We all know that MS traceroute and *nix traceroute work a bit differently. *nix works by sending UDP packets with low ttls to random high UDP ports.
Of course this creates a problem when trying to create an ip6tables rule where I want to allow traceroute. Anyone got something clean that will make this work? This is an example of current drops in my firewall log:
I need to allow traceroute traffic through an ASA running version 8.0.2. This traffic is NATted. What configuration is required on the ASA to allow this NATted traceroute traffic? Traffic is coming from inside and going outside. Also, can we capture this traceroute traffic on the ASA using the capture feature?
I've got an annoying problem with my ASA 5520. I have traffic going from the inside interface (security level 100) to the outside interface (security level 0) with a global PAT applied to the outside interface address for all inside traffic, and I can't seem to traceroute through the firewall. The ruleset is simple: basically, allow any IP from inside to outside. The NAT is simple: PAT all traffic, unless exempted, to the IP address of the outside interface. If I do the trace from my internet edge router it works fine, so I know it's not something my uplinks are filtering, but if I do it through the firewall, I get perfect responses until the hop where it hits the firewall interface, then nothing. Is there something I am missing that I need to do to allow traceroute to just work with all the rest of the traffic?
I have been searching to find out how to allow traceroute from an inside host to an outside IP address. I have found a few articles for IOS versions prior to 8.4 but nothing for 8.4. I can traceroute from the CLI of the 5510 just fine, but from a Windows host on the inside network all I get is "Request timed out".
Here are two traceroutes, both to 82.195.128.132. One results in the name ns1.hosting365.ie and the other in the name mail.hosting365.ie. Why the difference? [code]
I'm working as a network engineer for a service provider, and we have just gone through a pretty large-scale upgrade throughout our network and service. But not long after the upgrade (or maybe ever since the upgrade; we can't confirm this because we probably missed it due to the many other links that had to be tested), we met a peculiar problem. Everything seems to be running fine most of the time, but there has been some weird "ghost-like" activity which has been causing inconsistent network disruptions. At times, certain portions of the network can't communicate with other subnets. Most obvious is the problem with a continuous ping and a traceroute run simultaneously. Ping is usually normal, but once a traceroute is attempted, it times out at the same time as tracert fails to obtain the route. Besides that, performing a ping from the second-closest hop address, 10.250.253.251, which is a Cisco layer 3 switch, also has problems; the results are shown below.
Type escape sequence to abort
[CODE]
Source --- Router 1 (ip 1.1.1.1) --- ACE --- router --- cloud --- customer --- router --- destination (ip 99.99.99.99). Traceroute from client to destination shows the following:
traceroute 99.99.99.99
traceroute to 99.99.99.99 (99.99.99.99), 30 hops max, 40 byte packets
 1  1.1.1.1 (1.1.1.1)  1.10 ms  1.78 ms
 2  99.99.99.99 (99.99.99.99)  1.01 ms  1.97 ms  2.511 ms
 3  99.99.99.99 (99.99.99.99)  2.01 ms  *  99.99.99.99 (99.99.99.99)  2.330 ms
So on this, the destination is 99.99.99.99. The first hop is the default gateway, which is 1.1.1.1. After that, the next step is the Cisco ACE. After that there are several hops to the destination. It looks like for some reason the Cisco ACE is not recording its IP. (For any destination the traceroute result is the same.) ICMP is allowed in the access list and there is also ICMP inspect in my config.
access-list ICMP line 10 extended permit icmp any
class-map type management match-any abc 201 match protocol ssh source-address X.X.0.0 x.x.0.0 class-map match-all ICMP_allow 2 match access-list ICMP
There is an issue with traceroute from an ASA 5505 with 9.0(2); here is the running configuration [code]. With this running configuration, traceroute from the LAN to a public IP works fine, but once I traceroute from the LAN 192.168.225.x to the corporate networks via the IPsec L2L tunnel, it does not show any hop at all; even the inside interface of the ASA does not show in the traceroute.
We have an ASA 5505 and a 5510 that we are using site-to-site. I need to traceroute from the 5505 to the 5510, from the outside interfaces. I don't want to do this through the site-to-site. I have temporarily added a few ACLs on the outside interfaces:
access-list outside_in extended permit icmp any any unreachable
access-list outside_in extended permit icmp any any time-exceeded
access-list outside_in extended permit icmp any any echo-reply
When I traceroute it only goes one hop. Maybe that's the way it's supposed to be? I need to know all the hops between the outside interface on the 5505 and the outside interface on the 5510.
I've read through netpro and found everyone points to this doc.
However, that still doesn't allow traceroute through for us. We still see syslogs with denies on high random UDP ports to different Internet destinations.
