Reflexive access-lists for traceroute... Possible?
Gurus of all things Cisco...
I want to set up an ACL that denies inbound traceroute both to my router and to my internal networks. I know that on some Unix and Linux operating systems, traceroute uses UDP packets to cause routers along the path to generate ICMP messages of type Time Exceeded and Unreachable. This would tell me that I need to block UDP on port range 33400 through 34400, i.e.: access-list 100 deny udp any any range 33400 34400 log
Here's the tricky part... I want to allow traceroute to be sent FROM my internal network for various purposes. If I arbitrarily block those port ranges on an inbound ACL, won't the return reply be blocked?
This leads me to think that a reflexive ACL for traceroute is the answer, so I can permit traceroute to return ONLY if initiated from the internal network. But I can't find enough info in the RFC to determine the following:
1. Does the port number change during the session (like TFTP, i.e. application source port to destination port 69 ---> application source port to originator's source port as destination)? If this is the case, reflexive ACLs won't work and the packet will be denied.
2. OR... does a traceroute from these machines only go out as a UDP packet to generate the ICMP message and "return" as an ICMP packet? If this is true, I assume my current ACLs that permit ICMP echo replies and deny ICMP echos are insufficient and need to be modified to permit type 3 (time-exceeded) and type 11 (Unreachable). Do I also need to specifically deny type 30 (traceroute)?
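As an added example (not part of the original post), here is the IOS configuration this design ends up needing. A reflexive entry created by the outbound UDP probe only mirrors that UDP flow, while the answers come back as ICMP time-exceeded and port-unreachable, so those two ICMP types have to be permitted explicitly and inbound UDP to the probe range stays denied. The inside subnet 192.168.1.0/24, the outside interface GigabitEthernet0/0, the list names and the 30-second timeout are assumptions; the UDP range is the one from the post.

```cisco
! Global default lifetime for reflexive entries (assumed value)
ip reflexive-list timeout 30

! Outbound: internal hosts' UDP traceroute probes create a temporary
! mirror entry in TRACE-REFLECT; everything else from inside is allowed
ip access-list extended OUTBOUND
 permit udp 192.168.1.0 0.0.0.255 any range 33400 34400 reflect TRACE-REFLECT timeout 30
 permit ip 192.168.1.0 0.0.0.255 any

! Inbound: the mirrored UDP entries are evaluated first, but the real
! traceroute answers are ICMP, so permit only the two error types the
! probes elicit, then drop inbound probes aimed at us or the inside nets
ip access-list extended INBOUND
 evaluate TRACE-REFLECT
 permit icmp any 192.168.1.0 0.0.0.255 time-exceeded
 permit icmp any 192.168.1.0 0.0.0.255 port-unreachable
 permit icmp any any echo-reply
 deny   icmp any any echo log
 deny   udp  any any range 33400 34400 log
 deny   ip   any any log

! Apply on the outside-facing interface (name assumed)
interface GigabitEthernet0/0
 ip access-group OUTBOUND out
 ip access-group INBOUND in
```

Check the mirrored entries with `show ip access-lists TRACE-REFLECT` while a traceroute runs from inside; the log counters on the deny lines show inbound probes being dropped.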