RE: Permitting traceroute through an ACL

From: Ronnie Royston (RonnieR@xxxxxxxxxxxxxxxxx)
Date: Sat Dec 30 2000 - 18:23:53 GMT-3

If I remember correctly, this is how I did it (I haven't tested this
particular access-list).

access-list 100 permit icmp any any traceroute
access-list 100 permit icmp any any tos normal
access-list 100 permit icmp any any ttl-exceeded
access-list 100 deny ip any any

If I remember right, there was a "tos" parameter (I think normal) that
covers all of those UDP ports. I remember that I needed to permit the
ttl-exceeded packets. Good luck.

-----Original Message-----
From: Robert DeVito [mailto:robertdevito@hotmail.com]
Sent: Saturday, December 30, 2000 1:09 PM
To: ccielab@groupstudy.com
Subject: Permitting traceroute through an ACL

   e0              e0  s0            s0
R3----------------R2------/-------r1

R3 e0=192.168.2.2/24
r1 s0= 192.168.1.5/30

I have an inbound access-list on R2's ethernet port. I want R3 to be able to
traceroute to r1. I understand that a Cisco router will start with UDP port
33434 when it does a traceroute. This is how I was able to do it:

access-list 101 permit udp host 192.168.2.2 gt 33433 host 192.168.1.5 gt 33343

It seems to work just fine, I just want to make sure this is what you guys
(and gals) would do if you came across this in the lab.

Happy New Years!
Robert DeVito
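An added example, not code from either poster or from IOS: a small Python matcher for the extended access-list syntax quoted in this thread, run over constructed packets that a traceroute from R3 to r1 would generate. The two lists are copied from the messages above (port values as Robert wrote them). The packet addresses other than 192.168.2.2 and 192.168.1.5 are assumptions (192.168.1.6 is taken to be R2's s0 on the /30), and the ICMP keyword-to-type table is the standard IOS mapping. It shows which packets each list permits, and that the implicit deny at the end of a list drops everything else.

```python
"""Toy evaluator for Cisco-style extended ACL lines (added example)."""
from dataclasses import dataclass

# IOS ICMP keywords -> (type, code); None code means any code.
ICMP_KEYWORDS = {
    "ttl-exceeded": (11, 0),       # time exceeded, TTL expired in transit
    "traceroute": (30, None),      # ICMP traceroute message type
    "port-unreachable": (3, 3),    # what the final hop sends back to a UDP probe
}

@dataclass
class Packet:
    proto: str            # "udp", "tcp" or "icmp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    icmp_type: int = -1
    icmp_code: int = 0
    tos: int = 0          # IP ToS byte; "tos normal" in IOS is 0

def _addr(tokens):
    """Consume 'any' or 'host A.B.C.D' and return a predicate on an IP string."""
    tok = tokens.pop(0)
    if tok == "any":
        return lambda ip: True
    if tok == "host":
        want = tokens.pop(0)
        return lambda ip: ip == want
    raise ValueError("unsupported address spec: " + tok)

def _port(tokens):
    """Consume an optional 'eq N' / 'gt N' / 'lt N' port operator."""
    if tokens and tokens[0] in ("eq", "gt", "lt"):
        op, n = tokens.pop(0), int(tokens.pop(0))
        return {"eq": lambda p: p == n,
                "gt": lambda p: p > n,
                "lt": lambda p: p < n}[op]
    return lambda p: True

def parse_ace(line):
    """Return (action, match_fn) for one access-list entry."""
    tokens = line.split()
    if tokens[0] in ("access-list", "acc"):   # IOS accepts the abbreviation
        tokens = tokens[2:]                   # drop keyword and list number
    action, proto = tokens.pop(0), tokens.pop(0)
    src = _addr(tokens)
    sport = _port(tokens) if proto in ("udp", "tcp") else (lambda p: True)
    dst = _addr(tokens)
    dport = _port(tokens) if proto in ("udp", "tcp") else (lambda p: True)
    icmp, tos = None, None
    while tokens:
        t = tokens.pop(0)
        if t == "tos":
            tos = {"normal": 0}[tokens.pop(0)]
        elif t in ICMP_KEYWORDS:
            icmp = ICMP_KEYWORDS[t]
        else:
            raise ValueError("unsupported ACE option: " + t)

    def match(pkt):
        if proto != "ip" and pkt.proto != proto:
            return False
        if not (src(pkt.src) and dst(pkt.dst)):
            return False
        if not (sport(pkt.sport) and dport(pkt.dport)):
            return False
        if tos is not None and pkt.tos != tos:
            return False
        if icmp is not None:
            ty, code = icmp
            if pkt.icmp_type != ty or (code is not None and pkt.icmp_code != code):
                return False
        return True
    return action, match

def evaluate(acl_lines, pkt):
    """First matching entry wins; an IOS list ends with an implicit deny."""
    for line in acl_lines:
        action, match = parse_ace(line)
        if match(pkt):
            return action
    return "deny"

# The two lists from the thread.
ACL_100 = ["access-list 100 permit icmp any any traceroute",
           "access-list 100 permit icmp any any tos normal",
           "access-list 100 permit icmp any any ttl-exceeded",
           "access-list 100 deny ip any any"]
ACL_101 = ["access-list 101 permit udp host 192.168.2.2 gt 33433 host 192.168.1.5 gt 33343"]

# Constructed packets for a traceroute R3 -> r1 (high source port assumed).
PROBE = Packet("udp", "192.168.2.2", "192.168.1.5", sport=39000, dport=33434)
TTL_EXCEEDED = Packet("icmp", "192.168.1.6", "192.168.2.2", icmp_type=11)
PORT_UNREACH = Packet("icmp", "192.168.1.5", "192.168.2.2", icmp_type=3, icmp_code=3)

def traceroute_report(acl_lines):
    """Action taken for each traceroute-related packet by the given list."""
    return {name: evaluate(acl_lines, p) for name, p in
            (("probe", PROBE), ("ttl_exceeded", TTL_EXCEEDED), ("port_unreach", PORT_UNREACH))}

if __name__ == "__main__":
    for name, acl in (("ACL 100", ACL_100), ("ACL 101", ACL_101)):
        print(name, traceroute_report(acl))
```

Only the UDP probe from R3 enters R2's e0, so that is the packet an inbound list on e0 has to permit; the ICMP replies travel the other way and are never checked by that list. Running the report shows ACL 101 permitting the probe and ACL 100 permitting only the ICMP replies.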

This archive was generated by hypermail 2.1.4 : Thu Jun 13 2002 - 08:26:13 GMT-3