04-01-2009 08:20 PM - edited 03-04-2019 04:11 AM
I want to create an ACL to permit traceroute. But I see two different types of ICMP commands for traceroute. Which pair is correct?

    permit icmp any any ttl-exceed
    permit icmp any any port-unreachable

or

    permit icmp any any traceroute
04-01-2009 08:41 PM
Rupesh,
To make sure that I will get any response from a Linux, Cisco or Windows box:

    permit icmp any any ttl-exceed
    permit icmp any any port-unreachable
    permit icmp any any echo-reply

This is all about the inbound direction.
Toshi
04-01-2009 09:08 PM
What is the meaning of permit icmp any any traceroute ?
04-01-2009 09:28 PM
Rupesh,
I'm not sure about that command. Actually, it's a different type and code for ICMP. So it's not an all-in-one command that includes things like ttl-exceed and port-unreachable.
    Type 0   Echo-reply
    Type 3   Destination-unreachable
        Code 0   network-unreachable
        Code 1   host-unreachable
        Code 2   protocol-unreachable
        Code 3   port-unreachable
        Code 4   fragmentation-needed
        Code 5   source-route-failed
        Code 6   network-unknown
        Code 7   host-unknown
        Code 8   network-prohibited
        Code 9   host-prohibited
        Code 10  TOS-network-unreachable
        Code 11  TOS-host-unreachable
        Code 12  communication-prohibited
        Code 13  host-precedence-violation
        Code 14  precedence-cutoff
    Type 11  Time-exceeded
        Code 0   ttl-zero-during-transit
        Code 1   ttl-zero-during-reassembly
    Type 30  Traceroute
Toshi
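To make the difference between the two ACL styles concrete, here is an added Python example (not code from the thread or from Cisco) that parses constructed ICMP messages, maps their type/code to the IOS ACL keyword from the list above, and evaluates both candidate inbound ACLs first-match with the implicit deny. The keyword table follows IOS extended ACLs, where the type 11 code 0 keyword is spelled `ttl-exceeded` (the thread writes `ttl-exceed`) and `traceroute` names the legacy ICMP type 30 message only. The sample replies and their quoted-datagram payload are constructed stand-ins, not captured traffic.

```python
import struct

# Cisco IOS extended-ACL ICMP keywords mapped to (type, code); code None matches any code.
# Assumption from IOS keyword tables: "ttl-exceeded" is 11/0, "traceroute" is type 30 (RFC 1393,
# deprecated by RFC 6918), so neither keyword covers the other messages a traceroute needs.
ICMP_KEYWORDS = {
    "echo-reply": (0, None),        # Type 0
    "port-unreachable": (3, 3),     # Type 3 code 3
    "time-exceeded": (11, None),    # Type 11, any code
    "ttl-exceeded": (11, 0),        # Type 11 code 0
    "traceroute": (30, None),       # Type 30
}


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over the whole ICMP message (0 on a valid message)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_icmp(icmp_type: int, icmp_code: int, rest: bytes = b"\x00" * 4, payload: bytes = b"") -> bytes:
    """Build a valid ICMP message: type, code, checksum, 4-byte 'rest of header', payload."""
    header = struct.pack("!BBH", icmp_type, icmp_code, 0) + rest
    csum = icmp_checksum(header + payload)
    return struct.pack("!BBH", icmp_type, icmp_code, csum) + rest + payload


def parse_icmp(data: bytes):
    """Return (type, code) after checking the minimum length and the checksum."""
    if len(data) < 8:
        raise ValueError("ICMP message shorter than 8 bytes")
    if icmp_checksum(data) != 0:
        raise ValueError("bad ICMP checksum")
    icmp_type, icmp_code = struct.unpack("!BB", data[:2])
    return icmp_type, icmp_code


def keyword_for(icmp_type: int, icmp_code: int):
    """Most specific ACL keyword naming this type/code, or None if no keyword covers it."""
    best = None
    for kw, (t, c) in ICMP_KEYWORDS.items():
        if t == icmp_type and (c is None or c == icmp_code):
            if best is None or c is not None:   # a code-specific keyword beats a type-only one
                best = kw
    return best


def acl_permits(acl, icmp_type: int, icmp_code: int) -> bool:
    """First-match evaluation of [(action, keyword), ...] with the implicit deny at the end."""
    for action, kw in acl:
        t, c = ICMP_KEYWORDS[kw]
        if t == icmp_type and (c is None or c == icmp_code):
            return action == "permit"
    return False


def evaluate_acl(acl, messages):
    """Map each named inbound message to whether the ACL would let it through."""
    return {name: acl_permits(acl, *parse_icmp(raw)) for name, raw in messages.items()}


# Constructed stand-in for the quoted original IP header + 8 bytes that error messages carry.
ORIG_DATAGRAM = b"\x45\x00\x00\x3c" + b"\x00" * 24

# Constructed sample replies a traceroute run could receive inbound.
SAMPLE_INBOUND = {
    "hop: TTL expired (UDP or ICMP traceroute)": build_icmp(11, 0, payload=ORIG_DATAGRAM),
    "target: port unreachable (end of UDP traceroute)": build_icmp(3, 3, payload=ORIG_DATAGRAM),
    "target: echo reply (end of Windows tracert)": build_icmp(0, 0, struct.pack("!HH", 0x1234, 1), b"abcdefgh"),
    "type 30 traceroute message (legacy)": build_icmp(30, 0),
    "echo request (not a traceroute reply)": build_icmp(8, 0, struct.pack("!HH", 0x1234, 1), b"abcdefgh"),
}

# The three-line inbound ACL from the answer above, versus the single 'traceroute' keyword.
THREE_LINE_ACL = [("permit", "ttl-exceeded"), ("permit", "port-unreachable"), ("permit", "echo-reply")]
TRACEROUTE_KEYWORD_ACL = [("permit", "traceroute")]

if __name__ == "__main__":
    for label, acl in (("three-line ACL", THREE_LINE_ACL), ("traceroute keyword only", TRACEROUTE_KEYWORD_ACL)):
        print(label)
        for name, ok in evaluate_acl(acl, SAMPLE_INBOUND).items():
            print(f"  {'permit' if ok else 'deny  '}  {name}")
```

Run as written, the three-line ACL permits the TTL-expired, port-unreachable and echo-reply messages and still drops an inbound echo request, while the `traceroute` keyword permits only the type 30 message, which no modern traceroute implementation sends.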
04-01-2009 09:50 PM
Thanks for your efforts. I think you are right, as I have never seen the traceroute keyword in an ACL.