04-01-2009 08:20 PM - edited 03-04-2019 04:11 AM
I want to create an acl to permit traceroute. But I see two different types
of the icmp commands for traceroute. Which pair is correct?
> permit icmp any any ttl-exceed
> permit icmp any any port-unreachable

or

> permit icmp any any traceroute
04-01-2009 08:41 PM
Rupesh,
To make sure that I will get any response from Linux, Cisco or Windows box.
permit icmp any any ttl-exceed
permit icmp any any port-unreachable
permit icmp any any echo-reply
This is all about inbound direction.
Toshi
04-01-2009 09:08 PM
What is the meaning of permit icmp any any traceroute ?
04-01-2009 09:28 PM
Rupesh,
I'm not sure about that command. Actually it's a different type and code for ICMP.
So it's not all in one command to include things like ttl-exceed and port-unreachable.

Type 0 Echo-reply
Type 3 Destination-unreachable
  Code 0 network-unreachable
  Code 1 host-unreachable
  Code 2 protocol-unreachable
  Code 3 port-unreachable
  Code 4 fragmentation-needed
  Code 5 source-route-failed
  Code 6 network-unknown
  Code 7 host-unknown
  Code 8 network-prohibited
  Code 9 host-prohibited
  Code 10 TOS-network-unreachable
  Code 11 TOS-host-unreachable
  Code 12 communication-prohibited
  Code 13 host-precedence-violation
  Code 14 precedence-cutoff
Type 11 Time-exceeded
  Code 0 ttl-zero-during-transit
  Code 1 ttl-zero-during-reassembly
Type 30 Traceroute
Toshi
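Added example, not part of the original thread and not Cisco code: a small Python model of type/code matching that checks which traceroute replies the three-line ACL lets in and which an entry matching only ICMP type 30 lets in. It assumes UDP probes for Linux/Cisco traceroute and ICMP echo probes for Windows tracert; the function names, sample addresses and packets are constructed for illustration.

```python
import struct

# Entries are (ICMP type, code); code None matches any code. A packet that
# matches no entry falls to the implicit deny, as in an extended ACL.
ACL_THREE_LINES = [(11, 0), (3, 3), (0, None)]  # TTL exceeded, port unreachable, echo reply
ACL_TYPE_30_ONLY = [(30, None)]                 # ICMP type 30 "Traceroute" (RFC 1393)

def build_ipv4_icmp(icmp_type, code, options=b""):
    """Constructed sample packet: IPv4 header (+ optional options) and ICMP header."""
    if len(options) % 4:
        raise ValueError("IPv4 options must be padded to 32-bit words")
    ihl = 5 + len(options) // 4
    ip = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, ihl * 4 + 8, 0, 0,
                     64, 1, 0, bytes([192, 0, 2, 1]), bytes([198, 51, 100, 7]))
    # Checksums are left at zero: this model matches on type/code only.
    return ip + options + struct.pack("!BBHI", icmp_type, code, 0, 0)

def icmp_type_code(packet):
    """Return (type, code) for an IPv4 ICMP packet, or None if it is not ICMP."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    header_len = (packet[0] & 0x0F) * 4          # IHL is counted in 32-bit words
    if header_len < 20 or len(packet) < header_len + 2:
        raise ValueError("truncated or malformed IPv4 header")
    if packet[9] != 1:                           # IP protocol 1 = ICMP
        return None
    return packet[header_len], packet[header_len + 1]

def acl_permits(acl, packet):
    """True if any entry matches; otherwise the implicit deny applies."""
    found = icmp_type_code(packet)
    if found is None:
        return False
    return any(t == found[0] and (c is None or c == found[1]) for t, c in acl)

# Inbound replies each probe style depends on (assumption stated in the lead-in):
# intermediate hops answer with 11/0, the destination with 3/3 or 0/0.
REPLIES = {
    "udp_probe": [build_ipv4_icmp(11, 0), build_ipv4_icmp(3, 3)],
    "icmp_echo_probe": [build_ipv4_icmp(11, 0), build_ipv4_icmp(0, 0)],
}

def traceroute_results(acl):
    """Map each probe style to whether all of its replies pass the ACL."""
    return {name: all(acl_permits(acl, p) for p in pkts)
            for name, pkts in REPLIES.items()}

if __name__ == "__main__":
    print("three-line ACL:", traceroute_results(ACL_THREE_LINES))
    print("type 30 only:  ", traceroute_results(ACL_TYPE_30_ONLY))
```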
04-01-2009 09:50 PM
Thanks for your efforts. I think you are right, as I have never seen the traceroute keyword in an ACL.