Re: traceroute problem

From: Ralph Simmons (ciscoag2000@yahoo.com)
Date: Mon Sep 29 2003 - 16:36:08 GMT-3


Here is the link I was able to find off Cisco. It is actually about IOS Firewall. So what do you think the other parts of the access list are for then?
So the proper access list would be

inbound
permit icmp any any unreachable
permit icmp any any time-exceeded

outbound
permit udp any any
permit udp any any
http://www.cisco.com/en/US/products/sw/secursw/ps1018/products_configuration_example09186a0080094111.shtml

Arifur Rahman <arahman@cisco.com> wrote:

Hi
Here is my test result

r7-----(access-g 101 in)-----r8

r8#sh access-lists
Extended IP access list 101
permit icmp any any traceroute
permit icmp any any unreachable (18 matches)
permit icmp any any echo-reply
permit icmp any any administratively-prohibited
permit icmp any any echo
permit icmp any any time-exceeded (9 matches)
permit udp any any (3 matches)
r8#

I observed the following matches in the access list:

1. trace from r8 to r7 at valid address: permit icmp any any unreachable
2. trace from r8 to r7 at not existing address: permit icmp any any time-exceeded
3. trace from r7 to r8 at valid address: permit udp any any
4. trace from r7 to r8 at not existing address: permit udp any any

So it looks like your list is not complete and has some redundancy. Can you
please send me the pointer to cisco.com?

thanks - Arif
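The counters in Arif's test follow directly from how traceroute works: the outgoing side is UDP probes to high ports with increasing TTL, and the returning side is ICMP time-exceeded from each intermediate router plus ICMP port-unreachable from a live destination (a non-existent address simply never answers, so only the time-exceeded replies come back). The model below is an added illustration, not IOS code and not a capture from the lab: it parses `permit`/`deny` lines in the same form as the `show access-lists` output above, applies first-match-wins with the implicit deny, and keeps a per-entry hit counter. Packet sequences, hop counts and the `RALPH_INBOUND` list (the two-line inbound list proposed in the reply) are constructed for the example; only `any any` entries are modelled, so addresses and wildcards are ignored.

```python
"""Which extended-ACL entries does traceroute traffic actually hit?

Constructed model for the GroupStudy thread; not Cisco IOS code and not a
packet capture. Traceroute behaviour assumed: UDP probes (dport 33434+) with
TTL 1, 2, 3, ...; ICMP type 11 (time-exceeded) from each intermediate router;
ICMP type 3 code 3 (port-unreachable) from a live destination; silence from a
non-existent address.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Cisco ACL ICMP keywords -> (type, code); None means any code.
ICMP_KEYWORDS = {
    "echo": (8, None),
    "echo-reply": (0, None),
    "time-exceeded": (11, None),
    "unreachable": (3, None),
    "administratively-prohibited": (3, 13),
    "packet-too-big": (3, 4),
    "port-unreachable": (3, 3),
    "traceroute": (30, None),
}


@dataclass
class Packet:
    proto: str                        # "udp" or "icmp"
    icmp_type: Optional[int] = None
    icmp_code: Optional[int] = None
    dport: Optional[int] = None       # UDP destination port


@dataclass
class Ace:
    """One ACL entry, with a hit counter like the '(N matches)' in show access-lists."""
    action: str                       # "permit" or "deny"
    proto: str                        # "ip", "udp" or "icmp"
    icmp_kw: Optional[str] = None     # ICMP keyword, if any
    matches: int = 0

    def hits(self, pkt: Packet) -> bool:
        if self.proto != "ip" and self.proto != pkt.proto:
            return False
        if self.proto == "icmp" and self.icmp_kw is not None:
            want_type, want_code = ICMP_KEYWORDS[self.icmp_kw]
            if pkt.icmp_type != want_type:
                return False
            if want_code is not None and pkt.icmp_code != want_code:
                return False
        return True


def parse_acl(text: str) -> List[Ace]:
    """Parse lines such as 'permit icmp any any unreachable' or 'permit udp any any'."""
    aces = []
    for line in text.strip().splitlines():
        parts = line.split()
        action, proto = parts[0], parts[1]
        kw = parts[4] if proto == "icmp" and len(parts) > 4 else None
        aces.append(Ace(action, proto, kw))
    return aces


def apply_acl(aces: List[Ace], packets: List[Packet]) -> Tuple[int, int]:
    """First matching entry wins; unmatched packets hit the implicit deny."""
    permitted = denied = 0
    for pkt in packets:
        for ace in aces:
            if ace.hits(pkt):
                ace.matches += 1
                if ace.action == "permit":
                    permitted += 1
                else:
                    denied += 1
                break
        else:
            denied += 1                # implicit deny at the end of the list
    return permitted, denied


def traceroute_probes(hops: int, probes_per_ttl: int = 3) -> List[Packet]:
    """Outgoing side: UDP probes for TTL 1..hops+1 (the last TTL reaches the target)."""
    return [Packet("udp", dport=33434 + i) for i in range((hops + 1) * probes_per_ttl)]


def traceroute_replies(hops: int, dest_exists: bool, probes_per_ttl: int = 3) -> List[Packet]:
    """Returning side: time-exceeded from each of `hops` routers, then
    port-unreachable from the destination only if that address is live."""
    replies = [Packet("icmp", 11, 0) for _ in range(hops * probes_per_ttl)]
    if dest_exists:
        replies += [Packet("icmp", 3, 3) for _ in range(probes_per_ttl)]
    return replies


def run(acl_text: str, packets: List[Packet]) -> Tuple[int, int, Dict[str, int]]:
    """Apply a fresh copy of the ACL; return (permitted, denied, {entry: hits}) for entries that fired."""
    aces = parse_acl(acl_text)
    permitted, denied = apply_acl(aces, packets)
    fired = {(a.icmp_kw or a.proto): a.matches for a in aces if a.matches}
    return permitted, denied, fired


# The list from r8 in the thread, and the two-line inbound list proposed in the reply.
ARIF_ACL = """
permit icmp any any traceroute
permit icmp any any unreachable
permit icmp any any echo-reply
permit icmp any any administratively-prohibited
permit icmp any any echo
permit icmp any any time-exceeded
permit udp any any
"""
RALPH_INBOUND = """
permit icmp any any unreachable
permit icmp any any time-exceeded
"""

if __name__ == "__main__":
    print("r8 traces to live r7 address:   ", run(ARIF_ACL, traceroute_replies(2, True)))
    print("r8 traces to missing address:   ", run(ARIF_ACL, traceroute_replies(2, False)))
    print("r7 traces toward r8 (probes in):", run(ARIF_ACL, traceroute_probes(2)))
    print("two-line list, probes inbound:  ", run(RALPH_INBOUND, traceroute_probes(2)))
```

Running it reproduces the pattern in the test output: replies to a trace launched from behind the ACL hit only `unreachable` (live target) and `time-exceeded`, probes arriving from the far side hit only `permit udp any any`, and the `traceroute`, `echo`, `echo-reply` and `administratively-prohibited` entries never increment in this model, which is consistent with the zero counters shown for them. The last line also shows the cost of the two-line inbound list: returning replies pass, but a trace started on the other side is dropped by the implicit deny unless the UDP probes are permitted inbound as well.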

At 08:53 AM 9/29/2003 -0700, Ralph Simmons wrote:
>Hey guys,
>I am doing a lab where I am supposed to allow traceroute in along with
>some other protocols. The traceroute part is screwing me up, I
>think. How many lines do I need to configure this inbound? Here is
>what I am able to find off cisco.com, but it seems like way too many
>lines. Do I really need this many just to permit traceroute back in?
>
>access-list 102 permit icmp any 192.168.27.128 0.0.0.127 administratively-prohibited
>access-list 102 permit icmp any 192.168.27.128 0.0.0.127 echo
>access-list 102 permit icmp any 192.168.27.128 0.0.0.127 echo-reply
>access-list 102 permit icmp any 192.168.27.128 0.0.0.127 packet-too-big
>access-list 102 permit icmp any 192.168.27.128 0.0.0.127 time-exceeded
>access-list 102 permit icmp any 192.168.27.128 0.0.0.127 traceroute
>access-list 102 permit icmp any 192.168.27.128 0.0.0.127 unreachable
>access-list 102 deny ip any any
>
>
>
>
>***Get your CCIE and a FREE vacation: Shop.GroupStudy.com***
>_______________________________________________________________________
>Please help support GroupStudy by purchasing your study materials from:
>shop.groupstudy.com
>
>Subscription information may be found at:
>http://www.groupstudy.com/list/CCIELab.html

This archive was generated by hypermail 2.1.4 : Wed Oct 01 2003 - 07:24:39 GMT-3