Am I right to think that a customer firewall is stopping my trace?

Discussion in 'Cisco' started by maxxot2005, May 6, 2005.

  1. maxxot2005 (Guest)

    My equipment is a cisco 2610 IOS c2600-i-mz.122-10b.

    I configured the following static route:
    ip route 172.16.104.0 255.255.254.0 172.16.32.2

    Ethernet 0/0 address is 172.16.32.1/20

    I can ping the gateway 172.16.32.2 and the router is applying the
    static route:
    xxx#sh ip route 172.16.104.0
    Routing entry for 172.16.104.0/23
    Known via "static", distance 1, metric 0
    Redistributing via ospf 99
    Advertised by ospf 99 subnets route-map static_ospf_ge
    Routing Descriptor Blocks:
    * 172.16.32.2
    Route metric is 0, traffic share count is 1

    However a trace to the remote host 172.16.104.12 always fails:
    Tracing the route to 172.16.104.12

    1 * * *
    2 * * *

    No ACL seems to be blocking my trace on my router:
    xxx#sh ip access-lists
    Standard IP access list 25
    permit 192.168.0.0, wildcard bits 0.0.255.255
    permit 204.231.97.0, wildcard bits 0.0.0.255
    Standard IP access list static_to_ospf_ge
    permit 172.16.48.0, wildcard bits 0.0.1.255 (1 match) check=74
    permit 172.16.50.0, wildcard bits 0.0.1.255 (1 match) check=73
    permit 172.16.104.0, wildcard bits 0.0.1.255 (3 matches) check=70
    permit 172.16.88.0, wildcard bits 0.0.3.255 (10 matches) check=60
    Extended IP access list 101
    deny ospf any any
    permit ip any any (48 matches)

    I asked the customer to check whether this gateway 172.16.32.2, which
    should be a router, has implemented some ACLs that are stopping my trace,
    or whether there could be a firewall somewhere. Am I right in your opinion?
    maxxot2005, May 6, 2005
    #1

  2. :My equipment is a cisco 2610 IOS c2600-i-mz.122-10b.

    :I can ping the gateway 172.16.32.2 and the router is applying the
    :static route:

    :However a trace to the remote host 172.16.104.12 always fails:

    :No acl seems be blocking my trace on my router:

    You might have to specifically enable processing of icmp time-exceeded
    messages on your router. No blocking ACL is necessary if your
    router is throwing away what it gets.

    You should be able to check this by using a packet debug, or putting
    an ACL with a 'log' statement on the return traffic.
    Walter Roberson, May 6, 2005
    #2
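An added IOS configuration example for the logging-ACL check suggested in reply #2; it is not from the thread or from either poster. The ACL number 102 is an arbitrary assumption, and Ethernet0/0 is the interface named in the question; the ICMP type keywords are standard IOS extended-ACL options.

```cisco
! Added example, not from the thread. Log the ICMP replies that a
! traceroute depends on as they arrive on the LAN interface, so the hit
! counters show whether the 2610 ever receives them.
! ACL number 102 is assumed; Ethernet0/0 is the interface from the question.
access-list 102 permit icmp any any time-exceeded log
access-list 102 permit icmp any any unreachable log
access-list 102 permit icmp any any echo-reply log
access-list 102 permit ip any any
!
interface Ethernet0/0
 ip access-group 102 in
!
! Re-run the trace, then inspect the counters and the log buffer:
!   show access-lists 102
!   show logging
! Reading the result:
!   - time-exceeded line counts matches but the trace still prints "* * *":
!     the replies arrive and the router itself is discarding them, which is
!     the case reply #2 describes.
!   - no matches on any ICMP line while the trace runs: nothing comes back
!     from 172.16.32.2 or beyond, which points at the next-hop device or a
!     filter further along the path.
! Remove the test ACL afterwards:
!   interface Ethernet0/0
!    no ip access-group 102 in
```

The permit ip any any at the end keeps the ACL from blocking normal traffic while the test runs, so only the logging counters change.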