ACL entry allowing tracert and traceroute

Are you just adding it to the existing, or are you creating a new, putting in the permit icmp statements up earlier in the ACL, and then having the implicit deny at the end. Sometimes, simply adding lines adds them below the deny and therefore they will not work. That way, you need to create a new ACL (add 1 to the number or something but make sure you are modifying an existing ACL), then modify the acl statement on the vlan to use the new ACL. Let us know how you fare.

Yes, I am adding it to an existing ACL. However, I made sure to insert it before the "deny ip any any" statement.

Thanks, AL

"permit icmp any any echo-reply" is not the correct thing for your purpose.

For the replies:-

unix traceroute needs permit icmp any any time-exceeded ! for the intermediate hops permit icmp any any unreachable ! for the final dest (udp port unreachable is what is required but I am not sure if that can be specified to that level of detail)

Windows tracert needs permit icmp any any time-exceeded ! for the intermediate hops permit icmp any any echo-reply ! for the final dest.

Above is from memory and details may not be exact.

If you change your deny to log the matched packets deny ip any any log you will see the denied packets in the log.

I am not sure but it may be that the ICMP packet type and command are logged and you can then look them up.

failing that :- deb ip packet ! BEWARE possible HIGH CPU

debugs can (and WILL) render routers non-functional you need to be prepared for that or very carefully limit the debug output perhaps with access-lists.

Hello, bod43!

b> For the replies:-

b> unix traceroute needs b> permit icmp any any time-exceeded ! for the intermediate hops b> permit icmp any any unreachable ! for the final dest b> (udp port unreachable is what is required but I am not sure b> if that can be specified to that level of detail)

man traceroute:

... -p Protocol specific. For UDP and TCP, sets the base port number used in probes (default is 33434). Traceroute hopes that noth- ing is listening on UDP ports base to base + nhops - 1 at the destination host (so an ICMP PORT_UNREACHABLE message will be returned to terminate the route tracing). If something is lis- tening on a port in the default range, this option can be used to pick an unused port range. ...

I have added all three entries at the beginning of my ACL definition, but it did not work. The only way it works for me is when I add the "permit udp any any" entry (I am running traceroute from a UNIX system.)

Please let me know how to address this, because it is driving me nuts!

Hello, snipped-for-privacy@vp.pl!

a> bod43 wrote: ??>> unix traceroute needs ??>> permit icmp any any time-exceeded ! for the intermediate hops ??>> permit icmp any any unreachable ! for the final dest ??>>

??>> Windows tracert needs ??>> permit icmp any any time-exceeded ! for the intermediate hops ??>> permit icmp any any echo-reply ! for the final dest.

a> I have added all three entries at the beginning of my ACL definition, a> but it did not work. The only way it works for me is when I add the a> "permit udp any any" entry (I am running traceroute from a UNIX system.)

And again for Unix (Linux/FreeBSD): "man traceroute"

Andrew, help me out here. What am I supposed to look for?

Hello, snipped-for-privacy@vp.pl!

a> Andrew Lutov wrote: ??>> And again for Unix (Linux/FreeBSD): "man traceroute"

a> Andrew, help me out here. What am I supposed to look for?

See my previous message.

Or again:

man traceroute:

...

-p Set the base UDP port number used in probes (default is 33434). Traceroute hopes that nothing is listening on UDP ports base to base + nhops - 1 at the destination host (so an ICMP PORT_UNREACHABLE message will be returned to terminate the route tracing). If something is listening on a port in the default range, this option can be used to pick an unused port range.

" permit udp any range 33434 33523 any

or

permit udp any any range 33434 33523 "