Re: trace question?

From: Fred Ingham (fningham@xxxxxxxxxxxxxxxx)
Date: Tue Jun 13 2000 - 13:16:34 GMT-3


Since the access-list has permit icmp any any first, the following
lines will never be reached. In addition, the access-list is inbound
from the traceroute source - the traceroute source generates udp
packets, not icmp packets. Thus all probes
from the source will be denied. The return packets from the traced
address and all routers in between will be
either icmp time exceeded messages or icmp port unreachable
messages.

So R3 will return a time exceeded message to R5 for each probe with the
ttl=1, and R2 will return an icmp port unreachable
for each probe with ttl=2. Using defaults, R5 will generate
packets on udp ports 33434, 33435, and 33436 with a ttl of 1 and udp
ports 33437, 33438, 33439 with a ttl of 2.

HTH

"David H. Brown" wrote:
>
> Revisiting an OLD question:
>
> I tried this in the lab and the traces are denied with !A !A !A replies. To
> make it work, I modified my access list with the udp range:
>
> R2 (firewall - ver 11.3(11a))
> Extended IP access list 150
> permit icmp any any
> permit icmp any any port-unreachable
> permit icmp any any ttl-exceeded
> permit icmp any any echo-reply
> permit udp any any range 33400 33500 (3 matches)
>
> Here are the logged errors - without the udp range line in the list:
> 01:19:39: %SEC-6-IPACCESSLOGP: list 150 denied udp 137.4.3.129(42449) ->
> 137.4.4.1(33434), 1 packet
> 01:19:42: %SEC-6-IPACCESSLOGP: list 150 denied udp 137.4.3.129(39192) ->
> 137.4.4.1(33436), 1 packet
>
> Tracerouted from R5 (ver 11.2(12))
>
> FR ETH T/R
> R5 -- R3 --- R2 ---
> ^ ^ ^ Traced port is here
> ^ ^ "firewall" is inbound access-group here
> ^ Traced from here
>
> Any ideas why the port-unreachable or "icmp any any" didn't work??
>
> David
> (RTP Lab 6/15)
>
> -----Original Message-----
> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com]On Behalf Of
> Gary Blankenship
> Sent: Sunday, April 09, 2000 5:26 PM
> To: Chad Marsh; zheng jiang gu
> Cc: ccielab
> Subject: Re: trace question?
>
> Actually, here is the correct ACL (with comments):
>
> ! Permits messages from intermediate nodes in the path
> access-list 101 permit icmp any any ttl-exceeded
> ! Microsoft tracert uses echo. Permit response from final destination.
> access-list 101 permit icmp any any echo-reply
> ! Cisco traceroute uses high end UDP ports (default 33434). Permits
> response from final destination.
> access-list 101 permit icmp any any port-unreachable
>
> Gary
> ----- Original Message -----
> From: "Chad Marsh" <chad@wa.net>
> To: "zheng jiang gu" <zjgu@ce-air.com>
> Cc: "ccielab" <ccielab@groupstudy.com>
> Sent: Monday, April 10, 2000 2:29 AM
> Subject: Re: trace question?
>
> > access-list 101 permit icmp any any ttl-exceeded
> >
> >
> > Chad Marsh
> >
> >
> > > zheng jiang gu wrote:
> > >
> > > Can anyone tell me how to make a access-list to permit only trace
> > > message ?
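To make the two points in this thread checkable, here is an added example (not code from any poster): a small first-match ACL evaluator in Python that models the quoted "Extended IP access list 150" and Cisco traceroute's default probe pattern. It shows that, inbound on R2, the UDP probes from R5 match none of the ICMP lines and fall to the implicit deny until the udp range line is added, and that "permit icmp any any" on the first line shadows every ICMP line after it. The addresses and ports are the ones quoted above; the `Ace`, `Packet`, `evaluate`, `shadowed_entries` and `traceroute_probes` names and the any/any address model are simplifications of this example, not IOS behaviour beyond first-match and implicit deny.

```python
# Added example, not from the thread: a minimal first-match ACL evaluator that
# reproduces two points made above about "Extended IP access list 150":
#   1. inbound on R2, Cisco traceroute's UDP probes match nothing and hit the
#      implicit deny unless a udp line is present, and
#   2. "permit icmp any any" on the first line shadows every ICMP line after it.
# Addresses and ports are the ones quoted in the thread; the ACL model
# (any/any addresses, port ranges, ICMP type names) is a simplification.
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str                        # "udp" or "icmp"
    src: str
    dst: str
    dport: Optional[int] = None       # UDP destination port
    icmp_type: Optional[str] = None   # "ttl-exceeded", "port-unreachable", ...


@dataclass(frozen=True)
class Ace:
    """One access-list entry; None in a field means 'any'."""
    action: str                       # "permit" or "deny"
    proto: str                        # "udp", "icmp" or "ip"
    port_range: Optional[Tuple[int, int]] = None
    icmp_type: Optional[str] = None

    def matches(self, p: Packet) -> bool:
        if self.proto != "ip" and self.proto != p.proto:
            return False
        if self.port_range is not None:
            lo, hi = self.port_range
            if p.dport is None or not lo <= p.dport <= hi:
                return False
        if self.icmp_type is not None and p.icmp_type != self.icmp_type:
            return False
        return True

    def covers(self, other: "Ace") -> bool:
        """True if every packet matching `other` also matches this entry."""
        if self.proto != "ip" and self.proto != other.proto:
            return False
        if self.port_range is not None:
            if other.port_range is None:
                return False
            lo, hi = self.port_range
            olo, ohi = other.port_range
            if not (lo <= olo and ohi <= hi):
                return False
        if self.icmp_type is not None and other.icmp_type != self.icmp_type:
            return False
        return True


def evaluate(acl: List[Ace], pkt: Packet) -> Tuple[str, Optional[int]]:
    """First-match semantics: the first matching entry decides; no match is the implicit deny."""
    for idx, ace in enumerate(acl):
        if ace.matches(pkt):
            return ace.action, idx
    return "deny", None


def shadowed_entries(acl: List[Ace]) -> List[int]:
    """Indexes of entries that can never be reached because an earlier entry covers them."""
    return [j for j in range(len(acl))
            if any(acl[i].covers(acl[j]) for i in range(j))]


def traceroute_probes(src: str, dst: str, max_ttl: int = 2,
                      probes_per_hop: int = 3, base_port: int = 33434):
    """Cisco traceroute defaults: 3 UDP probes per TTL, destination port counting up from 33434."""
    out = []
    port = base_port
    for ttl in range(1, max_ttl + 1):
        for _ in range(probes_per_hop):
            out.append((ttl, Packet("udp", src, dst, dport=port)))
            port += 1
    return out


# "Extended IP access list 150" as quoted, first without and then with the udp range line.
ACL_150 = [
    Ace("permit", "icmp"),
    Ace("permit", "icmp", icmp_type="port-unreachable"),
    Ace("permit", "icmp", icmp_type="ttl-exceeded"),
    Ace("permit", "icmp", icmp_type="echo-reply"),
]
ACL_150_WITH_UDP = ACL_150 + [Ace("permit", "udp", port_range=(33400, 33500))]

if __name__ == "__main__":
    # Probes from R5 (137.4.3.129) toward the traced address (137.4.4.1), as logged above.
    for ttl, probe in traceroute_probes("137.4.3.129", "137.4.4.1"):
        print("ttl", ttl, "udp/%d" % probe.dport,
              "without udp line:", evaluate(ACL_150, probe),
              "with udp line:", evaluate(ACL_150_WITH_UDP, probe))
    print("shadowed entries in list 150:", shadowed_entries(ACL_150))
```

Running it lists the six probes (ports 33434-33436 at TTL 1, 33437-33439 at TTL 2) as denied by the implicit deny without the udp line and permitted by entry 4 with it, and reports entries 1, 2 and 3 as unreachable. The `covers` check is the useful part for reviewing real lists: an entry that is covered by an earlier one adds nothing, so when such a list is meant to be tightened later (for example by removing the broad first line), the ICMP type lines are what actually limit the returning traffic.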



This archive was generated by hypermail 2.1.4 : Thu Jun 13 2002 - 08:23:42 GMT-3