Thanks Piotr! That finally made me understand the difference between the two flavours of traceroute.
Br Jimmy

2010/6/11 Piotr Kaluzny <[email protected]>

> ICMP TTL Exceeded message is used in all versions of traceroute - this is
> to discover all the routers in the transit path. For Windows-based
> traceroute you have to account for ICMP Echo Reply messages - this is the
> response to the ICMP Echos sent.
>
> For Unix traceroute, UDP probes are sent, as I mentioned before. This means
> that if the port is closed, an ICMP Port Unreachable message will be sent back
> to the source of the probe (UDP is connectionless). In this particular task,
> all ICMP Unreachable messages (Type 3) were allowed in, because on the ASA
> there is no way to specify individual messages (Codes) for this Type (you
> can do it on routers, though).
>
> Short recap on this:
> Windows traceroute - account for ICMP TTL Exceeded + ICMP Echo Replies
> Unix traceroute - account for ICMP TTL Exceeded + ICMP Port Unreachable
>
> In this particular example you don't have to bother about opening holes
> for UDP probes (33434-33464), because this is allowed by default as the
> traffic is coming from a higher to a lower interface security level.
>
> Regards,
> Piotr
>
> On Fri, Jun 11, 2010 at 10:48 AM, Jimmy Larsson <[email protected]> wrote:
>
>> That's exactly my point. So why does DSG open for ICMP traffic, not UDP?
>>
>> /Jimmy
>>
>> 2010/6/11 Piotr Kaluzny <[email protected]>
>>
>>> Unix-based traceroute sends UDP probes (Port Unreachable is expected to
>>> be received from the end device), whereas Windows-based sends ICMP Echo
>>> Requests (expects Echo Replies from the end device).
>>>
>>> Regards,
>>> Piotr K
>>>
>>> On Fri, Jun 11, 2010 at 10:08 AM, Jimmy Larsson <[email protected]> wrote:
>>>
>>>> But then, what's the difference between unix and windows traceroute
>>>> according to port/protocol usage?
>>>>
>>>> http://en.wikipedia.org/wiki/Traceroute
>>>> http://www.topbits.com/how-unix-and-windows-traceroutes-differ.html
>>>>
>>>> Br
>>>> Jimmy
>>>>
>>>> 2010/6/11 Piotr Kaluzny <[email protected]>
>>>>
>>>>> Jimmy,
>>>>>
>>>>> ICMP_OBJ group covers Unix traceroute. It uses ICMP Type 3 Code 3 (Port
>>>>> Unreachable) and ICMP Type 11 Code 0 (Time Exceeded; TTL exceeded in
>>>>> transit).
>>>>>
>>>>> Cheers,
>>>>> Piotr K
>>>>>
>>>>> On Fri, Jun 11, 2010 at 8:36 AM, Jimmy Larsson <[email protected]> wrote:
>>>>>
>>>>>> Hi!
>>>>>>
>>>>>> In Lab 18 task 1.6 we should allow unix-style traceroute through the ASA.
>>>>>> DSG opens ICMP traffic, but as far as I know unix-style traceroute uses
>>>>>> UDP ports. What am I missing here?
>>>>>>
>>>>>> Br Jimmy
>>>>>>
>>>>>> --
>>>>>> -------
>>>>>> Jimmy Larsson
>>>>>> Ryavagen 173
>>>>>> s-26030 Vallakra
>>>>>> Sweden
>>>>>> http://blogg.kvistofta.nu
>>>>>> -------
>>>>>
>>>>> --
>>>>> Piotr Kaluzny
>>>>> CCIE #25665 (Security), CCSP, CCNP
>>>>> Sr. Support Engineer - IPexpert, Inc.
>>>>> URL: http://www.IPexpert.com
>>>>
>>>
>>
>

--
-------
Jimmy Larsson
Ryavagen 173
s-26030 Vallakra
Sweden
http://blogg.kvistofta.nu
-------
_______________________________________________ For more information regarding industry leading CCIE Lab training, please visit www.ipexpert.com
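As an added example (not code from the thread, its participants, or IPexpert), the script below builds the replies each traceroute flavour provokes and parses them the way a prober or a stateful firewall would: the IPv4 header, then the ICMP header, then, for TTL Exceeded and Port Unreachable, the quoted copy of the offending datagram that tells you whether the probe was a UDP datagram to 33434-33464 (Unix-style) or an ICMP Echo Request (Windows-style). It goes slightly beyond the thread by handling both flavours in one classifier. All addresses, ports and the sample capture are constructed here, not taken from the lab; the UDP port range is the one quoted in the thread.

```python
"""Classify traceroute replies by parsing IPv4 + ICMP. Added example; the sample
capture below is constructed in-code (RFC 5737 documentation addresses), not real."""
import socket
import struct

IPPROTO_ICMP, IPPROTO_UDP = 1, 17
ICMP_ECHO_REPLY, ICMP_ECHO_REQUEST = 0, 8
ICMP_DEST_UNREACH, CODE_PORT_UNREACH = 3, 3
ICMP_TIME_EXCEEDED = 11
UNIX_PROBE_PORTS = range(33434, 33465)  # default UDP probe range (33434-33464)


def checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum used by both IPv4 and ICMP headers."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_ipv4(src, dst, proto, payload, ttl=64):
    """Minimal 20-byte IPv4 header (no options) followed by payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234, 0,
                      ttl, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:] + payload


def build_udp(sport, dport, payload=b""):
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload


def build_icmp(type_, code, rest=0, payload=b""):
    hdr = struct.pack("!BBHI", type_, code, 0, rest) + payload
    return hdr[:2] + struct.pack("!H", checksum(hdr)) + hdr[4:]


def icmp_error(src, dst, type_, code, offending):
    """ICMP error: quotes the offending IP header plus the first 8 bytes of its payload."""
    return build_ipv4(src, dst, IPPROTO_ICMP, build_icmp(type_, code, 0, offending[:28]))


def parse_ipv4(pkt):
    ver_ihl, _, total_len, _, _, ttl, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20:
        raise ValueError("not an IPv4 packet")
    return {"src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst),
            "proto": proto, "ttl": ttl, "payload": pkt[ihl:total_len]}


def classify_reply(pkt):
    """Label a reply echo-reply / ttl-exceeded / port-unreachable and the traceroute
    flavour (unix = UDP probes, windows = ICMP Echo probes) that caused it."""
    ip = parse_ipv4(pkt)
    result = {"from": ip["src"], "kind": "other", "flavor": "unknown"}
    if ip["proto"] != IPPROTO_ICMP:
        return result
    icmp = ip["payload"]
    result.update(type=icmp[0], code=icmp[1])
    if icmp[0] == ICMP_ECHO_REPLY:  # only the end host answers an Echo probe this way
        result.update(kind="echo-reply", flavor="windows", final_hop=True)
        return result
    if icmp[0] not in (ICMP_TIME_EXCEEDED, ICMP_DEST_UNREACH):
        return result
    # The quoted original datagram is how the prober (and a firewall inspecting
    # ICMP errors) matches the error back to the probe that triggered it.
    inner = parse_ipv4(icmp[8:])
    probe = {"dst": inner["dst"], "proto": inner["proto"]}
    if inner["proto"] == IPPROTO_UDP:
        probe["sport"], probe["dport"] = struct.unpack("!HH", inner["payload"][:4])
        result["flavor"] = "unix" if probe["dport"] in UNIX_PROBE_PORTS else "unknown"
    elif inner["proto"] == IPPROTO_ICMP and inner["payload"][0] == ICMP_ECHO_REQUEST:
        result["flavor"] = "windows"
    result["probe"] = probe
    if icmp[0] == ICMP_TIME_EXCEEDED and icmp[1] == 0:
        result.update(kind="ttl-exceeded", final_hop=False)    # a transit router spoke
    elif icmp[0] == ICMP_DEST_UNREACH and icmp[1] == CODE_PORT_UNREACH:
        result.update(kind="port-unreachable", final_hop=True)  # the end host, UDP flavour
    return result


def summarize(packets):
    """Flavours seen in a capture and the ICMP (type, code) pairs that had to be let back in."""
    flavors, needed = set(), set()
    for r in map(classify_reply, packets):
        if r["kind"] != "other":
            flavors.add(r["flavor"])
            needed.add((r["type"], r["code"]))
    return {"flavors": flavors, "icmp_needed": sorted(needed)}


# Constructed sample capture: replies heading back to the probing host PROBER.
PROBER, TARGET, HOP1 = "10.1.1.10", "192.0.2.50", "198.51.100.1"
unix_probe = build_ipv4(PROBER, TARGET, IPPROTO_UDP, build_udp(40000, 33434, b"\x00" * 32), ttl=1)
unix_last = build_ipv4(PROBER, TARGET, IPPROTO_UDP, build_udp(40000, 33437, b"\x00" * 32), ttl=4)
win_probe = build_ipv4(PROBER, TARGET, IPPROTO_ICMP, build_icmp(ICMP_ECHO_REQUEST, 0, 0x10001, b"abcd"), ttl=1)
SAMPLE_CAPTURE = [
    icmp_error(HOP1, PROBER, ICMP_TIME_EXCEEDED, 0, unix_probe),
    icmp_error(TARGET, PROBER, ICMP_DEST_UNREACH, CODE_PORT_UNREACH, unix_last),
    icmp_error(HOP1, PROBER, ICMP_TIME_EXCEEDED, 0, win_probe),
    build_ipv4(TARGET, PROBER, IPPROTO_ICMP, build_icmp(ICMP_ECHO_REPLY, 0, 0x10001, b"abcd")),
]

if __name__ == "__main__":
    for p in SAMPLE_CAPTURE:
        print(classify_reply(p))
    print(summarize(SAMPLE_CAPTURE))
```

Running it on the constructed capture yields the recap from the thread: the Unix-style run needs Type 11/Code 0 and Type 3/Code 3 back in, the Windows-style run needs Type 11/Code 0 and Type 0. The quoted inner header is also why a firewall that inspects ICMP errors (the ASA's `inspect icmp error` does this) can tie a Port Unreachable to the outbound UDP probe instead of needing a blanket Type 3 permit; whether your platform lets you filter on the code as well as the type is a separate question from whether the return traffic is identifiable.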
