RE: Allowing TraceRoute through an access-list

From: mani poopal (mani_ccie@yahoo.com)
Date: Wed Apr 06 2005 - 11:17:52 GMT-3


Hi Lee,
 
Sorry, I did not look at your ACL before. Now look at your outbound access-list: you are only permitting certain types of ICMP and not TCP or UDP outbound. According to Brian's email thread yesterday, for traceroute, outbound uses either TCP or UDP (random) port numbers. Try adding permit tcp any any and permit udp any any to your existing outbound ACL and it should solve the problem. If you don't want to explicitly put those in the ACL, you might need a reflexive ACL. As a test, add both udp/tcp any any to outbound and check.
 
thanks
 
Mani

Lee Donald <Lee.Donald@t-systems.co.uk> wrote:
That doesn't work Mani, if you look down on the email I have those in the access-list.

I thought it was those 2 as well ??

Anyone ?

---------------------------------

From: mani poopal [mailto:mani_ccie@yahoo.com]
Sent: 06 April 2005 15:09
To: Lee Donald; ccielab@groupstudy.com
Subject: Re: Allowing TraceRoute through an access-list

 

Hi Lee,

It is port-unreachable and time-exceeded (not ttl-exceeded):

permit icmp any any time-exceeded
permit icmp any any port-unreachable

Mani

Lee Donald <Lee.Donald@t-systems.co.uk> wrote:

I know this is a rather easy thing but I'm having a mental block with
TraceRoute.

I thought you just allow port-unreachable and ttl-exceeded for Cisco trace?
But it's not working, I've tried some of the others but no go.

Exactly which icmp type is it?

My access-list

Any help greatly appreciated.

Extended IP access list INBOUND
    10 permit icmp any any ttl-exceeded
    20 permit icmp any any port-unreachable
    30 permit icmp any any net-unreachable
    40 permit icmp any any time-exceeded
Extended IP access list OUTBOUND
    10 permit icmp any any ttl-exceeded
    20 permit icmp any any port-unreachable
    30 permit icmp any any net-unreachable
    40 permit icmp any any time-exceeded

Regards

Lee Donald.
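An added illustration, not part of the thread: a small Python model of IOS extended-ACL matching, run over Lee's posted entries against the packets a UDP-based traceroute generates. It assumes the standard IOS keyword-to-ICMP mapping (ttl-exceeded = type 11 code 0, time-exceeded = type 11 any code, port-unreachable = 3/3, net-unreachable = 3/0) and shows that the INBOUND replies are already permitted while the OUTBOUND UDP probe falls through to the implicit deny, which is what Mani's suggested permit udp any any line addresses.

```python
# IOS ICMP message keywords from Lee's lists -> (type, code); None = any code.
ICMP_KEYWORDS = {"ttl-exceeded": (11, 0), "time-exceeded": (11, None),
                 "port-unreachable": (3, 3), "net-unreachable": (3, 0)}

def parse_ace(line):
    """'[seq] permit <proto> any any [icmp-keyword]' -> (proto, (type, code) or None)."""
    w = line.split()
    if w[0].isdigit():
        w = w[1:]
    if w[:1] != ["permit"] or w[2:4] != ["any", "any"]:
        raise ValueError("unsupported ACE: " + line)
    return w[1], (ICMP_KEYWORDS[w[4]] if len(w) > 4 else None)

def permitted(acl_lines, proto, icmp_type=None, icmp_code=None):
    """First matching ACE wins; no match falls through to the implicit deny."""
    for ace_proto, icmp_match in map(parse_ace, acl_lines):
        if ace_proto != proto:
            continue
        if icmp_match is not None:
            t, c = icmp_match
            if icmp_type != t or (c is not None and icmp_code != c):
                continue
        return True
    return False

# Lee's list as posted (identical contents on INBOUND and OUTBOUND).
LEE_ACL = ["10 permit icmp any any ttl-exceeded",
           "20 permit icmp any any port-unreachable",
           "30 permit icmp any any net-unreachable",
           "40 permit icmp any any time-exceeded"]

# Constructed traceroute exchange: UDP probe leaves via OUTBOUND; each intermediate
# hop answers ICMP type 11 code 0, the destination answers type 3 code 3, both INBOUND.
TRACEROUTE_FLOW = [("OUTBOUND", "udp", None, None),
                   ("INBOUND", "icmp", 11, 0),
                   ("INBOUND", "icmp", 3, 3)]

def traceroute_verdict(inbound, outbound):
    """Permit/deny result for each packet of the exchange, tagged with its direction."""
    acls = {"INBOUND": inbound, "OUTBOUND": outbound}
    return [(d, proto, permitted(acls[d], proto, t, c)) for d, proto, t, c in TRACEROUTE_FLOW]

def traceroute_passes(inbound, outbound):
    return all(ok for _, _, ok in traceroute_verdict(inbound, outbound))

if __name__ == "__main__":
    print(traceroute_verdict(LEE_ACL, LEE_ACL))            # OUTBOUND udp -> False
    print(traceroute_passes(LEE_ACL, LEE_ACL + ["50 permit udp any any"]))  # True
```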



This archive was generated by hypermail 2.1.4 : Tue May 03 2005 - 07:54:54 GMT-3