Re: permit/deny traceroute......

From: Ron Royston (ccie6824@xxxxxxxxxxx)
Date: Fri Aug 03 2001 - 16:30:35 GMT-3

• Next message: Schmitt, Greg: "RE: different level passwords"
• Previous message: Libone Mhalanga: "RE: CCIE Experience from the depths of below..."
• Next in thread: Philip Guo: "Re: permit/deny traceroute......"
• Maybe reply: Philip Guo: "Re: permit/deny traceroute......"
• Maybe reply: Dan Pontrelli: "Re: permit/deny traceroute......"
• Maybe reply: Zeng Puyang: "Re: permit/deny traceroute......"
• Maybe reply: Dan Pontrelli: "Re: permit/deny traceroute......"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

   
If I can't figure out why an application is malfunctioning and I know there
is an ACL between the client and server, I'll put a 'deny any any log' at
the end of the ACL, or set a PIX to send SYSLOGs to my laptop. Both of
these methods will show what transport protocol port #s that are being
blocked. Once you have that info, you can modify the ACL.

You'll notice that Cisco's traceroute uses variable/random UDP port numbers
that must be permitted. It'll take some time, but use your log messages to
get it working. Hope that helps.

>From: "Steven Weber" <itweber@earthlink.net>
>Reply-To: "Steven Weber" <itweber@earthlink.net>
>To: <ccielab@groupstudy.com>
>Subject: permit/deny traceroute......
>Date: Thu, 26 Jul 2001 11:02:09 -0400
>
>Hey Guys,
>
>Here's something I seem to be having a problem with. I can't properly
>configure an ACL for traceroute. I've tried the following with no joy:
>
>access-list 100 permit udp any any eq echo
>and
>access-list 100 permit icmp any any traceroute
>
>Anybody who can shed some light on this one ?
>
>Regards,
>**Please read:http://www.groupstudy.com/list/posting.html

• Next message: Schmitt, Greg: "RE: different level passwords"
• Previous message: Libone Mhalanga: "RE: CCIE Experience from the depths of below..."
• Next in thread: Philip Guo: "Re: permit/deny traceroute......"
• Maybe reply: Philip Guo: "Re: permit/deny traceroute......"
• Maybe reply: Dan Pontrelli: "Re: permit/deny traceroute......"
• Maybe reply: Zeng Puyang: "Re: permit/deny traceroute......"
• Maybe reply: Dan Pontrelli: "Re: permit/deny traceroute......"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

This archive was generated by hypermail 2.1.4 : Thu Jun 13 2002 - 10:31:44 GMT-3