Re: Vlan Map and Traceroute

From: Patrick Aland (paland@gmail.com)
Date: Wed Jul 27 2005 - 12:09:44 GMT-3


Your ACL is requiring your dst port to be gt 34433, but in your debug
the dst is 33435 (less than 34433), causing your ACL to not match and
thus be denied.

On 7/27/05, gladston@br.ibm.com <gladston@br.ibm.com> wrote:
> Would you believe this?
>
> Vlan map is matching access-list 111.
>
> This does not allow (wrongly) traceroute to 148.5.15.5
>
> access-list 111 permit icmp any any
> access-list 111 permit udp any any gt 34433
> access-list 111 deny ip any any
>
> R8#trace 148.5.15.5
>
> Type escape sequence to abort.
> Tracing the route to 148.5.15.5
>
> 1 * * *
> 2 * * *
> 3 * * *
>
> Adding this makes it work:
>
> access-list 111 permit udp any gt 34433 a
>
> R8#trace 148.5.15.5
>
> Type escape sequence to abort.
> Tracing the route to 148.5.15.5
>
> 1 148.5.26.2 4 msec 4 msec 4 msec
> 2 148.5.235.5 4 msec * 4 msec
>
> It does not make sense. What I can think is that IOS is not considering the source UDP valid, although it could be any value with the acl 'access-list 111 permit udp any any gt 34433'
>
> Debug shows that traceroute is using a source port that should pass the command 'access-list 111 permit udp any any gt 34433':
>
> *Mar 1 02:57:39: IP: s=148.5.26.100 (local), d=148.5.15.5 (Ethernet0), len 28, sending
> *Mar 1 02:57:39: UDP src=38582, dst=33435 *
>
> I should not get surprised with IOS results anymore.
>
> Sometimes the only way to find a problem is trying things that consider IOS is not working right.
>
> Version is C3550-I5Q3L2-M, 12.1(20)EA1a
>

-- 
--Patrick
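To make the point of the reply concrete, the following is an added example (not code from either poster) that models first-match evaluation of the two ACL 111 variants from the thread against the UDP probe shown in the debug output (src=38582, dst=33435). In IOS extended ACL syntax the port operator that follows the source address applies to the source port and the one that follows the destination address applies to the destination port, so `permit udp any any gt 34433` tests only the destination port. Addresses are all `any` in the thread and are therefore left out of the model; the added `permit udp any gt 34433 any` entry is assumed to sit before the final deny, which is what the working traceroute in the thread implies.

```python
"""Model of first-match evaluation of an IOS extended ACL (added example)."""
from dataclasses import dataclass
from typing import Optional, Tuple

# A port condition is (operator, value); None means "any port".
PortCond = Optional[Tuple[str, int]]


@dataclass(frozen=True)
class Ace:
    action: str             # "permit" or "deny"
    proto: str              # "ip", "udp", "tcp" or "icmp"
    sport: PortCond = None  # operator after the SOURCE address
    dport: PortCond = None  # operator after the DESTINATION address
    # Source/destination addresses are "any" throughout the thread,
    # so address matching is omitted from this model.


@dataclass(frozen=True)
class Packet:
    proto: str
    sport: Optional[int] = None
    dport: Optional[int] = None


def port_matches(cond: PortCond, port: Optional[int]) -> bool:
    """Apply one IOS port operator (eq/gt/lt/neq) to a port number."""
    if cond is None:
        return True
    if port is None:          # e.g. ICMP carries no ports
        return False
    op, value = cond
    return {"eq": port == value, "gt": port > value,
            "lt": port < value, "neq": port != value}[op]


def ace_matches(ace: Ace, pkt: Packet) -> bool:
    # "ip" matches every protocol; otherwise protocols must agree.
    if ace.proto != "ip" and ace.proto != pkt.proto:
        return False
    return port_matches(ace.sport, pkt.sport) and port_matches(ace.dport, pkt.dport)


def evaluate(acl, pkt: Packet):
    """Return (action, index) of the first matching ACE, or the implicit deny."""
    for i, ace in enumerate(acl):
        if ace_matches(ace, pkt):
            return ace.action, i
    return "deny", None       # implicit deny at the end of every IOS ACL


# ACL 111 as posted: the gt in "permit udp any any gt 34433" is on the
# DESTINATION port, so a probe to dst 33435 falls through to the deny.
ACL_111_ORIGINAL = [
    Ace("permit", "icmp"),
    Ace("permit", "udp", dport=("gt", 34433)),
    Ace("deny", "ip"),
]

# With "permit udp any gt 34433 any" added (assumed to precede the deny):
# the gt is now on the SOURCE port, which the probe's src=38582 satisfies.
ACL_111_AMENDED = [
    Ace("permit", "icmp"),
    Ace("permit", "udp", dport=("gt", 34433)),
    Ace("permit", "udp", sport=("gt", 34433)),
    Ace("deny", "ip"),
]

# The probe from the debug output in the thread: UDP src=38582, dst=33435.
TRACEROUTE_PROBE = Packet("udp", sport=38582, dport=33435)


def probe_result(acl):
    """Evaluate the thread's traceroute probe against a given ACL."""
    return evaluate(acl, TRACEROUTE_PROBE)


if __name__ == "__main__":
    print("original ACL 111:", probe_result(ACL_111_ORIGINAL))  # ('deny', 2)
    print("amended ACL 111: ", probe_result(ACL_111_AMENDED))   # ('permit', 2)
```

Running the model reproduces the thread's behaviour: the probe is denied by the third entry of the original ACL and permitted by the added source-port entry of the amended one, while ICMP traffic matches the first entry in both. The lesson for anyone writing a VLAN map or interface ACL for traceroute is to check which side of the destination address the port operator lands on before blaming the platform.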

