From: Dave Gingrich (Dave@xxxxxxx)
Date: Tue Jun 13 2000 - 20:42:17 GMT-3
At 10:35 PM 6/11/00 -0400, David H. Brown wrote:
>Revisiting an OLD question:
>
>I tried this in the lab and the traces are denied with !A !A !A replies. To
>make it work, I modified my access list with the udp range:
>
>R2 (firewall - ver 11.3(11a))
>Extended IP access list 150
> permit icmp any any
> permit icmp any any port-unreachable
> permit icmp any any ttl-exceeded
> permit icmp any any echo-reply
> permit udp any any range 33400 33500 (3 matches)
>
>Any ideas why the port-unreachable or "icmp any any" didn't work??
The answer is in Gary's quoted message that you included below...
Cisco (and most Unix) use UDP traceroute. Windows uses ICMP for tracert.
>-----Original Message-----
>From: nobody@groupstudy.com [mailto:nobody@groupstudy.com]On Behalf Of
>Gary Blankenship
>Sent: Sunday, April 09, 2000 5:26 PM
>To: Chad Marsh; zheng jiang gu
>Cc: ccielab
>Subject: Re: trace question?
>
>
>Actually, here is the correct ACL (with comments):
>
>! Permits messages from intermediate nodes in the path
>access-list 101 permit icmp any any ttl-exceeded
>! Microsoft tracert uses echo. Permit response from final destination.
>access-list 101 permit icmp any any echo-reply
>! Cisco traceroute uses high end UDP ports (default 33434). Permits
>response from final destination.
>access-list 101 permit icmp any any port-unreachable
=====================
Dave Gingrich, K9DC
Indianapolis, Indiana
Dave@dcg.org
=====================
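To make the point of this thread concrete, here is an added model (not code from any poster) of IOS first-match ACL evaluation run against the packets each traceroute flavor generates: ICMP echo for Windows tracert, UDP to 33434 and up for Cisco/Unix traceroute, with ttl-exceeded, echo-reply or port-unreachable coming back. It assumes a single ACL sees both the probes and the replies, and that the UDP flavor increments the destination port once per probe; the `Pkt`/`Ace` names and the constructed ACLs are mine.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Pkt:
    proto: str           # "udp" or "icmp"
    dport: int = 0       # UDP destination port (ignored for ICMP)
    icmp_type: str = ""  # IOS keyword: "echo", "echo-reply", "ttl-exceeded", ...

@dataclass(frozen=True)
class Ace:
    """One 'permit|deny <proto> any any [icmp-type | range lo hi]' entry."""
    action: str
    proto: str
    icmp_type: str = ""  # "" means any ICMP message, like a bare 'permit icmp any any'
    port_lo: int = 0
    port_hi: int = 65535

    def matches(self, p: Pkt) -> bool:
        if self.proto != p.proto:
            return False
        if p.proto == "icmp":
            return self.icmp_type in ("", p.icmp_type)
        return self.port_lo <= p.dport <= self.port_hi

def acl_action(acl, pkt):
    """First matching entry wins; an unmatched packet hits the implicit deny."""
    for ace in acl:
        if ace.matches(pkt):
            return ace.action
    return "deny"

def traceroute_packets(flavor, hops=30, probes=3, base_port=33434):
    """Probes a trace sends, plus the replies it must get back.
    Assumption: the UDP flavor bumps the destination port once per probe."""
    ttl_exc = Pkt("icmp", icmp_type="ttl-exceeded")  # from intermediate hops
    if flavor == "windows":  # tracert: ICMP echo out, echo-reply from the target
        return ([Pkt("icmp", icmp_type="echo")] * (hops * probes),
                [ttl_exc, Pkt("icmp", icmp_type="echo-reply")])
    # Cisco / Unix: UDP to high ports out, port-unreachable from the target
    return ([Pkt("udp", dport=base_port + i) for i in range(hops * probes)],
            [ttl_exc, Pkt("icmp", icmp_type="port-unreachable")])

def trace_passes(acl, flavor, **kw):
    """True only if every probe and every expected reply is permitted."""
    sent, replies = traceroute_packets(flavor, **kw)
    return all(acl_action(acl, p) == "permit" for p in sent + replies)

# The two ACLs from the thread, as constructed data
ICMP_ONLY = [Ace("permit", "icmp")]  # 'permit icmp any any' alone
WITH_UDP = ICMP_ONLY + [Ace("permit", "udp", port_lo=33400, port_hi=33500)]
```

Under the per-probe port assumption a full 30-hop, 3-probe trace climbs to port 33523, past the 33500 upper bound of the range in the thread, so a short trace passes while a long one is denied on its last hops.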