RE: permit/deny traceroute......

From: Jason Sinclair (sinclairj@xxxxxxxxxxxxxxx)
Date: Tue Aug 07 2001 - 19:44:20 GMT-3

Zeng,

Prohib is for packets that are blocked by a firewall - the RFCs state that
if a packet is blocked by a firewall the correct action is to send an
ICMP-admin-prohib to the source. Most people never use this. Also too-big is
just that, if a net can't frag and a packet is too big it will send this - I
don't think this is widely used.

Regards,

Jason Sinclair
Team Leader - NSG
POWERTEL Limited
Level 11, 55 Clarence Street, SYDNEY
Phone: 61-2-8264-3820
Mobile: 0416 105 858
jasons@powertel.net.au

                -----Original Message-----
                From: Zeng Puyang [mailto:zbridge98@yahoo.com]
                Sent: Tuesday, 7 August 2001 17:21
                To: Dan Pontrelli; ccielab@groupstudy.com
                Subject: Re: permit/deny traceroute......

                Hi, according to the posts in the archive, icmp traceroute
                refers to one RFC traceroute solution that was never implemented.

                Could you please tell me why we should have icmp
                packet-too-big here? And what is icmp administratively-prohibited for?

                Thanks in advance

                Zeng Puyang

                ----- Original Message -----
                From: "Dan Pontrelli" <dp595@optonline.net>
                To: "Philip Guo" <guo6688@hotmail.com>;
<ccie6824@hotmail.com>; <itweber@earthlink.net>; <ccielab@groupstudy.com>
                Sent: Sunday, August 05, 2001 6:20 AM
                Subject: Re: permit/deny traceroute......

> This is what I have on my 2514 that I use to connect to my cable provider.
> It allows traceroute (and ping) originated from within my network.
>
> interface Ethernet0
> ip address dhcp
> ip access-group 101 in
> ip nat outside
> no ip mroute-cache
> no cdp enable
>
> access-list 101 permit icmp any any echo-reply
> access-list 101 permit icmp any any traceroute
> access-list 101 permit icmp any any time-exceeded
> access-list 101 permit icmp any any unreachable
> access-list 101 permit icmp any any administratively-prohibited
> access-list 101 permit icmp any any packet-too-big
>
> ----- Original Message -----
> From: "Philip Guo" <guo6688@hotmail.com>
> To: <ccie6824@hotmail.com>; <itweber@earthlink.net>;
> <ccielab@groupstudy.com>
> Sent: Friday, August 03, 2001 11:27 PM
> Subject: Re: permit/deny traceroute......
>
>
> > The ACL to permit traceroute:
> > access-list 100 permit udp any any gt 30000
> > access-list 100 permit icmp any any echo-reply
> >
> > traceroute uses udp port >30000 and receives echo-reply from icmp
> >
> > Phillip
> >
> > >From: "Ron Royston" <ccie6824@hotmail.com>
> > >Reply-To: "Ron Royston" <ccie6824@hotmail.com>
> > >To: itweber@earthlink.net, ccielab@groupstudy.com
> > >Subject: Re: permit/deny traceroute......
> > >Date: Fri, 03 Aug 2001 14:30:35 -0500
> > >
> > >If I can't figure out why an application is malfunctioning and I know
> > >there is an ACL between the client and server, I'll put a
> > >'deny any any log' at the end of the ACL, or set a PIX to send SYSLOGs
> > >to my laptop. Both of these methods will show which transport-protocol
> > >port numbers are being blocked. Once you have that info, you can modify
> > >the ACL.
> > >
> > >You'll notice that Cisco's traceroute uses variable/random UDP port
> > >numbers that must be permitted. It'll take some time, but use your log
> > >messages to get it working. Hope that helps.
> > >
> > >
> > >>From: "Steven Weber" <itweber@earthlink.net>
> > >>Reply-To: "Steven Weber" <itweber@earthlink.net>
> > >>To: <ccielab@groupstudy.com>
> > >>Subject: permit/deny traceroute......
> > >>Date: Thu, 26 Jul 2001 11:02:09 -0400
> > >>
> > >>Hey Guys,
> > >>
> > >>Here's something I seem to be having a problem with. I can't properly
> > >>configure an ACL for traceroute. I've tried the following with no joy:
> > >>
> > >>access-list 100 permit udp any any eq echo
> > >>and
> > >>access-list 100 permit icmp any any traceroute
> > >>
> > >>Anybody who can shed some light on this one ?
> > >>
> > >>Regards,
> > >>**Please read: http://www.groupstudy.com/list/posting.html
> >
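Added example, written for this archive page and not posted by anyone in the thread: a small model of which packets come back to a host running traceroute, checked against the three access-lists posted above (Steven's, Philip's and Dan's, written out with full IOS keywords). The protocol facts it encodes: classic UNIX and IOS traceroute sends UDP probes to ports 33434 and up with an increasing TTL, each intermediate router answers with ICMP type 11 (time-exceeded) and the target answers with ICMP type 3 code 3 (port-unreachable); Windows tracert sends ICMP echo instead, so the last reply is an echo-reply; ICMP type 30 (the RFC 1393 "traceroute" keyword) is never seen on the wire. Assumptions and simplifications: only `any any` entries are parsed, the ACL is evaluated in one direction as with `ip access-group 101 in`, and the IOS keyword `unreachable` is modelled as matching every code of ICMP type 3.

```python
"""Check IOS-style access-list entries against the replies a traceroute elicits.

Added example for this thread; not code from any poster.  Only 'any any'
entries are modelled, evaluated in one (inbound) direction.
"""
from dataclasses import dataclass
from typing import Optional

# IOS ICMP keywords -> (type, code); code None means any code of that type.
ICMP_KEYWORDS = {
    "echo-reply": (0, None),
    "unreachable": (3, None),
    "port-unreachable": (3, 3),
    "packet-too-big": (3, 4),
    "administratively-prohibited": (3, 13),
    "echo": (8, None),
    "time-exceeded": (11, None),
    "traceroute": (30, None),   # RFC 1393 ICMP Traceroute, never deployed
}
UDP_PORT_NAMES = {"echo": 7, "domain": 53, "snmp": 161, "syslog": 514}


@dataclass(frozen=True)
class Packet:
    proto: str                 # "udp" or "icmp"
    dport: int = 0             # UDP destination port
    icmp_type: int = -1
    icmp_code: int = -1
    note: str = ""             # who sends it and why, for the report


@dataclass(frozen=True)
class Ace:
    action: str                         # "permit" or "deny"
    proto: str                          # "udp", "icmp" or "ip"
    icmp: Optional[tuple] = None        # (type, code) filter for icmp entries
    port_op: Optional[str] = None       # "eq", "gt" or "lt" for udp entries
    port: int = 0


def parse_ace(line: str) -> Ace:
    """Parse 'access-list N permit|deny PROTO any any [qualifier ...]'."""
    t = line.split()
    if len(t) < 6 or t[0] != "access-list" or t[4:6] != ["any", "any"]:
        raise ValueError(f"unsupported ACE: {line}")
    action, proto, rest = t[2], t[3], t[6:]
    if action not in ("permit", "deny") or proto not in ("udp", "icmp", "ip"):
        raise ValueError(f"unsupported ACE: {line}")
    if proto == "icmp" and rest:
        return Ace(action, proto, icmp=ICMP_KEYWORDS[rest[0]])
    if proto == "udp" and rest:
        op, arg = rest[0], rest[1]
        port = UDP_PORT_NAMES[arg] if arg in UDP_PORT_NAMES else int(arg)
        return Ace(action, proto, port_op=op, port=port)
    return Ace(action, proto)


def matches(ace: Ace, pkt: Packet) -> bool:
    if ace.proto != "ip" and ace.proto != pkt.proto:
        return False
    if ace.proto == "icmp" and ace.icmp is not None:
        typ, code = ace.icmp
        if pkt.icmp_type != typ or (code is not None and pkt.icmp_code != code):
            return False
    if ace.proto == "udp" and ace.port_op is not None:
        if not {"eq": pkt.dport == ace.port, "gt": pkt.dport > ace.port,
                "lt": pkt.dport < ace.port}[ace.port_op]:
            return False
    return True


def evaluate(acl: list, pkt: Packet) -> str:
    """First matching entry wins; every IOS ACL ends with an implicit deny."""
    for ace in acl:
        if matches(ace, pkt):
            return ace.action
    return "deny"


def traceroute_replies(hops: int, style: str = "udp") -> list:
    """Packets that come back to the tracing host for a path of `hops` routers.
    'udp' = UNIX/IOS probes (UDP to 33434+), 'icmp' = Windows tracert (echo)."""
    replies = [Packet("icmp", icmp_type=11, icmp_code=0,
                      note=f"hop {h}: time-exceeded (TTL expired)")
               for h in range(1, hops)]
    if style == "udp":
        replies.append(Packet("icmp", icmp_type=3, icmp_code=3,
                              note=f"hop {hops}: port-unreachable from target"))
    else:
        replies.append(Packet("icmp", icmp_type=0, icmp_code=0,
                              note=f"hop {hops}: echo-reply from target"))
    return replies


def check_acl(acl_lines: list, hops: int = 3, style: str = "udp") -> dict:
    """Report which traceroute replies an inbound ACL would drop."""
    acl = [parse_ace(line) for line in acl_lines]
    blocked = [p.note for p in traceroute_replies(hops, style)
               if evaluate(acl, p) == "deny"]
    return {"works": not blocked, "blocked": blocked}


# The three access-lists from the thread, with IOS abbreviations expanded.
STEVEN = ["access-list 100 permit udp any any eq echo",
          "access-list 100 permit icmp any any traceroute"]
PHILIP = ["access-list 100 permit udp any any gt 30000",
          "access-list 100 permit icmp any any echo-reply"]
DAN = ["access-list 101 permit icmp any any echo-reply",
       "access-list 101 permit icmp any any traceroute",
       "access-list 101 permit icmp any any time-exceeded",
       "access-list 101 permit icmp any any unreachable",
       "access-list 101 permit icmp any any administratively-prohibited",
       "access-list 101 permit icmp any any packet-too-big"]

if __name__ == "__main__":
    for name, acl in (("Steven", STEVEN), ("Philip", PHILIP), ("Dan", DAN)):
        for style in ("udp", "icmp"):
            print(f"{name:7s} {style:5s} {check_acl(acl, 3, style)}")
```

Running it shows why only Dan's list works: every reply a UDP traceroute receives is ICMP time-exceeded or port-unreachable, so a list that permits only UDP probes and echo-reply (or type 30 "traceroute", which no router sends) drops all of them, and even Windows tracert only gets its final echo-reply through. Two caveats for anyone copying Dan's list: `unreachable` already matches every code of ICMP type 3, so the `administratively-prohibited` (3/13) and `packet-too-big` (3/4) lines after it can never match anything, and a line permitting all unreachables also lets in the spoofed port-unreachable or packet-too-big messages an attacker can use to tear down or shrink sessions; permitting `time-exceeded` plus `port-unreachable` (and `packet-too-big` if path MTU discovery matters) is the tighter set. A trailing `deny ip any any log` line, as Ron suggests, is the quickest way to see which type/code is still being dropped on real hardware.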



This archive was generated by hypermail 2.1.4 : Thu Jun 13 2002 - 10:31:46 GMT-3