Re: permit/deny traceroute......

From: Zeng Puyang (zbridge98@xxxxxxxxx)
Date: Tue Aug 07 2001 - 04:21:06 GMT-3


   
hi, according to the posts in the archive, ICMP traceroute refers to one RFC traceroute solution that was never implemented.

Could you please tell me why we should have icmp packet-too-big here? And what is icmp administratively-prohibited for?

Thanks in advance

Zeng Puyang

----- Original Message -----
From: "Dan Pontrelli" <dp595@optonline.net>
To: "Philip Guo" <guo6688@hotmail.com>; <ccie6824@hotmail.com>; <itweber@earthlink.net>; <ccielab@groupstudy.com>
Sent: Sunday, August 05, 2001 6:20 AM
Subject: Re: permit/deny traceroute......

> This is what I have on my 2514 that I use to connect to my cable provider.
> It allows traceroute (and ping) originated from within my network.
>
> interface Ethernet0
>  ip address dhcp
>  ip access-group 101 in
>  ip nat outside
>  no ip mroute-cache
>  no cdp enable
> !
> ! Inbound filter on the cable-facing interface: it permits only the ICMP
> ! messages that a ping or traceroute started from inside will trigger;
> ! everything else is dropped by the implicit deny at the end of the list.
> access-list 101 permit icmp any any echo-reply
> access-list 101 permit icmp any any traceroute
> access-list 101 permit icmp any any time-exceeded
> access-list 101 permit icmp any any unreachable
> access-list 101 permit icmp any any administratively-prohibited
> access-list 101 permit icmp any any packet-too-big
>
> ----- Original Message -----
> From: "Philip Guo" <guo6688@hotmail.com>
> To: <ccie6824@hotmail.com>; <itweber@earthlink.net>;
> <ccielab@groupstudy.com>
> Sent: Friday, August 03, 2001 11:27 PM
> Subject: Re: permit/deny traceroute......
>
>
> > The ACL to permit traceroute:
> > access-list 100 permit udp any any gt 30000
> > access-list 100 permit icmp any any echo-reply
> >
> > traceroute uses UDP ports > 30000 and receives echo-reply from ICMP
> >
> > Phillip
> >
> > >From: "Ron Royston" <ccie6824@hotmail.com>
> > >Reply-To: "Ron Royston" <ccie6824@hotmail.com>
> > >To: itweber@earthlink.net, ccielab@groupstudy.com
> > >Subject: Re: permit/deny traceroute......
> > >Date: Fri, 03 Aug 2001 14:30:35 -0500
> > >
> > >If I can't figure out why an application is malfunctioning and I know
> > >there is an ACL between the client and server, I'll put a 'deny any any
> > >log' at the end of the ACL, or set a PIX to send SYSLOGs to my laptop.
> > >Both of these methods will show what transport protocol port numbers are
> > >being blocked. Once you have that info, you can modify the ACL.
> > >
> > >You'll notice that Cisco's traceroute uses variable/random UDP port
> > >numbers that must be permitted. It'll take some time, but use your log
> > >messages to get it working. Hope that helps.
> > >
> > >
> > >>From: "Steven Weber" <itweber@earthlink.net>
> > >>Reply-To: "Steven Weber" <itweber@earthlink.net>
> > >>To: <ccielab@groupstudy.com>
> > >>Subject: permit/deny traceroute......
> > >>Date: Thu, 26 Jul 2001 11:02:09 -0400
> > >>
> > >>Hey Guys,
> > >>
> > >>Here's something I seem to be having a problem with. I can't properly
> > >>configure an ACL for traceroute. I've tried the following with no joy:
> > >>
> > >>access-list 100 permit udp any any eq echo
> > >>and
> > >>access-list 100 permit icmp any any traceroute
> > >>
> > >>Anybody who can shed some light on this one ?
> > >>
> > >>Regards,
> > >>**Please read:http://www.groupstudy.com/list/posting.html
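
The two ACLs posted in this thread (Dan's list 101 and Philip's list 100), evaluated against the replies a UDP traceroute actually generates, as an added example that is not part of the thread and not Cisco code. It is a simplified model of IOS extended-ACL evaluation (first match wins, implicit deny at the end, only "any any" entries), and it assumes the list is applied inbound on the outside interface as in Dan's "ip access-group 101 in". The sample return traffic and the addresses are constructed; the ICMP type/code values behind the IOS keywords are from RFC 792 and RFC 1812 (type 30 from RFC 1393). The `unused_entries` check shows which lines never get a first match: under list 101, `administratively-prohibited` (type 3 code 13) and `packet-too-big` (type 3 code 4) are already covered by the broader `unreachable` line above them, and `traceroute` (type 30) never sees traffic. The deny-log helper reproduces the kind of syslog line Ron's `deny ... log` method yields; its exact format is approximated from memory and labelled as such.

```python
"""Which ICMP replies an inbound ACL must permit for an outbound UDP traceroute.

Added example, not from the thread or from Cisco. Simplified IOS extended-ACL
semantics: first match wins, implicit deny at the end, only 'any any' entries.
Sample packets and addresses below are constructed for illustration.
"""
from dataclasses import dataclass

# ICMP type/code behind each IOS keyword used in the thread (RFC 792, RFC 1812,
# RFC 1393). None means "any code of that type".
ICMP_KEYWORDS = {
    "echo-reply": (0, None),
    "unreachable": (3, None),
    "packet-too-big": (3, 4),                # fragmentation needed, used by PMTUD
    "administratively-prohibited": (3, 13),  # sent by a filtering router
    "time-exceeded": (11, None),             # TTL expired: one per hop probed
    "traceroute": (30, None),                # RFC 1393 type, never deployed
}


@dataclass(frozen=True)
class Packet:
    proto: str                 # "udp" or "icmp"
    src: str
    dst: str
    dport: int = 0             # UDP destination port
    icmp_type: int = -1
    icmp_code: int = -1


# ACL entries as (action, protocol, qualifier); qualifier is an ICMP keyword,
# ("gt", port) for UDP, or None for "any".
DAN_ACL_101 = [
    ("permit", "icmp", "echo-reply"),
    ("permit", "icmp", "traceroute"),
    ("permit", "icmp", "time-exceeded"),
    ("permit", "icmp", "unreachable"),
    ("permit", "icmp", "administratively-prohibited"),
    ("permit", "icmp", "packet-too-big"),
]
PHILIP_ACL_100 = [
    ("permit", "udp", ("gt", 30000)),
    ("permit", "icmp", "echo-reply"),
]

# Constructed inbound traffic for ping/traceroute from 192.0.2.10 to 198.51.100.1.
INBOUND = {
    "ping reply":             Packet("icmp", "198.51.100.1", "192.0.2.10", icmp_type=0, icmp_code=0),
    "hop TTL expired":        Packet("icmp", "203.0.113.1", "192.0.2.10", icmp_type=11, icmp_code=0),
    "final port unreachable": Packet("icmp", "198.51.100.1", "192.0.2.10", icmp_type=3, icmp_code=3),
    "admin prohibited":       Packet("icmp", "203.0.113.9", "192.0.2.10", icmp_type=3, icmp_code=13),
    "frag needed (PMTUD)":    Packet("icmp", "203.0.113.5", "192.0.2.10", icmp_type=3, icmp_code=4),
}


def entry_matches(entry, pkt):
    _, proto, qual = entry
    if proto != pkt.proto:
        return False
    if qual is None:
        return True
    if proto == "icmp":
        t, c = ICMP_KEYWORDS[qual]
        return pkt.icmp_type == t and (c is None or pkt.icmp_code == c)
    op, port = qual                                   # udp port qualifier
    return pkt.dport > port if op == "gt" else pkt.dport == port


def first_match(acl, pkt):
    """Index of the first matching entry, or None for the implicit deny."""
    for i, entry in enumerate(acl):
        if entry_matches(entry, pkt):
            return i
    return None


def evaluate(acl, pkt):
    i = first_match(acl, pkt)
    return "deny" if i is None else acl[i][0]


def traceroute_results(acl):
    """Map each sample packet name to 'permit' or 'deny' under the given ACL."""
    return {name: evaluate(acl, pkt) for name, pkt in INBOUND.items()}


def unused_entries(acl, packets=INBOUND):
    """Entries that are never the first match for any sample packet, e.g.
    because an earlier, broader entry (unreachable = type 3, any code) shadows them."""
    hit = {first_match(acl, p) for p in packets.values()}
    return [acl[i] for i in range(len(acl)) if i not in hit]


def deny_log_line(acl_name, pkt):
    """Approximation (from memory, illustrative only) of the IOS syslog line that a
    trailing 'deny ip any any log' entry produces for a dropped ICMP packet."""
    return (f"%SEC-6-IPACCESSLOGDP: list {acl_name} denied {pkt.proto} "
            f"{pkt.src} -> {pkt.dst} ({pkt.icmp_type}/{pkt.icmp_code}), 1 packet")


if __name__ == "__main__":
    for name, acl in (("101 (Dan)", DAN_ACL_101), ("100 (Philip)", PHILIP_ACL_100)):
        print(f"ACL {name}: {traceroute_results(acl)}")
        print("  never first match:", unused_entries(acl))
    for name, pkt in INBOUND.items():
        if evaluate(PHILIP_ACL_100, pkt) == "deny":
            print(deny_log_line("100", pkt))
```

Running it shows list 101 permitting every sample reply while list 100 only lets the ping reply through: the per-hop time-exceeded and the final port-unreachable that a UDP traceroute depends on both fall to the implicit deny, which is exactly what a trailing `deny ... log` entry would surface in syslog.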



This archive was generated by hypermail 2.1.4 : Thu Jun 13 2002 - 10:31:46 GMT-3