From: Rob Webber (rwebber@xxxxxxxxxxxx)
Date: Wed Jan 03 2001 - 16:50:42 GMT-3
On a related note, I found that if you wanted to place the inbound
access-group on R2's s0 port (rather than e0) you would have to allow icmp
unreachables as well as time-exceeded (or ttl-exceeded...in this case either
would work). Each router along the way will send back an icmp time/ttl
exceeded, but the last router (assuming you are tracerouting to a router)
will send back a port unreachable since it will actually get the packet that
has UDP port 334xx (with a TTL of 1), but it won't know what to do with it.
access-list 120 permit icmp any any unreachable
access-list 120 permit icmp any any time-exceeded
Rob.
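An added worked example (not from either message in this thread): a small Python model of the traceroute exchange Rob describes, used to check which ICMP replies an inbound ACL on R2's s0 has to permit. The R2 e0 address 192.168.2.1 is an assumption (the thread never gives it); 192.168.1.5 is r1's s0 from the original post.

```python
from dataclasses import dataclass

# Traceroute on a Cisco router sends UDP probes to destination ports starting
# at 33434, with TTL 1, 2, 3 ... (the thread's "334xx" ports).
TRACEROUTE_BASE_PORT = 33434

# Mirrors the thread's `access-list 120`: (action, icmp message type) entries.
ACL_120 = [("permit", "unreachable"), ("permit", "time-exceeded")]
# The same list with the unreachable line forgotten, for comparison.
ACL_120_NO_UNREACHABLE = [("permit", "time-exceeded")]

# Constructed hop addresses: R2's e0 is not given in the thread (assumed
# 192.168.2.1); r1's s0 is 192.168.1.5 as in the original message.
PATH_R3_TO_R1 = ["192.168.2.1", "192.168.1.5"]

@dataclass(frozen=True)
class IcmpReply:
    src: str
    icmp_type: str   # "time-exceeded" or "unreachable" (port unreachable)
    probe_port: int  # UDP destination port of the probe being answered

def probe_reply(ttl: int, path: list[str]) -> IcmpReply:
    """Reply to the probe with the given TTL; path[0] is the first router
    after the sender and path[-1] the traceroute target.  Every router where
    the TTL expires answers time-exceeded; the target delivers the UDP
    datagram, finds no listener on the 334xx port, and answers unreachable."""
    port = TRACEROUTE_BASE_PORT + ttl - 1
    if ttl < len(path):
        return IcmpReply(path[ttl - 1], "time-exceeded", port)
    return IcmpReply(path[-1], "unreachable", port)

def acl_permits(acl: list[tuple[str, str]], reply: IcmpReply) -> bool:
    """Evaluate an `access-list N permit icmp any any <type>` style list;
    anything not explicitly permitted hits the implicit deny at the end."""
    for action, icmp_type in acl:
        if icmp_type == reply.icmp_type:
            return action == "permit"
    return False

def traceroute(acl: list[tuple[str, str]], path: list[str], acl_from_hop: int = 2) -> list[str]:
    """Per-hop traceroute output as R3 would see it.  Replies from hop
    `acl_from_hop` onward reach R2 through s0 and are checked against the
    inbound ACL; R2's own reply (hop 1) is generated locally and never is."""
    shown = []
    for ttl in range(1, len(path) + 1):
        reply = probe_reply(ttl, path)
        passed = ttl < acl_from_hop or acl_permits(acl, reply)
        shown.append(reply.src if passed else "*")
    return shown
```

With `ACL_120` both hops answer; with the unreachable line missing, the last hop shows as `*` because r1's port-unreachable reply is dropped on R2's s0.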
-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
Robert DeVito
Sent: Saturday, December 30, 2000 9:09 PM
To: ccielab@groupstudy.com
Subject: Permitting traceroute through an ACL
  e0           e0   s0         s0
R3----------------R2------/-------r1
R3 e0=192.168.2.2/24
r1 s0= 192.168.1.5/30
I have an inbound access-list on R2's ethernet port. I want R3 to be able to
traceroute to r1. I understand that a cisco router will start with udp port
33434 when it does a traceroute. This is how I was able to do it:
access-list 101 permit udp host 192.168.2.2 gt 33433 host 192.168.1.5 gt 33343
It seems to work just fine, I just want to make sure this is what you guys
(and gals) would do if you came across this in the lab.
Happy New Years!
Robert DeVito
This archive was generated by hypermail 2.1.4 : Thu Jun 13 2002 - 10:27:22 GMT-3