ACL entry allowing tracert and traceroute

Discussion in 'Cisco' started by aleu, Dec 1, 2008.

  1. aleu

    aleu Guest

    Hi all,

    I have a switch with multiple VLANs on it. Each VLAN has a corresponding
    ACL ending with the following line:

    deny ip any any log

    I would like to permit tracert and traceroute commands to be executed on
    the servers that reside on my public VLAN. However, when I execute these
    commands I can see that their packets are being denied by the ACL on
    this VLAN. I thought that I would simply add the following line:

    permit icmp any any

    Unfortunately, this does not work as the packets are being dropped.

    The systems that reside on this VLAN are both Microsoft Windows 2003
    server and UNIX machines. I have found a post on the internet saying
    that UNIX and Cisco traceroute send UDP packets and Windows TRACERT
    sends ICMP. In both cases the returning packets are only ICMP. For
    TRACERT, you need to add the following to your ACL (before the last
    entry denying everything, of course):

    permit icmp any any echo-reply

    However, this does not seem to work. Please let me know what I need
    to add to my configuration to allow the packets of these two commands.

    Thank you,
    AL
     
    aleu, Dec 1, 2008
    #1

  2. Trendkill

    Trendkill Guest

    Are you just adding it to the existing ACL, or are you creating a new one,
    putting the permit icmp statements in earlier in the ACL, and then
    having the implicit deny at the end? Sometimes simply adding lines
    adds them below the deny and therefore they will not work. In that case
    you need to create a new ACL (add 1 to the number or something, but
    make sure you are modifying an existing ACL), then modify the ACL
    statement on the VLAN to use the new ACL. Let us know how you fare.
     
    Trendkill, Dec 1, 2008
    #2

  3. aleu

    aleu Guest

    Yes, I am adding it to an existing ACL. However, I made sure to insert
    it before the "deny ip any any" statement.

    Thanks,
    AL
     
    aleu, Dec 1, 2008
    #3
  4. bod43

    bod43 Guest

    "permit icmp any any echo-reply"
    is not the correct thing for your purpose.

    For the replies:-

    unix traceroute needs
    permit icmp any any time-exceeded ! for the intermediate hops
    permit icmp any any unreachable ! for the final dest
    (udp port unreachable is what is required but I am not sure
    if that can be specified to that level of detail)

    Windows tracert needs
    permit icmp any any time-exceeded ! for the intermediate hops
    permit icmp any any echo-reply ! for the final dest.

    Above is from memory and details may not be exact.

    If you change your deny to log the matched packets
    deny ip any any log
    you will see the denied packets in the log.

    I am not sure but it may be that the ICMP packet
    type and command are logged and you can then
    look them up.

    failing that :-
    deb ip packet ! BEWARE possible HIGH CPU

    debugs can (and WILL) render routers non-functional
    you need to be prepared for that or very carefully
    limit the debug output perhaps with access-lists.
     
    bod43, Dec 2, 2008
    #4
  5. Andrew Lutov

    Andrew Lutov Guest

    Hello, bod43!

    b> For the replies:-

    b> unix traceroute needs
    b> permit icmp any any time-exceeded ! for the intermediate hops
    b> permit icmp any any unreachable ! for the final dest
    b> (udp port unreachable is what is required but I am not sure
    b> if that can be specified to that level of detail)

    man traceroute:

    ....
    -p Protocol specific. For UDP and TCP, sets the base port number
    used in probes (default is 33434). Traceroute hopes that nothing
    is listening on UDP ports base to base + nhops - 1 at the
    destination host (so an ICMP PORT_UNREACHABLE message will be
    returned to terminate the route tracing). If something is
    listening on a port in the default range, this option can be used
    to pick an unused port range.
    ....

    33434 + 3 * 30 (hops) = 33524, i.e. from 33434 to 33523.
     
    Andrew Lutov, Dec 2, 2008
    #5
  6. aleu

    aleu Guest

    I have added all three entries at the beginning of my ACL definition,
    but it did not work. The only way it works for me is when I add the
    "permit udp any any" entry (I am running traceroute from a UNIX system.)

    Please let me know how to address this, because it is driving me nuts!
     
    aleu, Dec 4, 2008
    #6
  7. aleu

    aleu Guest

    Andrew, help me out here. What am I supposed to look for?
     
    aleu, Dec 4, 2008
    #7
  8. Andrew Lutov

    Andrew Lutov Guest

    Hello, !

    a> Andrew Lutov wrote:
    ??>> And again for Unix (Linux/FreeBSD): "man traceroute"

    a> Andrew, help me out here. What am I supposed to look for?

    See my previous message.

    Or again:

    man traceroute:

    ....
    -p Set the base UDP port number used in probes (default is 33434).
    Traceroute hopes that nothing is listening on UDP ports base to
    base + nhops - 1 at the destination host (so an ICMP
    PORT_UNREACHABLE message will be returned to terminate the route
    tracing). If something is listening on a port in the default
    range, this option can be used to pick an unused port range.


    33434 + 3 * 30(hops)=33524, i.e. from 33434 to 33523.

    "
    permit udp any range 33434 33523 any

    or

    permit udp any any range 33434 33523
    "
     
    Andrew Lutov, Dec 4, 2008
    #8
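The ICMP types bod43 lists and the UDP port range Andrew derives, checked together in an added example that is not from the thread: a small Python evaluator for the exact ACL forms quoted above, run over a constructed traceroute/tracert exchange. It assumes a single ACL sees both the outbound probes and the returning ICMP, parses only the destination-port `range` form, and adds a `permit icmp any any echo` line for the Windows echo requests, which the reply-only lists in the thread do not cover.

```python
def traceroute_udp_port_range(base=33434, probes_per_hop=3, max_hops=30):
    """Destination ports a default UNIX traceroute probes: 33434 .. 33434 + 3*30 - 1."""
    return base, base + probes_per_hop * max_hops - 1

def parse_acl(text):
    rules = []  # handles the thread's forms: 'any any' then icmp type, 'range lo hi' or 'log'
    for line in text.strip().splitlines():
        words = line.split("!")[0].split()          # '!' starts an IOS comment
        action, proto, qual = words[0], words[1], words[4:]
        rule = {"action": action, "proto": proto, "icmp_type": None, "ports": None}
        if proto == "icmp" and qual and qual[0] != "log":
            rule["icmp_type"] = qual[0]             # echo-reply, time-exceeded, unreachable, ...
        if proto == "udp" and qual[:1] == ["range"]:
            rule["ports"] = (int(qual[1]), int(qual[2]))   # destination-port range
        rules.append(rule)
    return rules

def matches(rule, pkt):
    if rule["proto"] != "ip" and rule["proto"] != pkt["proto"]:
        return False
    if rule["icmp_type"] and rule["icmp_type"] != pkt.get("icmp_type"):
        return False
    if rule["ports"] and not rule["ports"][0] <= pkt["dport"] <= rule["ports"][1]:
        return False
    return True

def evaluate(rules, pkt):
    """First matching entry wins, as on IOS; anything unmatched hits the implicit deny."""
    return next((r["action"] for r in rules if matches(r, pkt)), "deny")
lo, _ = traceroute_udp_port_range()
EXCHANGE = [  # constructed packets; assumes one ACL sees both probes and replies
    ("unix probe, hop 1",      {"proto": "udp", "dport": lo}),
    ("unix reply, hop 1",      {"proto": "icmp", "icmp_type": "time-exceeded"}),
    ("unix probe, hop 30",     {"proto": "udp", "dport": lo + 3 * 29}),
    ("unix reply, final host", {"proto": "icmp", "icmp_type": "unreachable"}),
    ("windows probe",          {"proto": "icmp", "icmp_type": "echo"}),
    ("windows reply, final",   {"proto": "icmp", "icmp_type": "echo-reply"}),
]

def denied(acl_text):
    """Names of the exchange packets this ACL would drop."""
    return [n for n, p in EXCHANGE if evaluate(parse_acl(acl_text), p) == "deny"]

ORIGINAL_ACL = "permit icmp any any echo-reply\ndeny ip any any log"   # aleu's first attempt
FIXED_ACL = """permit icmp any any time-exceeded ! intermediate hops, both tools
permit icmp any any unreachable ! final hop, UNIX traceroute (port unreachable)
permit icmp any any echo-reply ! final hop, Windows tracert
permit icmp any any echo ! Windows tracert probes (added here; not in the thread's reply-only list)
permit udp any any range 33434 33523 ! UNIX traceroute probes
deny ip any any log"""
```

Running `denied(ORIGINAL_ACL)` shows every UDP probe and every time-exceeded reply hitting the final deny, which is exactly what the logged denies in the thread would show; `denied(FIXED_ACL)` is empty.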
