From: Philip Guo (guo6688@xxxxxxxxxxx)
Date: Sat Aug 04 2001 - 00:27:07 GMT-3
The ACL to permit traceroute:
access-list 100 permit udp any any gt 30000
access-list 100 permit icmp any any echo-reply
traceroute uses UDP ports >30000 and receives echo-reply from ICMP
Phillip
>From: "Ron Royston" <ccie6824@hotmail.com>
>Reply-To: "Ron Royston" <ccie6824@hotmail.com>
>To: itweber@earthlink.net, ccielab@groupstudy.com
>Subject: Re: permit/deny traceroute......
>Date: Fri, 03 Aug 2001 14:30:35 -0500
>
>If I can't figure out why an application is malfunctioning and I know there
>is an ACL between the client and server, I'll put a 'deny any any log' at
>the end of the ACL, or set a PIX to send SYSLOGs to my laptop. Both of
>these methods will show what transport protocol port #s that are being
>blocked. Once you have that info, you can modify the ACL.
>
>You'll notice that Cisco's traceroute uses variable/random UDP port numbers
>that must be permitted. It'll take some time, but use your log messages to
>get it working. Hope that helps.
>
>
>>From: "Steven Weber" <itweber@earthlink.net>
>>Reply-To: "Steven Weber" <itweber@earthlink.net>
>>To: <ccielab@groupstudy.com>
>>Subject: permit/deny traceroute......
>>Date: Thu, 26 Jul 2001 11:02:09 -0400
>>
>>Hey Guys,
>>
>>Here's something I seem to be having a problem with. I can't properly
>>configure an ACL for traceroute. I've tried the following with no joy:
>>
>>access-list 100 permit udp any any eq echo
>>and
>>access-list 100 permit icmp any any traceroute
>>
>>Anybody who can shed some light on this one ?
>>
>>Regards,
>>**Please read: http://www.groupstudy.com/list/posting.html
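Added example, not from the thread: a small first-match ACL evaluator that replays constructed traceroute packets through Philip's ACL (spelled out in full, with Ron's trailing deny-log entry appended) and through a variant that permits the ICMP replies a UDP traceroute actually depends on, showing which packets each list drops and what the log entry records. Assumptions: IOS first-match semantics with the implicit deny, probes to UDP port 33434, replies of ICMP time-exceeded (type 11) and port-unreachable (type 3, code 3); FIXED_ACL, check_acl and the packet set are this example's own names, not anything from the thread.

```python
from collections import namedtuple
# ICMP keyword -> (type, code); a None code matches any code.
ICMP_KW = {"echo": (8, 0), "echo-reply": (0, 0),
           "time-exceeded": (11, None), "port-unreachable": (3, 3)}
Packet = namedtuple("Packet", "proto dport icmp", defaults=(0, (0, 0)))  # icmp=(type, code)

def parse_ace(line):
    """'access-list N permit|deny PROTO any any [gt|eq PORT | ICMP-KEYWORD] [log]'."""
    t = line.split()
    ace = {"action": t[2], "proto": t[3], "match": None, "log": t[-1] == "log"}
    rest = t[6:-1] if ace["log"] else t[6:]
    if rest and ace["proto"] == "icmp":
        ace["match"] = ICMP_KW[rest[0]]
    elif rest:
        ace["match"] = (rest[0], int(rest[1]))
    return ace

def matches(ace, pkt):
    if ace["proto"] not in ("ip", pkt.proto):
        return False
    m = ace["match"]
    if m is None:
        return True
    if pkt.proto == "icmp":
        return m[0] == pkt.icmp[0] and m[1] in (None, pkt.icmp[1])
    op, port = m
    return {"eq": pkt.dport == port, "gt": pkt.dport > port}[op]

def evaluate(acl, pkt, log):
    for ace in map(parse_ace, acl):        # first match wins
        if matches(ace, pkt):
            if ace["log"]:
                log.append(f"{ace['action']} {pkt.proto} {pkt.dport or pkt.icmp}")
            return ace["action"] == "permit"
    return False                           # implicit 'deny ip any any' at the end

# Constructed traceroute traffic: the outbound UDP probe plus the two ICMP
# replies that carry the hop answers (neither of them is an echo-reply).
TRACEROUTE = {"udp-probe": Packet("udp", dport=33434),
              "time-exceeded": Packet("icmp", icmp=(11, 0)),
              "port-unreachable": Packet("icmp", icmp=(3, 3))}
def check_acl(acl):
    """Return ({packet name: permitted?}, entries a 'deny ... log' line recorded)."""
    log = []
    return {n: evaluate(acl, p, log) for n, p in TRACEROUTE.items()}, log

THREAD_ACL = ["access-list 100 permit udp any any gt 30000",    # Philip's lines, spelled out
              "access-list 100 permit icmp any any echo-reply",
              "access-list 100 deny ip any any log"]             # Ron's troubleshooting catch-all
FIXED_ACL = THREAD_ACL[:1] + ["access-list 100 permit icmp any any time-exceeded",
                              "access-list 100 permit icmp any any port-unreachable"]
```

With THREAD_ACL the probe passes but both ICMP replies fall through to the logged deny, which is exactly the information Ron's method surfaces; with FIXED_ACL all three pass.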
This archive was generated by hypermail 2.1.4 : Thu Jun 13 2002 - 10:31:45 GMT-3