Re: set srcIP for ICMP replies, or for locally sourced connections?
- From: News Reader <user@xxxxxxxxxxx>
- Date: Sat, 29 Mar 2008 19:03:29 -0400
Phil Begriffenfeldt wrote:

> I'd like to block traffic to my routers from outside my network; but still to allow my routers to traceroute/ping to hosts outside my network; and reply to traceroutes sourced outside the network.

To address the ICMP requirements for the return path of a traceroute or ping, see my other response.

If the traceroute is inbound from a Windows host, ICMP echo requests will be used to carry out the traceroute. See my other response.

If the traceroute is from another Cisco device, UDP will be used to carry out the traceroute (as indicated by another post responder).

When I captured a Cisco traceroute, I noticed that the initial UDP source and destination port numbers were random, and that they were incremented with each and every packet sent.

Accommodating inbound traceroute from an external Cisco device appears to require very permissive ACLs.

> Is there a way to force ICMP replies to come from a particular IP address? For example, something like "ip icmp source-interface loopback2", where the ICMP messages generated by my routers would come from a source IP that I can specify? That would help to hide interface IPs from casual miscreants.

Don't know of a means to deviate from the default behavior.

> Alternatively, I could try to block all packets entering my network with destination IPs of my internal links. But that would block replies from simple outbound pings and traceroutes from router CLI sessions. If there were a way to bind locally-sourced ping and traceroute to a particular source IP on each router, then that would also be helpful.

Include layer 4 matching criteria in the ACEs (Access Control Entries) of your ACLs.

The extended mode of both ping and traceroute permits you to define the source IP address.

> Perhaps blocking at the network edge is not productive, and I should be using Control Plane Policing for this? Router platform is a mix of VXR and 3BXL.
--
Best Regards,
News Reader
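An added illustration of the two points made in the reply above (layer-4 matching in the ACEs, and sourcing ping/traceroute from a chosen address); this is not part of either poster's message. The ACL name, interface names and the addresses 198.51.100.1 (Loopback2) and 192.0.2.0/24 (internal link block) are constructed.

```ios
! Added example, not from the original thread. Constructed assumptions:
!   Loopback2 198.51.100.1/32 = the address the router sources probes from
!   192.0.2.0/24              = the internal point-to-point link addresses
!   Serial0/0                 = the Internet-facing interface
!
interface Loopback2
 ip address 198.51.100.1 255.255.255.255
!
ip access-list extended FROM-INTERNET
 ! Return traffic for pings sourced from Loopback2
 permit icmp any host 198.51.100.1 echo-reply
 ! Return traffic for traceroutes sourced from Loopback2: intermediate hops
 ! answer with TTL-exceeded; the final hop answers with port-unreachable
 ! (UDP probes) or echo-reply (ICMP probes, already matched above)
 permit icmp any host 198.51.100.1 time-exceeded
 permit icmp any host 198.51.100.1 port-unreachable
 ! Everything else aimed at the link addresses or the loopback is dropped
 ! and logged, so the routers themselves are not reachable from outside
 deny   ip any 192.0.2.0 0.0.0.255 log
 deny   ip any host 198.51.100.1 log
 ! Transit traffic to hosts behind the routers is handed to the rest of
 ! the policy. Outside traceroutes toward those hosts are transit packets
 ! too, so probes that expire at this router are still answered.
 permit ip any any
!
interface Serial0/0
 ip access-group FROM-INTERNET in
!
! From the CLI, source the probes from Loopback2 so the replies match the
! permits above instead of a link address:
!   ping 203.0.113.5 source Loopback2
!   traceroute 203.0.113.5 source Loopback2
```

The logged denies double as a simple detection point: hits on the two `deny ... log` lines are packets from outside aimed directly at infrastructure addresses, which this policy says should not occur.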