Access-list....HELP Please.

Status
Not open for further replies.
Jan 30, 2002
I have an access-list that allows any ICMP to come in. Which it works kinda. If I am doing a tracert from a DOS window it seems to make it there just fine, but if I go to another router it does not, it * out and says it's alive.
Any ideas?
Thanks
 
You've allowed ICMP and so a tracert from DOS will work. But if you trace from a router it uses UDP, and so this will be blocked unless you specifically let it in! Remember that your ACL will have an implicit deny statement at the end.

Chris.
************************
Chris Andrew, CCNA
chrisac@gmx.co.uk
************************
 
Ahmmm... traceroute uses both ICMP and UDP.. doesn't matter if it's a PC or a router. It uses UDP on the way out and ICMP on the way back. The UDP is the request and controls the hop count of the packet. The ICMP has the *error code* to be parsed at the workstation to give you the results.

PING uses ICMP only which is why ping does not return any hosts in the middle of the trace.. just the results from the target.

I've glossed over quite a bit but this is the general idea.


And much more than you could want to know ;-)
::snip::
The Traceroute packet struct opacket (38 bytes) contains the IP header
struct ip (20 bytes) and UDP header struct udphdr (8 bytes).
:::Snip::

MikeS
Find me at
"The trouble with giving up civil rights is that you never get them back"
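
The implicit deny discussed in the replies above, as an added example that is not part of any post in this thread: a small first-match ACL evaluator run over constructed probe packets. The rule set, the packet descriptions and the UDP port range 33434-33534 (the conventional traceroute destination range) are assumptions made for illustration.

```python
# Added example: first-match ACL evaluation with the implicit deny at the end.
# The ACL entries and probe packets are constructed for illustration.
from dataclasses import dataclass
from typing import Optional, Tuple

@dataclass(frozen=True)
class Rule:
    action: str                               # "permit" or "deny"
    proto: str                                # "icmp", "udp", "tcp" or "ip" (any)
    dports: Optional[Tuple[int, int]] = None  # inclusive range, UDP/TCP only

@dataclass(frozen=True)
class Packet:
    desc: str
    proto: str
    dport: Optional[int] = None

def matches(rule, pkt):
    if rule.proto not in ("ip", pkt.proto):
        return False
    if rule.dports is None:
        return True
    lo, hi = rule.dports
    return pkt.dport is not None and lo <= pkt.dport <= hi

def evaluate(acl, pkt):
    """Return the action of the first matching rule; no match means deny."""
    for rule in acl:
        if matches(rule, pkt):
            return rule.action
    return "deny"   # implicit deny: never written in the ACL, always present

# An ACL like the one in the question: only ICMP is permitted inbound.
ICMP_ONLY = [Rule("permit", "icmp")]
# Same ACL plus an assumed permit for the UDP traceroute destination range.
WITH_UDP_TRACE = ICMP_ONLY + [Rule("permit", "udp", (33434, 33534))]

PROBES = [
    Packet("ICMP echo probe (tracert from a DOS window)", "icmp"),
    Packet("UDP probe (traceroute from a router)", "udp", 33434),
    Packet("unrelated UDP (port 161)", "udp", 161),
]

def report(acl):
    return {p.desc: evaluate(acl, p) for p in PROBES}

if __name__ == "__main__":
    for name, acl in (("icmp only", ICMP_ONLY), ("icmp + udp trace", WITH_UDP_TRACE)):
        for desc, action in report(acl).items():
            print(f"{name:18} {action:6} {desc}")
```

The narrow UDP range keeps the added permit from opening unrelated UDP services, which still fall through to the implicit deny.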
 