Re: how to block traeroute ouput but permit ping ...

From: Fred Ingham (fningham@xxxxxxxxxxxxxxxx)
Date: Sun Feb 25 2001 - 23:31:51 GMT-3

• Next message: Scott Morris: "RE: More IPSec probs..."
• Previous message: Devender Singh: "RE: More IPSec probs..."
• Maybe in reply to: JZ: "how to block traeroute ouput but permit ping ..."
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

   
To amplify another reply - traceroute from a cisco router doesn't use
icmp, it uses
udp with the default starting port of 33434.

HTH, Fred.

JZ wrote:
>
> Hi, here is an issue I have been working on but no lucky..
>
> rL:s0 ----------------s1:rM:s0 --------------- s0:rR
> "tr < rR:s0 IP>" ACL# 100 /out
> apply on rM:s0
>
> Q: apply access-group 100 OUT on rM:s0 to block the output
> of traceroute from rL toward rR:s0, but allow rL ping
> rR
>
> My cfg. on rM:
> int s0
> ip access-group 100 out
> !
> acl 100 deny icmp any Any eq traceroute
> acl 100 permit ip any Any
> !
> While verify, from rL: using " tr <rR:s0's IP> "
> I can still see the output from both routers: rM and rR.
> not just rM.
>
> Was anything wrong in my cfg. ?
>
> Thanks in advance.
>
> JZ
> Sunday
>

• Next message: Scott Morris: "RE: More IPSec probs..."
• Previous message: Devender Singh: "RE: More IPSec probs..."
• Maybe in reply to: JZ: "how to block traeroute ouput but permit ping ..."
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

This archive was generated by hypermail 2.1.4 : Thu Jun 13 2002 - 10:29:01 GMT-3