Re: set srcIP for ICMP replies, or for locally sourced connections?



Traceroute doesn't use ICMP, it sends udp packets on port 16667 (usually),
increasing the TTL by one. The router that gets the packet with a TTL of 1
will reply with an ICMP TTL exceeded message.


"News Reader" <user@xxxxxxxxxxx> wrote in message
news:tlRGj.45284$612.24970@xxxxxxxxxxxxxxxxxxxxx
Attach an ACL to the WAN interface (direction "in") that specifies to
which IP addresses (interfaces) you will permit ICMP.

The direction is specified by the keyword "in", in the following example:

ip access-group <acl-name> in

For security reasons, you should actually specify the "types" of ICMP you
wish to permit (e.g.: echo-reply, time-exceeded, unreachable,
administratively-prohibited, packet-too-big, source-quench,
parameter-problem). Some types of ICMP should definitely be denied.

Other info of interest:

Extended ping (via the CLI) permits you to specify the source IP address
that will be used in the outbound ping, which then becomes the destination
IP address in the reply packet.

"Inspection" applied on a LAN interface will open temporary dynamic holes
in the return path ACLs to accommodate replies to pings sent from internal
hosts.


Best Regards,
News Reader
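As an added example (not from any of the posts above), here is what the inbound WAN ACL described in the previous reply looks like on IOS, with the permitted ICMP types spelled out and a loopback address used as the source for CLI ping/traceroute, so replies land on one address the ACL admits rather than on the link addresses. The ACL name WAN-IN, the interface names, the loopback address 192.0.2.1 and the inside prefix 10.0.0.0/24 are placeholders.

```cisco
! Added example, not from the original posts. Addresses, interface names
! and the ACL name WAN-IN are placeholders.
!
! Loopback2 is the address used as the source for CLI-originated ping and
! traceroute, so only it (not the link addresses) needs to accept replies.
interface Loopback2
 ip address 192.0.2.1 255.255.255.255
!
ip access-list extended WAN-IN
 remark -- replies to the router's own ping/traceroute: loopback only
 permit icmp any host 192.0.2.1 echo-reply
 permit icmp any host 192.0.2.1 time-exceeded
 permit icmp any host 192.0.2.1 unreachable
 remark -- ICMP the inside network needs for correct operation (PMTUD etc.)
 permit icmp any 10.0.0.0 0.0.0.255 echo-reply
 permit icmp any 10.0.0.0 0.0.0.255 time-exceeded
 permit icmp any 10.0.0.0 0.0.0.255 packet-too-big
 permit icmp any 10.0.0.0 0.0.0.255 parameter-problem
 permit icmp any 10.0.0.0 0.0.0.255 administratively-prohibited
 remark -- types that should never be accepted from the outside
 deny   icmp any any redirect
 deny   icmp any any mask-request
 deny   icmp any any timestamp-request
 remark -- no other ICMP reaches the link addresses; log the attempts
 deny   icmp any any log
 remark -- permit statements for the site's non-ICMP traffic go here
 deny   ip any any log
!
interface GigabitEthernet0/0
 description WAN
 ip access-group WAN-IN in
!
! Optional: have CBAC open temporary return holes for pings sent by LAN
! hosts instead of the static 10.0.0.0/24 permits above (the platform must
! support ICMP inspection).
ip inspect name LAN-OUT icmp
interface GigabitEthernet0/1
 description LAN
 ip inspect LAN-OUT in
```

From the CLI, `ping 198.51.100.7 source Loopback2` and `traceroute 198.51.100.7 source Loopback2` (or the Source address prompt of the extended dialog) make the replies return to 192.0.2.1, which the first three permits accept. Two caveats: the loopback address has to be routed from the outside, or the replies never arrive; and the ACL only filters what reaches the router, it does not change the source address the router picks for ICMP it generates itself.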


Phil Begriffenfeldt wrote:
I'd like to block traffic to my routers from outside my network; but
still to allow my routers to traceroute/ping to hosts outside my network;
and reply to traceroutes sourced outside the network.

Is there a way to force ICMP replies to come from a particular IP
address? For example, something like "ip icmp source-interface
loopback2", where the ICMP messages generated by my routers would come
from a source IP that I can specify? That would help to hide interface
IPs from casual miscreants.

Alternatively, I could try to block all packets entering my network with
destination IPs of my internal links. But that would block replies from
simple outbound pings and traceroutes from router CLI sessions. If there
were a way to bind locally-sourced ping and traceroute to a particular
source IP on each router, then that would also be helpful.

Perhaps blocking at the network edge is not productive, and I should be
using Control Plane Policing for this? Router platform is mix of VXR and
3BXL.

