RE: trace question?

From: David H. Brown (DHBrown@xxxxxxxxxxxx)
Date: Sun Jun 11 2000 - 23:35:13 GMT-3

Revisiting an OLD question:

I tried this in the lab and the traces are denied with !A !A !A replies. To
make it work, I modified my access list with the udp range:

R2 (firewall - ver 11.3(11a))
Extended IP access list 150
    permit icmp any any
    permit icmp any any port-unreachable
    permit icmp any any ttl-exceeded
    permit icmp any any echo-reply
    permit udp any any range 33400 33500 (3 matches)

Here are the logged errors - without the udp range line in the list:
01:19:39: %SEC-6-IPACCESSLOGP: list 150 denied udp 137.4.3.129(42449) -> 137.4.4.1(33434), 1 packet
01:19:42: %SEC-6-IPACCESSLOGP: list 150 denied udp 137.4.3.129(39192) -> 137.4.4.1(33436), 1 packet

Tracerouted from R5 (ver 11.2(12))

        FR            ETH           T/R
R5 ------------ R3 ------------ R2 ------------
^                               ^             ^ Traced port is here
^                               ^ "firewall" is inbound access-group here
^ Traced from here

Any ideas why the port-unreachable or "icmp any any" didn't work??

David
(RTP Lab 6/15)

-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
Gary Blankenship
Sent: Sunday, April 09, 2000 5:26 PM
To: Chad Marsh; zheng jiang gu
Cc: ccielab
Subject: Re: trace question?

Actually, here is the correct ACL (with comments):

! Permits messages from intermediate nodes in the path
access-list 101 permit icmp any any ttl-exceeded
! Microsoft tracert uses echo. Permit response from final destination.
access-list 101 permit icmp any any echo-reply
! Cisco traceroute uses high-end UDP ports (default 33434). Permits response from final destination.
access-list 101 permit icmp any any port-unreachable

Gary
----- Original Message -----
From: "Chad Marsh" <chad@wa.net>
To: "zheng jiang gu" <zjgu@ce-air.com>
Cc: "ccielab" <ccielab@groupstudy.com>
Sent: Monday, April 10, 2000 2:29 AM
Subject: Re: trace question?

> access-list 101 permit icmp any any ttl-exceeded
>
>
> Chad Marsh
>
>
> > zheng jiang gu wrote:
> >
> > Can anyone tell me how to make an access-list to permit only trace
> > message ?
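Added example (not code from anyone in this thread): a small first-match model of the access list in David's message, run over the two deny log lines he quoted (constructed here, re-joined onto single lines) and over Gary's two traceroute flavours. It shows why "permit icmp any any" never helps on the inbound side: a Cisco traceroute probe is UDP to 33434 and up, so only the UDP range entry can match it, while a Windows tracert probe is ICMP echo and is covered. The model assumes "any any" entries and matches only protocol, ICMP message type and UDP destination port.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample: the two %SEC-6-IPACCESSLOGP deny lines from the message, re-joined onto single lines.
LOG = """\
01:19:39: %SEC-6-IPACCESSLOGP: list 150 denied udp 137.4.3.129(42449) -> 137.4.4.1(33434), 1 packet
01:19:42: %SEC-6-IPACCESSLOGP: list 150 denied udp 137.4.3.129(39192) -> 137.4.4.1(33436), 1 packet
"""

LOG_RE = re.compile(r"list (\d+) denied (\w+) ([\d.]+)\((\d+)\) -> ([\d.]+)\((\d+)\)")

def parse_denies(text):
    """Return (acl, proto, src, sport, dst, dport) for every IPACCESSLOGP deny line."""
    return [(a, p, s, int(sp), d, int(dp))
            for a, p, s, sp, d, dp in (m.groups() for m in LOG_RE.finditer(text))]

@dataclass
class Permit:
    """One 'permit <proto> any any ...' entry; icmp_type None matches every ICMP message."""
    proto: str
    icmp_type: Optional[str] = None
    lo: int = 0          # UDP destination port range, inclusive
    hi: int = 65535

def first_match(acl, proto, dport=0, icmp_type=None):
    """Index of the first permit covering the packet, or None for the implicit deny at the end."""
    for i, e in enumerate(acl):
        if e.proto != proto:
            continue
        if proto == "icmp" and e.icmp_type not in (None, icmp_type):
            continue
        if proto == "udp" and not e.lo <= dport <= e.hi:
            continue
        return i
    return None

# Access list 150 as first posted (ICMP only) and after adding the UDP probe range.
ICMP_ONLY = [Permit("icmp"), Permit("icmp", "port-unreachable"),
             Permit("icmp", "ttl-exceeded"), Permit("icmp", "echo-reply")]
WITH_UDP = ICMP_ONLY + [Permit("udp", lo=33400, hi=33500)]

def probes_permitted(acl, text=LOG):
    """For each logged probe, True if the given list would permit it."""
    return [first_match(acl, p, dport) is not None for _, p, _, _, _, dport in parse_denies(text)]

def traceroute_probe_permitted(acl, flavour):
    """Cisco traceroute probes are UDP to 33434+; Windows tracert probes are ICMP echo."""
    if flavour == "cisco":
        return first_match(acl, "udp", 33434) is not None
    return first_match(acl, "icmp", icmp_type="echo") is not None
```

The ICMP entries still matter in the other direction: the ttl-exceeded and port-unreachable replies flow back toward the tracing router, so a list applied there needs Gary's three lines.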

This archive was generated by hypermail 2.1.4 : Thu Jun 13 2002 - 08:23:41 GMT-3