Hi all,
I have a switch with multiple VLANs on it. Each VLAN has a corresponding ACL ending with the following line:
deny ip any any log
I would like to permit tracert and traceroute commands to be executed on the servers that reside on my public VLAN. However, when I execute these commands I can see that their packets are being denied by the ACL on this VLAN. I thought that I would simply add the following line:
permit icmp any any
Unfortunately, this does not work as the packets are being dropped.
The systems that reside on this VLAN are both Microsoft Windows 2003 server and UNIX machines. I have found a post on the internet saying that UNIX and Cisco traceroute send UDP packets and Windows TRACERT sends ICMP. In both cases the returning packets are only ICMP. For TRACERT, you need to add the following to your ACL (before the last entry denying everything, of course):
permit icmp any any echo-reply
However, this does not seem to work. Please let me know what I need to add to my configuration to allow packets of these two commands.
Thank you, AL
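An added example, not part of AL's post, that models first-match ACL evaluation in Python and shows why the echo-reply entry leaves the trace blocked: the replies each hop sends back are ICMP time-exceeded (type 11) and, for UDP traceroute, unreachable (type 3), which an echo-reply rule never matches. The matcher, the sample packets and the UDP probe port range 33434-33534 are assumptions for illustration, not Cisco's implementation.

```python
from collections import namedtuple

# ICMP message types that appear during a trace (RFC 792).
ECHO_REPLY, UNREACHABLE, TIME_EXCEEDED = 0, 3, 11

# A rule: proto "ip" matches everything; icmp_type narrows ICMP rules, udp_ports
# is an inclusive (low, high) destination-port range for UDP rules.
Rule = namedtuple("Rule", "action proto icmp_type udp_ports", defaults=(None, None))
Packet = namedtuple("Packet", "proto icmp_type dst_port", defaults=(None, None))

def rule_matches(rule, pkt):
    if rule.proto != "ip" and rule.proto != pkt.proto:
        return False
    if rule.icmp_type is not None and rule.icmp_type != pkt.icmp_type:
        return False
    if rule.udp_ports is not None:
        lo, hi = rule.udp_ports
        if pkt.dst_port is None or not lo <= pkt.dst_port <= hi:
            return False
    return True

def evaluate(acl, pkt):
    # First match wins; falling off the end is the implicit deny.
    for rule in acl:
        if rule_matches(rule, pkt):
            return rule.action
    return "deny"

# The poster's ACL: only echo-reply is permitted before "deny ip any any log".
POSTER_ACL = [Rule("permit", "icmp", icmp_type=ECHO_REPLY), Rule("deny", "ip")]

# Constructed ACL that also admits the per-hop replies and the UDP probes
# (assumed probe port range 33434-33534; check the tools actually in use).
TRACEROUTE_ACL = [
    Rule("permit", "icmp", icmp_type=ECHO_REPLY),
    Rule("permit", "icmp", icmp_type=TIME_EXCEEDED),  # TTL expired at each hop
    Rule("permit", "icmp", icmp_type=UNREACHABLE),    # UDP probe reached the target
    Rule("permit", "udp", udp_ports=(33434, 33534)),  # UNIX traceroute probes
    Rule("deny", "ip"),
]

def verdicts(acl):
    # Decision for each kind of packet a trace produces (constructed samples).
    return {
        "hop time-exceeded": evaluate(acl, Packet("icmp", icmp_type=TIME_EXCEEDED)),
        "port-unreachable": evaluate(acl, Packet("icmp", icmp_type=UNREACHABLE)),
        "echo-reply": evaluate(acl, Packet("icmp", icmp_type=ECHO_REPLY)),
        "unix udp probe": evaluate(acl, Packet("udp", dst_port=33434)),
    }
```

Which direction the real ACL is applied on the VLAN interface decides whether the probes or the replies are the packets being evaluated, and the post does not say; the model treats both the same way.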