I'm trying to traceroute an internal server from the DMZ segment, which is connected to remote branches. I have enabled time-exceeded and echo-reply, but it doesn't work. I also tried enabling unreachable, and "access-list DMZ extended permit icmp any any", but it still doesn't work.
Traceroute from internal to the DMZ server works with "time-exceeded", but it can't be done from the DMZ segment to the internal server.
When I enabled "access-list DMZ extended permit udp any any" it works, but it doesn't show the firewall hop. I'm aware the firewall hop is shown as the destination address, but it shows me "*" rather than the destination.
Which UDP ports do I have to enable to allow traceroute?
I am glad I could help
To find out the exact port, use the packet capture command on the DMZ:
access-list abc permit udp host host
capture cpz access-l abc interface DMZ
Now traceroute and do "show cap cpz".
This will tell you what exact UDP ports you need.
Is it a Linux/Unix box in the DMZ that you are using for traceroute? Linux/Unix uses UDP datagrams for traceroute with destination ports numbering from 33434 to 33534 (usually), so you may want to open the relevant UDP ports; check in logs and captures which exact ports.
Regarding why the firewall is not showing its interface as the hop, refer:
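The two answers above describe one workflow: capture the DMZ host's probes on the firewall, read the UDP destination ports out of the capture, and permit only those instead of "udp any any". The following is an added example, not code from this thread or from Cisco: it parses a few constructed lines written in the style of ASA "show capture" output (the exact format and all addresses are assumed), keeps only the classic traceroute port range 33434 to 33534 mentioned above, and prints a tight "range" ACL for each source/destination pair. The helper that estimates how many ports a traceroute needs (default max TTL 30 times 3 probes per hop) is also an assumption about typical defaults, not something the thread states.

```python
import re

# Constructed sample lines in the style of ASA "show capture" output.
# Made-up hosts and timestamps; the last line is a DNS lookup, not a probe.
SAMPLE_CAPTURE = """\
1: 10:15:01.100001 10.10.10.5.40211 > 192.168.1.20.33434: udp 32
2: 10:15:01.100050 10.10.10.5.40211 > 192.168.1.20.33435: udp 32
3: 10:15:01.100102 10.10.10.5.40211 > 192.168.1.20.33436: udp 32
4: 10:15:02.200001 10.10.10.5.40211 > 192.168.1.20.33437: udp 32
5: 10:15:02.200050 10.10.10.5.40211 > 192.168.1.20.33438: udp 32
6: 10:15:02.200102 10.10.10.5.40211 > 192.168.1.20.33439: udp 32
7: 10:15:03.300001 10.10.10.5.52000 > 192.168.1.20.53: udp 45
"""

# Classic UNIX traceroute destination-port window (from the answer above).
TRACEROUTE_BASE = 33434
TRACEROUTE_MAX = 33534

# "<n>: <time> <src>.<sport> > <dst>.<dport>: udp <len>" (assumed layout)
LINE_RE = re.compile(
    r"^\s*\d+:\s+\S+\s+(?P<src>\d+(?:\.\d+){3})\.(?P<sport>\d+)\s+>\s+"
    r"(?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\d+):\s+udp\b"
)


def parse_udp_flows(capture_text):
    """Return a list of (src_ip, dst_ip, dst_port) for every UDP line parsed."""
    flows = []
    for line in capture_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            flows.append((m.group("src"), m.group("dst"), int(m.group("dport"))))
    return flows


def traceroute_port_ranges(flows):
    """Group probes by (src, dst) and return the observed (low, high) port span.

    Packets outside the traceroute window (e.g. DNS on 53) are ignored so they
    do not widen the ACL.
    """
    ranges = {}
    for src, dst, dport in flows:
        if not TRACEROUTE_BASE <= dport <= TRACEROUTE_MAX:
            continue
        lo, hi = ranges.get((src, dst), (dport, dport))
        ranges[(src, dst)] = (min(lo, dport), max(hi, dport))
    return ranges


def acl_lines(ranges, acl_name="DMZ"):
    """Render one ASA-style 'range' ACE per source/destination pair."""
    return [
        f"access-list {acl_name} extended permit udp host {src} host {dst} "
        f"range {lo} {hi}"
        for (src, dst), (lo, hi) in sorted(ranges.items())
    ]


def expected_port_range(max_hops=30, probes_per_hop=3):
    """Ports a full traceroute can consume if every probe bumps the port by one.

    Assumed defaults (30 hops, 3 probes); 90 probes -> 33434..33523.
    """
    return TRACEROUTE_BASE, TRACEROUTE_BASE + max_hops * probes_per_hop - 1


if __name__ == "__main__":
    flows = parse_udp_flows(SAMPLE_CAPTURE)
    for ace in acl_lines(traceroute_port_ranges(flows)):
        print(ace)
    print("worst case for a default run:", expected_port_range())
```

Run it against the real "show cap cpz" text instead of SAMPLE_CAPTURE after adjusting LINE_RE to the exact output of your ASA version. The point of the range ACE is least privilege: it permits only the probe window between the two hosts involved rather than all UDP from anywhere, and the expected_port_range helper gives an upper bound to size that window if the capture only caught part of a run.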