ACL ( Access Control List ) entry allowing tracert and traceroute
  #1  
Old 02-12-2008
Member
 
Join Date: Nov 2008
Posts: 21
ACL ( Access Control List ) entry allowing tracert and traceroute

I have a switch with multiple VLANs on it. Each VLAN has a corresponding ACL ending with the following line:

deny ip any any log

I would like to permit tracert and traceroute commands to be executed on the servers that reside on my public VLAN. However, when I execute these commands I can see that their packets are being denied by the ACL on this VLAN. I thought that I would simply add the following line:

permit icmp any any

Unfortunately, this does not work as the packets are being dropped.

The systems that reside on this VLAN are both Microsoft Windows 2003 server and UNIX machines. I have found a post on the internet saying that UNIX and Cisco traceroute send UDP packets and Windows TRACERT sends ICMP. In both cases the returning packets are only ICMP. For TRACERT, you need to add the following to your ACL (before the last entry denying everything, of course):

permit icmp any any echo-reply

However, this does not seem to work. Please let me know what I need to add to my configuration to allow the packets of these two commands.
Thank you,
  #2  
Old 02-12-2008
Marco-D
Member
 
Join Date: May 2008
Posts: 181
Re: ACL ( Access Control List ) entry allowing tracert and traceroute

Are you just adding it to the existing ACL, or are you creating a new one, putting the permit icmp statements earlier in the ACL and then having the implicit deny at the end? Sometimes simply adding lines adds them below the deny, and therefore they will not work. In that case, you need to create a new ACL (add 1 to the number or something, but make sure you are modifying an existing ACL), then modify the ACL statement on the VLAN to use the new ACL. Let us know how you fare.
  #3  
Old 02-12-2008
Member
 
Join Date: Nov 2008
Posts: 21
Re: ACL ( Access Control List ) entry allowing tracert and traceroute

Yes, I am adding it to an existing ACL. However, I made sure to insert it before the "deny ip any any" statement.

Thanks,
  #4  
Old 02-12-2008
Marco-D
Member
 
Join Date: May 2008
Posts: 181
Re: ACL ( Access Control List ) entry allowing tracert and traceroute

Quote:
Originally Posted by Daljeet
Yes, I am adding it to an existing ACL. However, I made sure to insert it before the "deny ip any any" statement.

Thanks,
"permit icmp any any echo-reply" is not the correct thing for your purpose.

For the replies:-

unix traceroute needs:
permit icmp any any time-exceeded ! for the intermediate hops
permit icmp any any unreachable ! for the final dest (udp port unreachable is what is required but I am not sure if that can be specified to that level of detail)

Windows tracert needs:
permit icmp any any time-exceeded ! for the intermediate hops
permit icmp any any echo-reply ! for the final dest

Above is from memory and details may not be exact.

If you change your deny to log the matched packets:
deny ip any any log
you will see the denied packets in the log. I am not sure, but it may be that the ICMP packet type and command are logged and you can then look them up.

failing that :-
deb ip packet ! BEWARE possible HIGH CPU

Debugs can (and WILL) render routers non-functional; you need to be prepared for that, or very carefully limit the debug output, perhaps with access-lists.
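As an added example (not code from this thread or from any Cisco tool), the following Python first-match evaluator over Cisco-style extended ACL entries shows why the three attempts discussed above behave as they do: an entry appended after the deny never matches, "echo-reply" alone still drops the intermediate-hop time-exceeded replies, and the entry set from the last reply admits both UNIX traceroute and Windows tracert replies. The packet model and sample traffic are constructed for the example; the ACL lines are the ones quoted in the thread.

```python
from __future__ import annotations
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    proto: str            # "icmp", "udp" or "tcp" (constructed model, not a real parser)
    icmp_type: str = ""   # Cisco keyword, e.g. "echo-reply", "time-exceeded", "unreachable"

def parse_ace(line: str) -> tuple[str, str, str]:
    """Parse 'permit|deny <proto> any any [icmp-type] [log]' into (action, proto, icmp_type).
    Only the 'any any' form used in the thread is supported; anything else raises."""
    words = line.split()
    if words and words[-1] == "log":        # logging does not affect the match decision
        words = words[:-1]
    if (len(words) not in (4, 5) or words[0] not in ("permit", "deny")
            or words[2:4] != ["any", "any"]):
        raise ValueError(f"unsupported ACE: {line!r}")
    return words[0], words[1], (words[4] if len(words) == 5 else "")

def evaluate(acl: list[str], pkt: Packet) -> str:
    """Return the action of the first entry that matches; IOS has an implicit deny at the end."""
    for line in acl:
        action, proto, icmp_type = parse_ace(line)
        proto_ok = proto == "ip" or proto == pkt.proto
        type_ok = icmp_type == "" or icmp_type == pkt.icmp_type
        if proto_ok and type_ok:
            return action
    return "deny"

def all_permitted(acl: list[str], pkts: list[Packet]) -> bool:
    return all(evaluate(acl, p) == "permit" for p in pkts)

# Constructed sample traffic: the ICMP replies a server on the VLAN receives while tracing.
UNIX_REPLIES = [Packet("icmp", "time-exceeded"), Packet("icmp", "unreachable")]
WIN_REPLIES = [Packet("icmp", "time-exceeded"), Packet("icmp", "echo-reply")]

# (1) Permit entry appended *after* the deny (the situation post #2 suspects): never reached.
APPENDED = ["deny ip any any log", "permit icmp any any"]
# (2) echo-reply inserted before the deny: covers tracert's final hop only.
ECHO_ONLY = ["permit icmp any any echo-reply", "deny ip any any log"]
# (3) The entries from post #4, all placed ahead of the deny.
FIXED = ["permit icmp any any time-exceeded", "permit icmp any any unreachable",
         "permit icmp any any echo-reply", "deny ip any any log"]

if __name__ == "__main__":
    for name, acl in (("appended", APPENDED), ("echo-only", ECHO_ONLY), ("fixed", FIXED)):
        print(name, "unix:", all_permitted(acl, UNIX_REPLIES), "windows:", all_permitted(acl, WIN_REPLIES))
```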