside the network.
    > >>>
    > >>> Is there a way to force ICMP replies to come from a particular IP
    > >>> address? For example, something like "ip icmp source-interface
    > >>> loopback2", where the ICMP messages generated by my routers would come
    > >>> from a source IP that I can specify? That would help to hide interface
    > >>> IPs from casual miscreants.
    > >>>
    > >>> Alternatively, I could try to block all packets entering my network with
    > >>> destination IPs of my internal links. But that would block replies from
    > >>> simple outbound pings and traceroutes from router CLI sessions. If there
    > >>> were a way to bind locally-sourced ping and traceroute to a particular
    > >>> source IP on each router, then that would also be helpful.
    > >>>
    > >>> Perhaps blocking at the network edge is not productive, and I should be
    > >>> using Control Plane Policing for this? Router platform is mix of VXR and
    > >>> 3BXL.

    > >
    > >


    --
    Barry Margolin,
    Arlington, MA
    *** PLEASE don't copy me on replies, I'll read them in the group ***
     
    Barry Margolin, Mar 29, 2008
    #5
  6. News Reader (Guest)

    Yes, you are right.

    However, he did also say "and reply to traceroutes sourced outside the
    network", which could be from Windows clients.

    I addressed one of the two scenarios, as did other responders. ;>)

    Next time I'll read his post more thoroughly.

    Best Regards,
    News Reader


    Barry Margolin wrote:
    > In article <cI_Gj.45330$>,
    > News Reader <> wrote:
    >
    >> Beg to differ.
    >>
    >> It's system dependent.
    >>
    >> I just performed a traceroute from a Windows XP host through my IPSec+
    >> GRE VPN, and captured it with Wireshark to confirm my beliefs.
    >>
    >> A Windows XP (and probably other Windows platforms) uses ICMP for
    >> traceroute.

    >
    > He said he wants to "allow my routers to traceroute/ping to hosts". He
    > didn't say anything about allowing Windows to TRACERT. So Windows's
    > behavior is not relevant, only Cisco's.
    >
    >> Best Regards,
    >> News Reader
    >>
    >> Thrill5 wrote:
    >>> Traceroute doesn't use ICMP, it sends udp packets on port 16667 (usually),
    >>> increasing the TTL by one. The router that gets the packet with a TTL of 1
    >>> will reply with an ICMP TTL exceeded message.
    >>>
    >>>
    >>> "News Reader" <> wrote in message
    >>> news:tlRGj.45284$...
    >>>> Attach an ACL to the WAN interface (direction "in") that specifies to
    >>>> which IP addresses (interfaces) you will permit ICMP.
    >>>>
    >>>> The direction is specified by the keyword "in", in the following example:
    >>>>
    >>>> ip access-group <acl-name> in
    >>>>
    >>>> For security reasons, you should actually specify the "types" of ICMP you
    >>>> wish to permit (e.g.: echo-reply, time-exceeded, unreachable,
    >>>> administratively-prohibited, packet-too-big, source-quench,
    >>>> parameter-problem). Some types of ICMP should definitely be denied.
    >>>>
    >>>> Other info of interest:
    >>>>
    >>>> Extended ping (via the CLI) permits you to specify the source IP address
    >>>> that will be used in the outbound ping, which then becomes the destination
    >>>> IP address in the reply packet.
    >>>>
    >>>> "Inspection" applied on a LAN interface will open temporary dynamic holes
    >>>> in the return path ACLs to accommodate replies to pings sent from internal
    >>>> hosts.
    >>>>
    >>>>
    >>>> Best Regards,
    >>>> News Reader
    >>>>
    >>>>
    >>>> Phil Begriffenfeldt wrote:
    >>>>> I'd like to block traffic to my routers from outside my network; but
    >>>>> still to allow my routers to traceroute/ping to hosts outside my network;
    >>>>> and reply to traceroutes sourced outside the network.
    >>>>>
    >>>>> Is there a way to force ICMP replies to come from a particular IP
    >>>>> address? For example, something like "ip icmp source-interface
    >>>>> loopback2", where the ICMP messages generated by my routers would come
    >>>>> from a source IP that I can specify? That would help to hide interface
    >>>>> IPs from casual miscreants.
    >>>>>
    >>>>> Alternatively, I could try to block all packets entering my network with
    >>>>> destination IPs of my internal links. But that would block replies from
    >>>>> simple outbound pings and traceroutes from router CLI sessions. If there
    >>>>> were a way to bind locally-sourced ping and traceroute to a particular
    >>>>> source IP on each router, then that would also be helpful.
    >>>>>
    >>>>> Perhaps blocking at the network edge is not productive, and I should be
    >>>>> using Control Plane Policing for this? Router platform is mix of VXR and
    >>>>> 3BXL.
    >>>

    >
     
    News Reader, Mar 29, 2008
    #6
  7. News Reader (Guest)

    Phil Begriffenfeldt wrote:
    > I'd like to block traffic to my routers from outside my network; but
    > still to allow my routers to traceroute/ping to hosts outside my


    To address the ICMP requirements for the return path of a traceroute or
    ping, see my other response.

    > network; and reply to traceroutes sourced outside the network.


    If the traceroute is inbound from a Windows host, ICMP echo requests
    will be used to carry out the traceroute. See my other response.

    If the traceroute is from another Cisco device, UDP will be used to
    carry out the traceroute (as indicated by another post responder).

    When I captured a Cisco traceroute, I noticed that the initial UDP
    source and destination port numbers were random, and that they were
    incremented with each and every packet sent.

    Accommodating inbound traceroute from an external Cisco device appears
    to require very permissive ACLs.

    >
    > Is there a way to force ICMP replies to come from a particular IP
    > address? For example, something like "ip icmp source-interface
    > loopback2", where the ICMP messages generated by my routers would come
    > from a source IP that I can specify? That would help to hide interface
    > IPs from casual miscreants.


    Don't know of a means to deviate from the default behavior.

    >
    > Alternatively, I could try to block all packets entering my network with
    > destination IPs of my internal links. But that would block replies from
    > simple outbound pings and traceroutes from router CLI sessions. If


    Include layer 4 matching criteria in the ACEs (Access Control Entries)
    of your ACLs.

    > there were a way to bind locally-sourced ping and traceroute to a
    > particular source IP on each router, then that would also be helpful.


    The extended mode of both ping and traceroute permits you to define the
    source IP address.

    >
    > Perhaps blocking at the network edge is not productive, and I should be
    > using Control Plane Policing for this? Router platform is mix of VXR
    > and 3BXL.



    --
    Best Regards,
    News Reader
     
    News Reader, Mar 29, 2008
    #7
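An added example, not posted by anyone in this thread and not Cisco code: a small Python model of the two pieces of advice above, the WAN-inbound ACL that permits only named ICMP types (post #2) and sourcing CLI ping/traceroute from a loopback so that only replies to that one address need to be admitted (post #7). It also simulates the two traceroute styles discussed (UDP probes with incrementing TTL, and Windows-style ICMP echo probes) to show which ICMP messages come back and which inbound probes the ACL has to let through. The addresses (198.51.100.0/24 as the edge router's network, 198.51.100.254 as its loopback, the external hops and the target), the ACE text and the probe ports are all constructed for this example, and the ACE parser covers only the subset of the IOS extended-ACL grammar used here. It models ACL evaluation only, not the exact order in which IOS processes an input ACL against a TTL-expired packet.

```python
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network

# Assumed topology (constructed): our edge router owns 198.51.100.0/24 and
# sources CLI ping/traceroute from its loopback.  PATH lists the external
# hops a probe crosses; the last entry is the target host.
OUR_WAN = "198.51.100.1"
OUR_LOOPBACK = "198.51.100.254"
PATH = ["203.0.113.1", "203.0.113.2", "192.0.2.10"]


@dataclass(frozen=True)
class Packet:
    proto: str           # "icmp" or "udp"
    src: str
    dst: str
    icmp_type: str = ""  # IOS keyword: echo, echo-reply, time-exceeded, port-unreachable, ...
    dport: int = 0       # UDP destination port


@dataclass(frozen=True)
class Ace:
    action: str          # "permit" or "deny"
    proto: str           # "ip", "icmp" or "udp"
    src: IPv4Network
    dst: IPv4Network
    qualifier: tuple     # ("echo-reply",), ("gt", "33433") or ()


def _parse_addr(tokens):
    """Consume one IOS address spec: any | host A.B.C.D | A.B.C.D WILDCARD."""
    if tokens[0] == "any":
        return ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ip_network(tokens[1] + "/32"), tokens[2:]
    # ipaddress accepts an IOS wildcard (host) mask in place of a prefix length
    return ip_network(f"{tokens[0]}/{tokens[1]}", strict=False), tokens[2:]


def parse_ace(line):
    """Parse a subset of the IOS extended-ACL grammar into an Ace."""
    t = line.split()
    src, rest = _parse_addr(t[2:])
    dst, rest = _parse_addr(rest)
    return Ace(t[0], t[1], src, dst, tuple(rest))


def ace_matches(ace, pkt):
    if ace.proto not in ("ip", pkt.proto):
        return False
    if ip_address(pkt.src) not in ace.src or ip_address(pkt.dst) not in ace.dst:
        return False
    if not ace.qualifier:
        return True
    if ace.proto == "icmp":                  # ICMP type keyword, as advised in post #2
        return ace.qualifier[0] == pkt.icmp_type
    if ace.proto == "udp":                   # destination-port operator
        op, n = ace.qualifier[0], int(ace.qualifier[1])
        return {"eq": pkt.dport == n, "gt": pkt.dport > n, "lt": pkt.dport < n}[op]
    return False


def acl_permits(acl, pkt):
    """First matching ACE wins; no match is the implicit deny."""
    for ace in acl:
        if ace_matches(ace, pkt):
            return ace.action == "permit"
    return False


# Constructed "ip access-group ... in" ACL for the WAN interface: replies are
# admitted only when addressed to the loopback, so interface addresses stay
# unreachable from outside; echo is allowed in so external traceroutes get answered.
WAN_IN_ACL = [parse_ace(l) for l in """
permit icmp any host 198.51.100.254 echo-reply
permit icmp any host 198.51.100.254 time-exceeded
permit icmp any host 198.51.100.254 port-unreachable
permit icmp any host 198.51.100.254 packet-too-big
permit icmp any 198.51.100.0 0.0.0.255 echo
deny icmp any any
permit udp any 198.51.100.0 0.0.0.255 gt 33433
""".splitlines() if l.strip()]


def traceroute_replies(src, probe_proto, hops):
    """Packets that come back to `src`, one probe per TTL.  Intermediate hops
    answer a TTL-1 probe with time-exceeded whatever the probe type; the target
    answers a UDP probe with port-unreachable and an ICMP echo with echo-reply."""
    out = []
    for ttl, hop in enumerate(hops, start=1):
        if ttl < len(hops):
            out.append(Packet("icmp", hop, src, icmp_type="time-exceeded"))
        elif probe_proto == "udp":
            out.append(Packet("icmp", hop, src, icmp_type="port-unreachable"))
        else:
            out.append(Packet("icmp", hop, src, icmp_type="echo-reply"))
    return out


def outbound_return_path(source_ip, probe_proto):
    """(hop, icmp type, admitted?) for each reply to a CLI traceroute sourced from source_ip."""
    return [(p.src, p.icmp_type, acl_permits(WAN_IN_ACL, p))
            for p in traceroute_replies(source_ip, probe_proto, PATH)]


def inbound_probe_permitted(probe):
    """Does an externally sourced traceroute probe get through the WAN ACL?"""
    return acl_permits(WAN_IN_ACL, probe)


if __name__ == "__main__":
    print("sourced from loopback:", outbound_return_path(OUR_LOOPBACK, "udp"))
    print("sourced from WAN IP:  ", outbound_return_path(OUR_WAN, "udp"))
    print("Windows tracert probe:", inbound_probe_permitted(Packet("icmp", "192.0.2.10", OUR_WAN, icmp_type="echo")))
    print("UDP probe, port 1025: ", inbound_probe_permitted(Packet("udp", "192.0.2.10", OUR_WAN, dport=1025)))
```

Run as a script, it shows the point of the two replies: a traceroute sourced from the loopback gets all three of its replies back through the ACL, the same traceroute sourced from the WAN interface address gets none, a Windows-style ICMP echo probe is admitted, and a UDP probe on a port below the permitted range is dropped, which is the "very permissive ACLs" problem post #7 raises for UDP traceroute with unpredictable ports.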