I am encountering an issue where IPv6 traceroute, both from within the LAN and from the Cisco router itself, is unable to function beyond the WAN interface of my Cisco 1941 router with IOS v15.x.
Below is the IPv6 access list: [code]
sequence 410 remark Allow Specific Inbound ICMP Types
permit icmp any 2001:D98:XXXX::/64 1 3
permit icmp any 2001:D98:XXXX::/64 packet-too-big
To make the ASA show up as a hop in a traceroute, one can use the 'set connection decrement-ttl' feature in a policy map. During my tests I noticed that this behaviour only affects IPv4 traffic.
An IPv6 traceroute still does not show the ASA as a hop. How can I configure the ASA to show up as a hop in an IPv6 traceroute? The ASA is a 5520 with v8.4(1) installed.
=> Routing protocol in question: EIGRP. => Two equal-metric routes for destination A (through R1 and R2, SVIs on two upstream 6500s).
Is the traceroute output that alternates between 1.1 => 10.1 => 1.1 normal, given that the two routes are "equal metric routes for the same routing protocol in use", or is that "round robin behavior" indicative of a routing problem?
Why does the SX300 series only display ping and traceroute results in 20 ms intervals (see below)? The example in the CLI manual shows "regular" results. These 20 ms intervals are not useful for troubleshooting. This is version 1.1.0.73 on an SF300-24. [code]
I have a DI-604 Version E3 D-Link router and I'm trying to allow VPN through the router, but I'm not exactly sure how. I have the VPN set up on my PCs, but I need to configure the router as well. I'm trying to set up the VPN so multiple locations can access it.
I'm new to this site, fully Microsoft certified but only just getting into Cisco and looking to pass my CCNA later this year. Actual commands and general use on Ciscos I'm quite good at, but general networking knowledge (subnetting and network layers) I kinda suck at, so I will be studying a lot on this side of things. [CODE]
I've recently had to move an AS400 system behind an internal ASA firewall and now users are unable to browse to it. The ASA is running Version 8.2(5). I get these messages: Sep 11 2012 17:09:59: %ASA-7-710005: UDP request discarded from 172.19.241.35/137 to outside:172.19.241.255/137. Is there a way to enable these ports without enabling NAT? No VPNs involved, just an inside and an outside eth interface.
When I set a static IP on my device, it works for a short time, then it won't connect again unless I do DHCP. It's like the router chooses an IP for the device, and only allows it to use that one.
The same thing happened a while ago with my desktop. I wanted to set a static IP so I could access it from another building, and the router, being the piece of crap it is, reset all the IPs and wouldn't allow the computer to connect. D-Link WBR-1310, Hardware B1, Firmware 2.02.
I've got an 1841 router acting as the firewall for a LAN. It also does NAT and acts as the dialer for a PPPoE DSL line to the internet.
All is working fine, except now I need to allow a Tivo device to connect to certain ports on the Tivo servers on the internet. I want only the Tivo to be able to do this. The problem is that NAT is happening before my outbound ACL is checked, so even though I've got rules to allow the Tivo's LAN address out on all ports, it never works. I've verified this using a syslog server, and can see my external DSL IP trying to connect to the Tivo servers and being denied.
I've done things like this at work by NATting the appropriate internal host to its own external static IP address, which allows me to write rules allowing only that external address to do stuff. But I don't have multiple external addresses to work with here.
I tried applying my outbound ACL to the LAN interface of the router in the "in" direction (and removing the same ACL from the Dialer interface in the "out" direction), but that broke other things like the router's own ability to ping out to the LAN or to see a TFTP server on the LAN. I could maybe fix all of that with rule changes and inspect statements on traffic going out toward the LAN (not sure of this, think so), but I'm wondering:
Is there a better way to let just the Tivo make outgoing connections to certain ports?
Config pasted below:
! ! Last configuration change at 17:15:10 CDT Sun Jul 15 2012 ! NVRAM config last updated at 16:27:14 CDT Sun Jul 15 2012 by someguy !
This is actually on my home television network: Uverse, which uses one of those dumb 2Wire modem, router, wifi, 4-port 10/100 switch combo devices. It is NOT my internet source; it is just for IPTV services from ATT. Short of replacing the 2Wire gateway with a new one from ATT, I have a good learning-experience question to ask.
I have two switches available at my home to work with on this issue: an EHWIC 8-port Gig switch in my router and a 24-port 3750E Gig switch.
Whenever I plug the 2Wire Uverse device into either Cisco switch (any port, any cable, both crossover and straight), there are masses of CRC errors generated by the cheapy 2Wire thing.
CRC being a layer1 issue in nature I have tried everything short of replacing the 2wire and that is next. There is one caveat.
