ICMP, Traceroute and CBAC

Let's say we have a router connecting to an insecure network (the Internet 😉 ) and we would like to be able to use ICMP and Traceroute from it for troubleshooting, but we don't want to create static ACLs for that. To me it feels somewhat unsafe to permanently allow everything the router needs for Ping and Traceroute. Another option is to manually open the holes every time we need them, or even to remove the ACLs from the interface during that time, but I don't really like either of those options. Additionally we don't want the devices behind that router to be able to use Ping and Traceroute towards the Internet.
Based on those points, CBAC could be a viable solution: the router dynamically opens the required ports only when they are needed and closes them afterwards.

The sample network is simple:

[Diagram: cbac-icmp-and-traceroute1]

R1 acts as a client in our internal network and R2 is the perimeter router which filters all traffic towards the Internet, except locally generated ICMP and Traceroute packets. To keep it simple R2 will not permit anything other than Traceroute and ICMP, but it shouldn't be a problem to change the configuration to allow other applications (HTTP or other stuff). Just keep in mind that for every session the router has to allocate 600 bytes, and the more ACL entries the router has to work through, the more CPU is needed, so keep it as simple as possible 🙂

R1, R3 and R4 have a basic configuration to ensure end-to-end connectivity:

R1
interface FastEthernet0/0
 ip address 116.1.12.1 255.255.255.0
 duplex auto
 speed auto
!
ip route 0.0.0.0 0.0.0.0 116.1.12.2

R3
interface FastEthernet0/0
 ip address 116.1.23.3 255.255.255.0
 duplex auto
 speed auto
!
interface FastEthernet0/1
 ip address 116.1.34.3 255.255.255.0
 duplex auto
 speed auto
!
ip route 0.0.0.0 0.0.0.0 116.1.23.2

R4
interface FastEthernet0/0
 ip address 116.1.34.4 255.255.255.0
 duplex auto
 speed auto
!
ip route 0.0.0.0 0.0.0.0 116.1.34.3

CBAC is, as already mentioned, configured on R2:

ip inspect name INSPECT icmp router-traffic
!
interface FastEthernet0/0
 ip address 116.1.12.2 255.255.255.0
 duplex auto
 speed auto
!
interface FastEthernet0/1
 ip address 116.1.23.2 255.255.255.0
 ip access-group INBOUND in
 ip access-group OUTBOUND out
 ip inspect INSPECT out
 duplex auto
 speed auto
!
ip route 0.0.0.0 0.0.0.0 116.1.23.3
!
ip access-list extended INBOUND
 permit icmp any host 116.1.23.2 port-unreachable
 permit icmp any host 116.1.23.2 time-exceeded
 deny   ip any any log
ip access-list extended OUTBOUND
 deny   ip any any log

This configuration allows R2 to use Traceroute and Ping towards R3 and R4, but the access lists prevent every other router's ICMP or Traceroute from passing through R2. The nice part is that, even though Traceroute uses a mix of UDP and ICMP packets, we do not have to do anything about the UDP packets. Because the router generates the UDP probes locally, they never touch the outgoing ACL, and since the routers on the path to the destination (and the destination itself) only respond with ICMP messages, we do not have to open (with CBAC) any UDP session back into R2. If we did configure CBAC for UDP we would only see half-open sessions (no two-way communication: R2 only sends the packets but never receives a UDP answer). So in short, Traceroute only needs the ICMP messages port-unreachable and time-exceeded to be permitted in the incoming ACL.
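
To make the interplay between the static ACLs and the CBAC session table explicit, here is an added, simplified Python model of R2's filtering (example code, not IOS and not part of the original post). It assumes the addresses and ACL entries from the configuration above and ignores timers and other CBAC details.

```python
# Added example: a simplified model of R2's filtering (static INBOUND/OUTBOUND
# ACLs plus a CBAC session table for locally generated ICMP). Not IOS code.
from dataclasses import dataclass, field

R2_OUTSIDE = "116.1.23.2"                      # R2's Fa0/1 address from the post
SESSION_RETURN = {"echo-reply", "time-exceeded", "port-unreachable"}
STATIC_INBOUND = {"port-unreachable", "time-exceeded"}

@dataclass
class Packet:
    src: str
    dst: str
    proto: str              # "icmp" or "udp"
    icmp_type: str = ""     # echo, echo-reply, time-exceeded, port-unreachable
    local: bool = False     # True when R2 itself generated the packet

@dataclass
class R2Firewall:
    sessions: set = field(default_factory=set)   # (local_ip, remote_ip, proto)

    def outbound(self, p: Packet) -> str:
        # Locally generated packets never hit the OUTBOUND ACL. Only ICMP is
        # inspected ('ip inspect name INSPECT icmp router-traffic'), so a local
        # echo opens a session while traceroute's UDP probes open nothing.
        if p.local:
            if p.proto == "icmp" and p.icmp_type == "echo":
                self.sessions.add((p.src, p.dst, "icmp"))
            return "permit"
        return "deny (OUTBOUND)"                  # deny ip any any log

    def inbound(self, p: Packet) -> str:
        if (p.dst, p.src, p.proto) in self.sessions and p.icmp_type in SESSION_RETURN:
            return "permit (CBAC session)"        # return traffic of an open session
        # Static INBOUND entries: the two ICMP types traceroute relies on.
        if p.proto == "icmp" and p.dst == R2_OUTSIDE and p.icmp_type in STATIC_INBOUND:
            return "permit (INBOUND)"
        return "deny (INBOUND)"                   # deny ip any any log

def run_scenarios() -> dict:
    # Replay the four tests from the post (constructed packets) and return each verdict.
    fw = R2Firewall()
    fw.outbound(Packet(R2_OUTSIDE, "116.1.34.4", "icmp", "echo", local=True))
    r2_ping = fw.inbound(Packet("116.1.34.4", R2_OUTSIDE, "icmp", "echo-reply"))
    fw = R2Firewall()
    fw.outbound(Packet(R2_OUTSIDE, "116.1.34.4", "udp", local=True))       # traceroute probe
    hop1 = fw.inbound(Packet("116.1.23.3", R2_OUTSIDE, "icmp", "time-exceeded"))
    hop2 = fw.inbound(Packet("116.1.34.4", R2_OUTSIDE, "icmp", "port-unreachable"))
    return {"r2_ping": r2_ping, "trace_hop1": hop1, "trace_hop2": hop2,
            "sessions_after_trace": len(fw.sessions),
            "r4_ping": R2Firewall().inbound(Packet("116.1.34.4", R2_OUTSIDE, "icmp", "echo")),
            "r1_ping": R2Firewall().outbound(Packet("116.1.12.1", "116.1.34.4", "icmp", "echo"))}
```

Running run_scenarios() reproduces the outcomes shown in the session and log output below: R2's own ping and traceroute succeed, traceroute leaves no session behind, and the pings from R4 and R1 are denied by INBOUND and OUTBOUND respectively.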

Just to show that it works:

R2#ping 116.1.34.4

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 116.1.34.4, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 32/35/40 ms
R2#sh ip inspect sessions
Established Sessions
 Session 6557315C (116.1.23.2:8)=>(116.1.34.4:0) icmp SIS_OPEN

R2#traceroute 116.1.34.4

Type escape sequence to abort.
Tracing the route to 116.1.34.4

  1 116.1.23.3 16 msec 16 msec 12 msec
  2 116.1.34.4 28 msec *  44 msec
R2#sh ip inspect sessions

R4#ping 116.1.23.2

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 116.1.23.2, timeout is 2 seconds:
U.U.U
Success rate is 0 percent (0/5)

*Mar  1 00:15:18.835: %SEC-6-IPACCESSLOGDP: list INBOUND denied icmp 116.1.34.4 -> 116.1.23.2 (ping 116.1.34.4

R1#ping 116.1.34.4

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 116.1.34.4, timeout is 2 seconds:
U.U.U
Success rate is 0 percent (0/5)

*Mar  1 00:15:59.259: %SEC-6-IPACCESSLOGDP: list OUTBOUND denied icmp 116.1.12.1 -> 116.1.34.4 (0/0), 1 packet

The only other thing worth mentioning is that the show ip inspect sessions command does not show any open sessions after a successful Traceroute, because only ICMP is inspected and the UDP probes never open a session.
