RE: Allowing TraceRoute through an access-list

From: Lee Donald (Lee.Donald@t-systems.co.uk)
Date: Wed Apr 06 2005 - 11:24:43 GMT-3


It is a random UDP number (after debug).

Thanks.

  _____

From: mani poopal [mailto:mani_ccie@yahoo.com]
Sent: 06 April 2005 15:18
To: Lee Donald; ccielab@groupstudy.com
Subject: RE: Allowing TraceRoute through an access-list

Hi Lee,

Sorry, I did not look at your ACL before. Now look at your outbound
access-list: you are only permitting certain types of ICMP and not TCP or UDP
outbound. According to Brian's email thread yesterday, for traceroute the
outbound side uses either TCP or UDP (random) port numbers. Try adding permit tcp
any any and permit udp any any to your existing outbound ACL and it should solve
the problem. If you don't want to put those ACL entries in explicitly, you might need
a reflexive ACL. As a test, add both udp/tcp any any to outbound and check.

thanks

Mani

Lee Donald <Lee.Donald@t-systems.co.uk> wrote:

That doesn't work, Mani. If you look down the email, I have those in the
access-list.

I thought it was those 2 as well??

Anyone ?

  _____

From: mani poopal [mailto:mani_ccie@yahoo.com]
Sent: 06 April 2005 15:09
To: Lee Donald; ccielab@groupstudy.com
Subject: Re: Allowing TraceRoute through an access-list

Hi Lee,

It is port-unreachable and time-exceeded (not ttl-exceeded):

permit icmp any any time-exceeded
permit icmp any any port-unreachable

Mani

Lee Donald <Lee.Donald@t-systems.co.uk> wrote:

I know this is a rather easy thing but I'm having a mental block with
TraceRoute.

I thought you just allow port-unreachable and ttl-exceeded for Cisco trace?
But it's not working. I've tried some of the others, but no go.

Exactly which ICMP type is it?

My access-list:

Any help greatly appreciated.

Extended IP access list INBOUND
10 permit icmp any any ttl-exceeded
20 permit icmp any any port-unreachable
30 permit icmp any any net-unreachable
40 permit icmp any any time-exceeded

Extended IP access list OUTBOUND
10 permit icmp any any ttl-exceeded
20 permit icmp any any port-unreachable
30 permit icmp any any net-unreachable
40 permit icmp any any time-exceeded

Regards

Lee Donald.

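Added example configuration, not part of the thread above, showing the two halves the discussion arrives at: the outbound ACL must permit the UDP probes (Lee's OUTBOUND list only carried ICMP entries, which is why the probes never left), and the inbound ACL must permit the ICMP replies. Instead of "permit udp any any", it permits only the destination port range IOS-style traceroute actually uses. The interface name Serial0/0, the reflexive ACL name TRACE-SESSIONS and the timeout value are assumptions for illustration.

```cisco
! Added example, not from the thread. Assumes Serial0/0 is the interface the
! traceroute probes leave through; adjust interface and names for your topology.
!
! Outbound: IOS (and Unix-style) traceroute sends UDP probes to destination
! ports starting at 33434, one port per probe, so about 90 ports cover the
! default 30 hops x 3 probes. Permitting just that range is tighter than
! "permit udp any any" while still letting the probes out.
ip access-list extended OUTBOUND
 remark UDP probes from IOS/Unix-style traceroute
 permit udp any any range 33434 33534
 remark Windows tracert uses ICMP echo instead of UDP probes
 permit icmp any any echo
!
! Inbound: the answers are ICMP, not UDP, so they must be permitted explicitly.
! time-exceeded (type 11, any code) already covers ttl-exceeded (type 11 code 0),
! so listing both is redundant; port-unreachable (type 3 code 3) is the reply
! from the final hop that ends the trace.
ip access-list extended INBOUND
 permit icmp any any time-exceeded
 permit icmp any any port-unreachable
 remark echo-reply is only needed because ICMP echo is permitted outbound
 permit icmp any any echo-reply
!
interface Serial0/0
 ip access-group OUTBOUND out
 ip access-group INBOUND in
!
! Reflexive-ACL variant (the alternative Mani mentions). The reflect/evaluate
! pair only tracks the TCP/UDP session it sees leaving; the returning packets
! are ICMP and are not part of that session, so "evaluate" alone does not
! open a hole for them and the two explicit ICMP permits are still required.
! ip access-list extended OUTBOUND
!  permit udp any any range 33434 33534 reflect TRACE-SESSIONS timeout 30
! ip access-list extended INBOUND
!  evaluate TRACE-SESSIONS
!  permit icmp any any time-exceeded
!  permit icmp any any port-unreachable
```

After applying it, "show access-lists" should show the hit counters on the UDP entry of OUTBOUND and on the time-exceeded and port-unreachable entries of INBOUND climbing while a traceroute runs; if only the ICMP counters move, the probes are still being dropped on the way out.
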
This archive was generated by hypermail 2.1.4 : Tue May 03 2005 - 07:54:54 GMT-3