When the CRC errors are generated and logged on the 3750, it just seems to continue to forward those frames to wherever they need to go regardless, albeit with a ton of errors.
On the EHWIC 8-port in my 1921 router it seems to stop forwarding after about 10 secs of encountering CRC errors. What gives? Is there some special command that tells a switch to forward frames regardless of CRC errors? Is the 3750 able to deal with them and just forward away, and the EHWIC card not able to?
I got an old computer to use from a family member and it is not allowing me to connect to the internet. It shows all my wireless connections but won't allow me to connect and use the internet. How do I fix this problem?
I just bought the 655, mainly for school/Xbox. My parents use it also, but I bought it for myself mainly (shh). I set it up correctly and got connected, but suddenly I wasn't allowed Internet access. The router connects to my laptop, but won't get Internet access. I called customer service and he didn't know what to do. We tried everything he knew and nothing worked. I don't want to return the router cause I read it was very good, but I need internet for school. I have Rev. A and F/W 2.00.
We have a Cisco 2800 router and are now required to allow users to be able to connect to another company's extranet. Having tried this, it won't allow this connection, so I have added this to access-list 101:
access-list 101 remark SDM_ACL Category=0
access-list 101 permit ip any host 192.168.0.246
access-list 101 permit ip any host 192.168.0.247
I don't think the GRE is being allowed back in. I have attached a cut-down copy of the config. I have just general experience of Cisco routers and am not Cisco qualified.
I have got my CCNA Voice lab configured and it is up and running. My switch is configured with two different VLANs (Data & Voice) and fa 0/1 is configured as a trunk port connecting to the CME router. I can telnet or SSH to all the devices on the network, but only the switch is not accepting the request; the only message I am getting is "request timeout".
We have a customer that is looking to allow only static IP addresses onto the wireless network via the new 5508 we are putting into place. I can see where to require DHCP but not the opposite.
There is a problem with my WLC: it is not allowing a specific client to connect. It gives an 802.1x failure log, but I am not using 802.1x. Anyway, the WLC puts this client in the excluded clients list and I didn't add it manually; in fact it is a new laptop.
I have a 7100 router that has some servers behind it. I need to translate each server to a public IP. The only thing is that between the outside world and the router is an ASA. We have a small data center where the ASA is connected to a core switch on the inside and the ISP on the outside. How would I do the NAT/PAT translations on the 7100 and then have them pass through the ASA? for example:
I am trying to configure Zone Based Firewall (IOS 15.2T) on Cisco 881 router for IPv6. Current setup is simple:
Zone: LAN --> WAN zone security LAN zone security WAN ! class-map type inspect match-any Internet-cmap match protocol dns match protocol http match protocol https [ code ] ........
Current configuration behaves as expected for IPv4, but blocks all IPv6 traffic. If zone-security is removed from WAN interface IPv6 works normally (connected to Internet). As soon as zone-security is enabled on WAN interface all IPV6 traffic is discarded when connecting to Internet from local LAN.
Error messages on console: Half-open Sessions source destination tcp SIS_OPENING/TCP_SYNSENT
Are there any special settings for ZBF which should be turned on for IPv6 protocol?
I am looking to create an office network with each person having internet access but on a private network. However, everyone will need to be able to access a communal printer. Would they be able to see it if they were all on a different subnet, or would I need to set up VLANs?
I recently got a new Toshiba laptop, which works perfectly. We already have an HP desktop PC as well as a Dell laptop, which are both connected to an Ethernet router. When I got my Toshiba, I couldn't connect to the router, whether from a new Internet cable, the cable the Dell uses, or the cable the HP uses (it works perfectly fine with Wifi). The next day I got up early and tried again, and it worked. The HP was turned on, and it connected. But then the Dell wouldn't. Over the next couple of days, we realized the problem was that the router only allowed the first two computers that were connected to it to connect to the Internet, but not the third one. The router itself allows eight cables to be plugged into it at a time, so I don't see why it's only allowing two computers, whether laptop or desktop, to connect. Is there a possible solution to this? It's an 8-Port Workgroup Switch, Model EZXS88W. Also, our router DOES NOT support Wifi.
A colleague at my university is using an Airport Time Capsule 1TB (Model A1355) to share files with his students wirelessly. The machines are running Leopard 10.5.8 and it works well, but it will only allow 20 wireless clients at a time. All the client machines log in with a password. When you remove one of the 20, another can log in.
The tech specs on the Apple website just say that it accepts wireless guest access, and there is no mention of a 20-client limit. I looked right through Airport Utility and couldn't find where the number of wireless clients could be configured. Does anybody know if this is the hard limit for the number of wireless clients for an Airport Time Capsule 1TB (Model A1355)? If it is not a hard limit, does anybody know how to change it?