Filtering with Extended ACLs

Hello community,

I'm just trying to understand why a traceroute from R8 to R6 won't get a response back. If traceroute uses the UDP range 33434-33464, then my logic says the return traffic should be allowed by permitting UDP sourced from those ports, but it doesn't seem to be working:

R4(config)#do sh access-l
Extended IP access list INBOUND
    10 permit tcp any 150.1.0.0 0.0.255.255 established
    20 permit tcp any 155.1.146.0 0.0.0.255 range ftp-data ftp
    30 permit tcp any 155.1.146.0 0.0.0.255 eq www
    40 permit udp any 155.1.146.0 0.0.0.255 eq snmp
    50 permit udp any 155.1.146.0 0.0.0.255 eq snmptrap
    60 permit tcp any 155.1.146.0 0.0.0.255 eq 162
    70 permit udp any 155.1.146.0 0.0.0.255 eq domain
    80 permit tcp any 155.1.146.0 0.0.0.255 eq domain
    90 permit udp any any eq rip (27 matches)
    100 permit icmp any any echo
    110 permit icmp any any echo-reply
    120 permit udp any any range 33434 33464 (13 matches)
    130 permit udp any range 33434 33464 any
    140 permit icmp any any packet-too-big
    150 deny icmp any any unreachable
    160 deny ip any any
Extended IP access list OUTBOUND
    10 permit tcp 150.1.0.0 0.0.255.255 any
    20 permit tcp 155.1.146.0 0.0.0.255 range ftp-data ftp any
    30 permit tcp 155.1.146.0 0.0.0.255 eq www any
    40 permit udp 155.1.146.0 0.0.0.255 eq snmp any
    50 permit udp 155.1.146.0 0.0.0.255 eq snmptrap any
    60 permit tcp 155.1.146.0 0.0.0.255 eq 162 any
    70 permit udp 155.1.146.0 0.0.0.255 eq domain any
    80 permit tcp 155.1.146.0 0.0.0.255 eq domain any
    90 permit icmp any any echo
    100 permit icmp any any echo-reply
    110 permit udp any any range 33434 33464
    120 permit udp any range 33434 33464 any
    130 permit icmp any any packet-too-big
    140 deny icmp any any unreachable (7 matches)
    150 deny ip any any


Traceroute from R8:

R8(config)#do trace 155.1.146.6

Type escape sequence to abort.
Tracing the route to 155.1.146.6
VRF info: (vrf in name/id, vrf out name/id)
  1 155.1.58.5 4 msec 0 msec 0 msec
  2 155.1.0.4 16 msec 20 msec 16 msec
  3  *  *  *
  4  *  *  *

UDP debug from R6:

R6#
*Sep  7 08:11:54.012: UDP: rcvd src=155.1.58.8(49217), dst=155.1.146.6(33442), length=8

It clearly shows R8 is using UDP destination port 33442, which matches INBOUND entry #120, so R6 should be replying from source UDP 33442 and match OUTBOUND entry #120, but instead it seems to be matching OUTBOUND entry #140 (deny icmp any any unreachable). Why is this?

Thanks in advance
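To make the match sequence visible rather than inferred from hit counters, here is an added example (not part of the post) that re-implements just enough of IOS extended-ACL semantics in Python to walk the two lists shown above: first match wins, an implicit deny at the end, `any`/wildcard addresses, `eq`/`range` ports, `established`, and the ICMP keywords the lists use. The packets fed through it are taken from the post: the UDP probe in the R6 debug line, and the reply a host generates for a UDP probe to a closed port, which is ICMP type 3 code 3 (port unreachable), not a UDP datagram sourced from port 33442. The `FIXED_OUTBOUND` list, the sequence number 135 and the port-name table are this example's own constructions; `port-unreachable` is the real IOS keyword for that ICMP type/code.

```python
"""Toy evaluator for the Cisco-style extended ACLs quoted in the post (added example)."""
import ipaddress

# Subset of the IOS well-known-name table covering the names in the two lists.
PORT_NAMES = {"ftp-data": 20, "ftp": 21, "www": 80, "domain": 53,
              "snmp": 161, "snmptrap": 162, "rip": 520}
# IOS ICMP keyword -> (type, code); a None code matches every code of that type.
ICMP_NAMES = {"echo": (8, None), "echo-reply": (0, None),
              "packet-too-big": (3, 4), "unreachable": (3, None),
              "port-unreachable": (3, 3), "ttl-exceeded": (11, 0)}

# The two lists exactly as printed by "show access-lists" on R4.
INBOUND_TEXT = """
10 permit tcp any 150.1.0.0 0.0.255.255 established
20 permit tcp any 155.1.146.0 0.0.0.255 range ftp-data ftp
30 permit tcp any 155.1.146.0 0.0.0.255 eq www
40 permit udp any 155.1.146.0 0.0.0.255 eq snmp
50 permit udp any 155.1.146.0 0.0.0.255 eq snmptrap
60 permit tcp any 155.1.146.0 0.0.0.255 eq 162
70 permit udp any 155.1.146.0 0.0.0.255 eq domain
80 permit tcp any 155.1.146.0 0.0.0.255 eq domain
90 permit udp any any eq rip (27 matches)
100 permit icmp any any echo
110 permit icmp any any echo-reply
120 permit udp any any range 33434 33464 (13 matches)
130 permit udp any range 33434 33464 any
140 permit icmp any any packet-too-big
150 deny icmp any any unreachable
160 deny ip any any
"""
OUTBOUND_TEXT = """
10 permit tcp 150.1.0.0 0.0.255.255 any
20 permit tcp 155.1.146.0 0.0.0.255 range ftp-data ftp any
30 permit tcp 155.1.146.0 0.0.0.255 eq www any
40 permit udp 155.1.146.0 0.0.0.255 eq snmp any
50 permit udp 155.1.146.0 0.0.0.255 eq snmptrap any
60 permit tcp 155.1.146.0 0.0.0.255 eq 162 any
70 permit udp 155.1.146.0 0.0.0.255 eq domain any
80 permit tcp 155.1.146.0 0.0.0.255 eq domain any
90 permit icmp any any echo
100 permit icmp any any echo-reply
110 permit udp any any range 33434 33464
120 permit udp any range 33434 33464 any
130 permit icmp any any packet-too-big
140 deny icmp any any unreachable (7 matches)
150 deny ip any any
"""
# Constructed fix: one entry, sequenced before the deny, for the reply traceroute needs.
FIXED_OUTBOUND_TEXT = OUTBOUND_TEXT.replace(
    "140 deny", "135 permit icmp any any port-unreachable\n140 deny")

def _port(tok):
    return PORT_NAMES.get(tok) or int(tok)

def _parse_addr(toks, i):
    """'any' / 'host A' / 'A WILDCARD' -> ((network_int, wildcard_int), next_index)."""
    if toks[i] == "any":
        return (0, 0xFFFFFFFF), i + 1
    if toks[i] == "host":
        return (int(ipaddress.IPv4Address(toks[i + 1])), 0), i + 2
    return (int(ipaddress.IPv4Address(toks[i])),
            int(ipaddress.IPv4Address(toks[i + 1]))), i + 2

def _parse_ports(toks, i):
    """Optional 'eq X' / 'range A B' -> ((lo, hi) or None, next_index)."""
    if i < len(toks) and toks[i] == "eq":
        p = _port(toks[i + 1])
        return (p, p), i + 2
    if i < len(toks) and toks[i] == "range":
        return (_port(toks[i + 1]), _port(toks[i + 2])), i + 3
    return None, i

def parse_acl(text):
    entries = []
    for line in text.strip().splitlines():
        toks = line.split("(")[0].split()          # drop "(N matches)" counters
        seq, action, proto = int(toks[0]), toks[1], toks[2]
        src, i = _parse_addr(toks, 3)
        sport, i = _parse_ports(toks, i)
        dst, i = _parse_addr(toks, i)
        dport, i = _parse_ports(toks, i)
        rest = toks[i:]                            # 'established' or an ICMP keyword
        entries.append({"seq": seq, "action": action, "proto": proto,
                        "src": src, "sport": sport, "dst": dst, "dport": dport,
                        "icmp": ICMP_NAMES[rest[0]] if proto == "icmp" and rest else None,
                        "established": "established" in rest})
    return entries

def _addr_ok(rule, ip):
    net, wild = rule                               # wildcard bit set = don't care
    return int(ipaddress.IPv4Address(ip)) & ~wild == net & ~wild

def _ports_ok(rng, port):
    return rng is None or (port is not None and rng[0] <= port <= rng[1])

def lookup(acl, pkt):
    """First-match-wins evaluation; returns (seq, action), seq None for the implicit deny."""
    for e in acl:
        if e["proto"] not in ("ip", pkt["proto"]):
            continue
        if not (_addr_ok(e["src"], pkt["src"]) and _addr_ok(e["dst"], pkt["dst"])):
            continue
        if e["proto"] in ("tcp", "udp"):
            if not (_ports_ok(e["sport"], pkt.get("sport"))
                    and _ports_ok(e["dport"], pkt.get("dport"))):
                continue
            if e["established"] and not pkt.get("established"):
                continue
        if e["proto"] == "icmp" and e["icmp"]:
            t, c = e["icmp"]
            if pkt["icmp_type"] != t or (c is not None and pkt["icmp_code"] != c):
                continue
        return e["seq"], e["action"]
    return None, "deny"

INBOUND, OUTBOUND = parse_acl(INBOUND_TEXT), parse_acl(OUTBOUND_TEXT)
FIXED_OUTBOUND = parse_acl(FIXED_OUTBOUND_TEXT)

# The probe exactly as the R6 debug line reports it.
PROBE = {"proto": "udp", "src": "155.1.58.8", "dst": "155.1.146.6",
         "sport": 49217, "dport": 33442}
# A host's answer to a UDP probe aimed at a closed port: ICMP port unreachable (3/3).
REPLY = {"proto": "icmp", "src": "155.1.146.6", "dst": "155.1.58.8",
         "icmp_type": 3, "icmp_code": 3}

def trace_exchange(outbound=OUTBOUND):
    """Which entry the probe hits on INBOUND and which the reply hits on the given OUTBOUND."""
    return {"probe": lookup(INBOUND, PROBE), "reply": lookup(outbound, REPLY)}

if __name__ == "__main__":
    print("as posted :", trace_exchange())
    print("with fix  :", trace_exchange(FIXED_OUTBOUND))
```

Running it prints the probe hitting INBOUND 120 (permit) and the reply hitting OUTBOUND 140 (deny), which is exactly the counter movement shown in the post; with the constructed entry 135 the reply is permitted instead. If more routers sat beyond R4 on the path, their hop replies are ICMP type 11 (`ttl-exceeded`) and would need a permit of their own in the same position.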
