From: Dan Pontrelli (dp595@xxxxxxxxxxxxx)
Date: Sat Aug 04 2001 - 19:20:26 GMT-3
This is what I have on my 2514 that I use to connect to my cable provider.
It allows traceroute (and ping) originated from within my network.
interface Ethernet0
ip address dhcp
ip access-group 101 in
ip nat outside
no ip mroute-cache
no cdp enable
access-list 101 permit icmp any any echo-reply
access-list 101 permit icmp any any traceroute
access-list 101 permit icmp any any time-exceeded
access-list 101 permit icmp any any unreachable
access-list 101 permit icmp any any administratively-prohibited
access-list 101 permit icmp any any packet-too-big
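An added example, not from any of the posters: a small Python model of an IOS-style extended ACL applied inbound, run over constructed packets to show which traceroute traffic access-list 101 above admits, and what the quoted access-list 100 would admit if it were applied inbound too. The ACL entries come from the thread; the evaluator, the packet set and the keyword-only ICMP matching are assumptions of this model.

```python
# Added example, not from any of the posters: a tiny model of an IOS extended
# ACL applied inbound ("ip access-group 101 in"): first match wins, implicit
# "deny ip any any" at the end. Real IOS matches ICMP type/code; this model
# matches the IOS keyword text only, which is enough for the demonstration.
from dataclasses import dataclass
from typing import Dict, List, Optional

@dataclass(frozen=True)
class Packet:
    proto: str              # "icmp", "udp" or "tcp"
    icmp_type: str = ""     # IOS keyword, e.g. "time-exceeded", "unreachable"
    dport: int = 0          # UDP/TCP destination port

@dataclass(frozen=True)
class Ace:                  # one entry: "<action> <proto> any any [icmp-type|gt N]"
    action: str             # "permit" or "deny"
    proto: str              # "icmp", "udp", "tcp" or "ip"
    icmp_type: str = ""     # "" matches any ICMP type
    dport_gt: Optional[int] = None   # models the "gt N" port operator

def ace_matches(ace: Ace, pkt: Packet) -> bool:
    if ace.proto != "ip" and ace.proto != pkt.proto:
        return False
    if ace.icmp_type and ace.icmp_type != pkt.icmp_type:
        return False
    if ace.dport_gt is not None and pkt.dport <= ace.dport_gt:
        return False
    return True

def evaluate(acl: List[Ace], pkt: Packet) -> str:
    """First matching entry wins; no match falls through to the implicit deny."""
    for ace in acl:
        if ace_matches(ace, pkt):
            return ace.action
    return "deny"

# Dan's access-list 101 from the post above.
ACL_101 = [Ace("permit", "icmp", t) for t in (
    "echo-reply", "traceroute", "time-exceeded", "unreachable",
    "administratively-prohibited", "packet-too-big")]
# Philip's access-list 100 (quoted below), if it were applied inbound as well.
ACL_100 = [Ace("permit", "udp", dport_gt=30000), Ace("permit", "icmp", "echo-reply")]

# Constructed inbound traffic: replies an inside traceroute/ping expects, plus
# unsolicited packets from outside (UDP traceroute probes start at port 33434).
INBOUND = {
    "hop reply: ICMP time-exceeded": Packet("icmp", "time-exceeded"),
    "destination reply: ICMP port-unreachable": Packet("icmp", "unreachable"),
    "ping reply: ICMP echo-reply": Packet("icmp", "echo-reply"),
    "outside UDP probe to port 33434": Packet("udp", dport=33434),
    "outside TCP to port 23": Packet("tcp", dport=23),
}

def verdicts(acl: List[Ace]) -> Dict[str, str]:
    return {name: evaluate(acl, pkt) for name, pkt in INBOUND.items()}
```

Running `verdicts(ACL_101)` shows only the ICMP replies permitted and the unsolicited UDP and TCP packets dropped, while `verdicts(ACL_100)` admits any outside UDP packet above port 30000 and drops the time-exceeded replies an inside traceroute needs.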
----- Original Message -----
From: "Philip Guo" <guo6688@hotmail.com>
To: <ccie6824@hotmail.com>; <itweber@earthlink.net>;
<ccielab@groupstudy.com>
Sent: Friday, August 03, 2001 11:27 PM
Subject: Re: permit/deny traceroute......
> The ACL for permit traceroute:
> acc 100 per udp an an gt 30000
> acc 100 per icmp an an echo-reply
>
> traceroute uses udp port >30000 and receives echo-reply from icmp
>
> Phillip
>
> >From: "Ron Royston" <ccie6824@hotmail.com>
> >Reply-To: "Ron Royston" <ccie6824@hotmail.com>
> >To: itweber@earthlink.net, ccielab@groupstudy.com
> >Subject: Re: permit/deny traceroute......
> >Date: Fri, 03 Aug 2001 14:30:35 -0500
> >
> >If I can't figure out why an application is malfunctioning and I know there
> >is an ACL between the client and server, I'll put a 'deny any any log' at
> >the end of the ACL, or set a PIX to send SYSLOGs to my laptop. Both of
> >these methods will show which transport protocol port #s are being
> >blocked. Once you have that info, you can modify the ACL.
> >
> >You'll notice that Cisco's traceroute uses variable/random UDP port numbers
> >that must be permitted. It'll take some time, but use your log messages to
> >get it working. Hope that helps.
> >
> >
> >>From: "Steven Weber" <itweber@earthlink.net>
> >>Reply-To: "Steven Weber" <itweber@earthlink.net>
> >>To: <ccielab@groupstudy.com>
> >>Subject: permit/deny traceroute......
> >>Date: Thu, 26 Jul 2001 11:02:09 -0400
> >>
> >>Hey Guys,
> >>
> >>Here's something I seem to be having a problem with. I can't properly
> >>configure an ACL for traceroute. I've tried the following with no joy:
> >>
> >>access-list 100 permit udp any any eq echo
> >>and
> >>access-list 100 permit icmp any any traceroute
> >>
> >>Anybody who can shed some light on this one ?
> >>
> >>Regards,
This archive was generated by hypermail 2.1.4 : Thu Jun 13 2002 - 10:31:45 GMT-3