From: Vishal Patel (vpatel@accessproviders.com.au)
Date: Tue Jun 21 2005 - 04:39:34 GMT-3
Guys,
Sorry, in my previous mail the config was not in proper order.
My doubt is: when a user on the LAN tries to go out of Tunnel55 via the
0.0.0.0 route, will the packet have a source IP of the tunnel IP address
(10.250.3.1), or will it have the tunnel source IP address (the Dialer
interface IP address) as its source IP?
I will send again:
Whittlesea-1712#sh run
Building configuration...
Current configuration : 2655 bytes
!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Whittlesea-1712
!
boot-start-marker
boot-end-marker
!
logging buffered 4096 debugging
!
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
no aaa new-model
ip subnet-zero
!
!         
!
!
ip cef
no ip domain lookup
ip ips po max-events 100
no ftp-server write-enable
!
!
!
!
! 
!
!
!
interface Tunnel55
 description **** To 530-Collins ****
 ip address 10.250.3.1 255.255.255.252
 ip nat outside
 tunnel source Dialer1
 tunnel destination 202.130.198.241
!
interface Tunnel66
 description **** To TNH **** 
 ip address 172.28.252.2 255.255.255.252
 tunnel source Dialer1
 tunnel destination 202.130.198.242
!
!
interface FastEthernet0
 description **** To Wireless-Internet-EMIS ****
 no ip address
 duplex auto
 speed auto
 pppoe enable
 pppoe-client dial-pool-number 1
!
interface FastEthernet1
 no ip address
 spanning-tree portfast
!
!
interface Vlan1
 description Internal-Interface
 ip address 172.28.207.1 255.255.255.224
 ip helper-address 172.28.160.27
 ip helper-address 172.28.224.9
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly
 ip route-cache flow
 ip tcp adjust-mss 1300
!
interface Dialer1
 ip address negotiated
 ip mtu 1492
 ip virtual-reassembly
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 ppp authentication chap callin
 ppp chap hostname xxxx
 ppp chap password xxxx
!
ip classless
ip route 0.0.0.0 0.0.0.0 Tunnel 55
ip route 202.130.198.0 255.255.255.0 dialer 1
ip route 172.28.0.0 255.255.0.0 Tunnel66 
no ip http server
no ip http secure-server
!
ip nat inside source list 100 interface Dialer1 overload
!
!
access-list 100 deny   ip 172.28.207.0 0.0.0.127 172.28.209.128 0.0.0.127
access-list 100 deny   ip 172.28.207.0 0.0.0.127 172.28.211.96 0.0.0.31
access-list 100 deny   ip 172.28.207.0 0.0.0.127 172.28.211.64 0.0.0.31
access-list 100 deny   ip 172.28.207.0 0.0.0.127 172.28.160.0 0.0.3.255
access-list 100 permit ip 172.28.207.0 0.0.0.127 any
dialer-list 1 protocol ip permit
!
!
control-plane
!
!
line con 0
line aux 0
line vty 0 4
 password Access
 login
!
end
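The forwarding model below is an added example written for this archive page; it is not part of Vishal's mail and not IOS code. It re-implements, for one packet from the Vlan1 LAN, the three decisions the posted config makes: longest-prefix lookup over the three static routes, the `ip nat inside source list 100 interface Dialer1 overload` decision (which only fires when the egress interface is `ip nat outside`, and only Tunnel55 is), and GRE encapsulation, whose delivery header carries the `tunnel source` interface address and the `tunnel destination`, not the tunnel interface's own 10.250.3.1. Dialer1's address is negotiated by PPPoE and does not appear on the page, so the value 203.0.113.10 is an assumption. The final route lookup on the encapsulated packet also shows why the `ip route 202.130.198.0 255.255.255.0 dialer 1` entry matters: without it the tunnel destinations would themselves resolve to the default route through Tunnel55. (One unrelated caveat a reviewer of this config would raise: the vty lines carry `password Access` in clear text under `no service password-encryption`, with no `transport input ssh`.)

```python
"""Added example (not from the thread): model how the posted Whittlesea-1712
config forwards a LAN packet, so the answer to "which source address?" can be
read off the resulting headers. Dialer1's address is negotiated by PPPoE/IPCP,
so the value used here is an ASSUMPTION."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

DIALER1_IP = "203.0.113.10"   # ASSUMED negotiated PPPoE address (documentation range)

# Static routes from the posted config: (prefix, egress interface).
ROUTES = [
    ("0.0.0.0/0",        "Tunnel55"),
    ("202.130.198.0/24", "Dialer1"),
    ("172.28.0.0/16",    "Tunnel66"),
]
# GRE tunnels from the posted config: interface -> (tunnel source address, tunnel destination).
TUNNELS = {
    "Tunnel55": (DIALER1_IP, "202.130.198.241"),
    "Tunnel66": (DIALER1_IP, "202.130.198.242"),
}
NAT_OUTSIDE = {"Tunnel55"}    # only Tunnel55 is configured 'ip nat outside'

# access-list 100 as (action, src, src-wildcard, dst, dst-wildcard); 'any' = 0.0.0.0 255.255.255.255
ACL100 = [
    ("deny",   "172.28.207.0", "0.0.0.127", "172.28.209.128", "0.0.0.127"),
    ("deny",   "172.28.207.0", "0.0.0.127", "172.28.211.96",  "0.0.0.31"),
    ("deny",   "172.28.207.0", "0.0.0.127", "172.28.211.64",  "0.0.0.31"),
    ("deny",   "172.28.207.0", "0.0.0.127", "172.28.160.0",   "0.0.3.255"),
    ("permit", "172.28.207.0", "0.0.0.127", "0.0.0.0",        "255.255.255.255"),
]

def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """IOS wildcard semantics: a 0 bit must match, a 1 bit is don't-care."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    care = ~w & 0xFFFFFFFF
    return a & care == b & care

def acl_permits(acl, src: str, dst: str) -> bool:
    """First matching entry wins; an ACL ends with an implicit deny."""
    for action, s, sw, d, dw in acl:
        if wildcard_match(src, s, sw) and wildcard_match(dst, d, dw):
            return action == "permit"
    return False

def route_lookup(dst: str) -> Optional[str]:
    """Longest-prefix match over the static routes."""
    d = ipaddress.IPv4Address(dst)
    best = None
    for prefix, iface in ROUTES:
        net = ipaddress.IPv4Network(prefix)
        if d in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None

@dataclass
class Forwarded:
    egress: str                      # interface the routing table chose
    inner_src: str                   # source address of the (possibly NATed) IP packet
    inner_dst: str
    outer_src: Optional[str] = None  # GRE delivery header, present only on tunnel egress
    outer_dst: Optional[str] = None
    transport_egress: Optional[str] = None  # interface the GRE packet itself leaves on

def forward_from_lan(src: str, dst: str) -> Forwarded:
    egress = route_lookup(dst)
    inner_src = src
    # 'ip nat inside source list 100 interface Dialer1 overload' applies only when the
    # packet leaves through an 'ip nat outside' interface and list 100 permits it.
    if egress in NAT_OUTSIDE and acl_permits(ACL100, src, dst):
        inner_src = DIALER1_IP
    if egress not in TUNNELS:
        return Forwarded(egress, inner_src, dst)
    # GRE encapsulation: the delivery header carries the 'tunnel source' interface
    # address and 'tunnel destination', never the tunnel interface's own 10.250.3.1.
    outer_src, outer_dst = TUNNELS[egress]
    # The encapsulated packet is routed again; the 202.130.198.0/24 static route sends
    # it out Dialer1 instead of recursing back into the default route via Tunnel55.
    return Forwarded(egress, inner_src, dst, outer_src, outer_dst, route_lookup(outer_dst))

if __name__ == "__main__":
    for dst in ("8.8.8.8", "172.28.209.130", "172.28.161.5"):
        print(dst, forward_from_lan("172.28.207.10", dst))
```

For an Internet destination the result is inner source = Dialer1's address (NAT), outer source = Dialer1's address (tunnel source), outer destination 202.130.198.241, transport egress Dialer1. The tunnel interface address 10.250.3.1 only shows up as a source on traffic the router originates from Tunnel55 itself. Traffic for 172.28.0.0/16 takes Tunnel66, which is not `ip nat outside`, so it keeps its LAN source regardless of what list 100 says about it.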
-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of John Matus
Sent: Tuesday, 21 June 2005 3:24 PM
To: Brian Dennis; Group Study
Subject: Re: icmp - time-exceeded vs ttl-exceeded
brian..........i completely AGREE with you....i was just poking fun.  i do
believe the best way to learn is to "lab-it-up", but unfortunately some of us
don't have a personal rack we can just jump on and check things out on a
whim.  i really wish i did. we have to wait for our lab-time to check stuff
out and usually we are doing (IE) labs and (i) often forget or don't have a
chance to test out little things.
Regards,
John D. Matus
MCSE, CCNP
Office: 818-782-2061
Cell: 818-430-8372
jmatus@pacbell.net
----- Original Message ----- 
From: "Brian Dennis" <bdennis@internetworkexpert.com>
To: "John Matus" <jmatus@pacbell.net>; "Group Study" 
<ccielab@groupstudy.com>
Sent: Monday, June 20, 2005 9:33 PM
Subject: RE: icmp - time-exceeded vs ttl-exceeded
John,
You just need a PC and Ethereal (download free from
http://www.ethereal.com) to test this out.
Are we really helping if we just tell someone the answer?  Part
of the CCIE preparation is learning how to solve problems.  This is a
great one for somebody to solve.  You would be amazed at the number of
networking engineers that can't tell you how traceroute works.
Lastly I'll bet that the socratic method is better for CCIE
preparation than the "spoon fed" method ;-)
Brian Dennis, CCIE #2210 (R&S/ISP-Dial/Security)
bdennis@internetworkexpert.com
Internetwork Expert, Inc.
http://www.InternetworkExpert.com
Toll Free: 877-224-8987
Direct: 775-745-6404 (Outside the US and Canada)
-----Original Message-----
From: John Matus [mailto:jmatus@pacbell.net]
Sent: Monday, June 20, 2005 8:56 PM
To: Brian Dennis; ccie2be; Group Study
Subject: Re: icmp - time-exceeded vs ttl-exceeded
being a philosophy major in college <wonder what that did for my
marketability>, i really despise socratic method/dialogue!!! :-p
it would be great if we all had labs to just "test stuff out on"  hehehe
Regards,
John D. Matus
MCSE, CCNP
Office: 818-782-2061
Cell: 818-430-8372
jmatus@pacbell.net
----- Original Message ----- 
From: "Brian Dennis" <bdennis@internetworkexpert.com>
To: "ccie2be" <ccie2be@nyc.rr.com>; "Group Study"
<ccielab@groupstudy.com>
Sent: Monday, June 20, 2005 3:37 PM
Subject: RE: icmp - time-exceeded vs ttl-exceeded
> Tim,
> Did you think about trying the options out?
>
> Brian Dennis, CCIE #2210 (R&S/ISP-Dial/Security)
> bdennis@internetworkexpert.com
>
> Internetwork Expert, Inc.
> http://www.InternetworkExpert.com
> Toll Free: 877-224-8987
> Direct: 775-745-6404 (Outside the US and Canada)
>
> -----Original Message-----
> From: ccie2be [mailto:ccie2be@nyc.rr.com]
> Sent: Monday, June 20, 2005 3:25 PM
> To: Brian Dennis; 'Group Study'
> Subject: RE: icmp - time-exceeded vs ttl-exceeded
>
> Hi Brian,
>
> As you suggested I did look through the archives and found some
> interesting things that refreshed my memory about reflexive acl's and
> Traceroute in general.
>
> But, none of the posts I could find talked about the difference
> between time-exceeded vs ttl-exceeded.
>
> I accept the fact that I need to permit time-exceeded to fulfill the
> tasks in IE lab 2 and 3, but I'm still curious as to the difference
> between these 2 icmp options.
>
> My hope is that if I really knew the difference, it would be easier to
> remember which one to use under the pressure of the lab.
>
> Thanks, Tim
>
> -----Original Message-----
> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
> Brian Dennis
> Sent: Monday, June 20, 2005 5:31 PM
> To: ccie2be; Group Study
> Subject: RE: icmp - time-exceede vs ttl-exceeded
>
> Tim,
> You should search the archive as there was a long discussion on
> this topic about a year ago.  Also as far as using the traceroute
> option for the ICMP type, if you understand how traceroute works you'll
> know why you don't use it.
>
> Brian Dennis, CCIE #2210 (R&S/ISP-Dial/Security)
> bdennis@internetworkexpert.com
>
> Internetwork Expert, Inc.
> http://www.InternetworkExpert.com
> Toll Free: 877-224-8987
> Direct: 775-745-6404 (Outside the US and Canada)
>
> -----Original Message-----
> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
> ccie2be
> Sent: Monday, June 20, 2005 2:02 PM
> To: Group Study
> Subject: icmp - time-exceede vs ttl-exceeded
>
> Hi guys,
>
> Let's assume I want to configure a reflexive acl which allows
> Traceroute packets back in.
>
> I'm trying to make sure I select the correct icmp type packet to allow
> back-in.  But, when I do the following I see lots of options.
>
> R5(config)#access-list 101 perm icmp any any ?
>  <0-255>                      ICMP message type
>  administratively-prohibited  Administratively prohibited
>  alternate-address            Alternate address
>  conversion-error             Datagram conversion
>  dod-host-prohibited          Host prohibited
>  dod-net-prohibited           Net prohibited
>  dscp                         Match packets with given dscp value
>  echo                         Echo (ping)
>  echo-reply                   Echo reply
>  fragments                    Check non-initial fragments
>  general-parameter-problem    Parameter problem
>  host-isolated                Host isolated
>  host-precedence-unreachable  Host unreachable for precedence
>  host-redirect                Host redirect
>  host-tos-redirect            Host redirect for TOS
>  host-tos-unreachable         Host unreachable for TOS
>  host-unknown                 Host unknown
>  host-unreachable             Host unreachable
>  information-reply            Information replies
>  information-request          Information requests
>  log                          Log matches against this entry
>  log-input                    Log matches against this entry, including
>                               input interface
>  mask-reply                   Mask replies
>  mask-request                 Mask requests
>  mobile-redirect              Mobile host redirect
>  net-redirect                 Network redirect
>  net-tos-redirect             Net redirect for TOS
>  net-tos-unreachable          Network unreachable for TOS
>  net-unreachable              Net unreachable
>  network-unknown              Network unknown
>  no-room-for-option           Parameter required but no room
>  option-missing               Parameter required but not present
>  packet-too-big               Fragmentation needed and DF set
>  parameter-problem            All parameter problems
>  port-unreachable             Port unreachable
>  precedence                   Match packets with given precedence value
>  precedence-unreachable       Precedence cutoff
>  protocol-unreachable         Protocol unreachable
>  reassembly-timeout           Reassembly timeout
>  redirect                     All redirects
>  router-advertisement         Router discovery advertisements
>  router-solicitation          Router discovery solicitations
>  source-quench                Source quenches
>  source-route-failed          Source route failed
>  time-exceeded                All time exceededs        <----- **************
>  time-range                   Specify a time-range
>  timestamp-reply              Timestamp replies
>  timestamp-request            Timestamp requests
>  tos                          Match packets with given TOS value
>  traceroute                   Traceroute                <----- #############
>  ttl-exceeded                 TTL exceeded              <----- *****************
>  unreachable                  All unreachables
>  <cr>
>
>
> Notice how similar the 2 "starred" options look.  What's the
> difference between these 2 options?
>
> Also, if I need to allow Traceroute back-in, why wouldn't I use the
> traceroute option?
>
> TIA, Tim
>
>
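The script below is an added example for this archive page; it is not from any participant in the thread and not IOS code. It answers Tim's two questions on the wire level. In IOS, `ttl-exceeded` matches ICMP type 11 code 0 only (time to live exceeded in transit), `time-exceeded` matches type 11 with any code (so also code 1, `reassembly-timeout`), and `traceroute` matches ICMP type 30, the RFC 1393 ICMP Traceroute message, which no common traceroute tool sends or expects. A UDP traceroute (Cisco, Unix) gets type 11 code 0 from each intermediate hop and type 3 code 3 (port unreachable) from the target; Windows tracert probes with ICMP echo and gets an echo reply from the target. Those replies come from the intermediate routers, not from the address and ports of the outbound session the reflexive ACL mirrored, which is why a static `permit icmp ... time-exceeded` (plus `port-unreachable` or `echo-reply`) has to sit beside the reflexive entries. The hop addresses and the ACLs under test are constructed sample data.

```python
"""Added example (not from the thread): what the IOS ICMP keywords in the
question resolve to on the wire, and which of them actually match the replies a
traceroute produces. Hop addresses below are constructed sample data."""
import struct

# IOS keyword -> (ICMP type, code); code None means "any code" for that type.
IOS_ICMP_KEYWORDS = {
    "echo":               (8, None),
    "echo-reply":         (0, None),
    "unreachable":        (3, None),   # "All unreachables"
    "port-unreachable":   (3, 3),
    "time-exceeded":      (11, None),  # "All time exceededs": codes 0 and 1
    "ttl-exceeded":       (11, 0),     # time to live exceeded in transit
    "reassembly-timeout": (11, 1),     # fragment reassembly time exceeded
    "traceroute":         (30, None),  # RFC 1393 ICMP Traceroute message, a distinct type
}

def checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def icmp_message(icmp_type: int, code: int, rest: bytes = b"\x00" * 4) -> bytes:
    """8-byte ICMP header with a valid checksum (quoted payload omitted)."""
    body = struct.pack("!BBH", icmp_type, code, 0) + rest
    return struct.pack("!BBH", icmp_type, code, checksum(body)) + rest

def parse_icmp(pkt: bytes):
    """Return (type, code) after verifying the checksum; None if truncated or corrupt."""
    if len(pkt) < 8 or checksum(pkt) != 0:
        return None
    t, c, _ = struct.unpack("!BBH", pkt[:4])
    return t, c

def acl_match(entries, pkt: bytes):
    """Return the first IOS ICMP keyword in `entries` that matches `pkt`, else None."""
    parsed = parse_icmp(pkt)
    if parsed is None:
        return None
    t, c = parsed
    for kw in entries:
        mt, mc = IOS_ICMP_KEYWORDS[kw]
        if t == mt and (mc is None or c == mc):
            return kw
    return None

def simulate_traceroute(path, probe="udp"):
    """Replies generated by a traceroute along `path` (last element is the target).
    Intermediate hops answer with type 11 code 0 when the probe's TTL expires; the
    target answers a UDP probe with type 3 code 3 (no listener on the high port) and
    an ICMP-echo probe (Windows tracert) with type 0 (echo reply)."""
    replies = []
    for ttl, hop in enumerate(path, start=1):
        if ttl < len(path):
            replies.append((hop, icmp_message(11, 0)))
        elif probe == "udp":
            replies.append((hop, icmp_message(3, 3)))
        else:
            replies.append((hop, icmp_message(0, 0)))
    return replies

def evaluate_acl(entries, path, probe="udp"):
    """Which traceroute replies an inbound ACL built from `entries` lets through."""
    return [(hop, acl_match(entries, pkt)) for hop, pkt in simulate_traceroute(path, probe)]

if __name__ == "__main__":
    PATH = ["10.0.0.1", "10.0.1.1", "192.0.2.10"]   # constructed sample hops
    for acl in (["traceroute"], ["ttl-exceeded"], ["time-exceeded", "port-unreachable"]):
        print(acl, evaluate_acl(acl, PATH))
```

Running it shows an ACL of only `traceroute` matching nothing, `ttl-exceeded` alone passing the intermediate hops but dropping the target's port-unreachable (the last line of the traceroute shows `* * *`), and `time-exceeded` plus `port-unreachable` passing every reply.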
This archive was generated by hypermail 2.1.4 : Wed Jul 06 2005 - 14:43:42 GMT-3