Traceroute Port

Unanswered Question
Apr 17th, 2002

Hi,


Whenever a client would do a trace from their network to one of their servers colocated in our network, an asterisk would appear just where the IP of that server should appear. Those servers are all behind a Pix535. Obviously the Pix blocks such requests. I wonder what port I should open to get the desired result. Any help will be greatly appreciated.



srittenberg Wed, 04/17/2002 - 20:27

PC traceroute or tracert uses ICMP. You need to permit ICMP type 8 and type 0 (echo and echo-reply).

jtornea Wed, 04/17/2002 - 22:13

Hi,


I have actually done exactly what you suggest. I permitted ICMP type 0 and 8 on both interfaces (outside and perimeter1) since I am doing a static NAT from perimeter1 to the outside interface. But traceroute still doesn't go through. Any more ideas? Thanks...

fmadar Mon, 04/22/2002 - 08:06

You must permit outbound UDP packets (enabled by default) and permit ICMP packets in; these packets should be ICMP type 11, code 0 (time to live exceeded in transit) and ICMP type 3, code 3 (destination unreachable, port unreachable). For more information, take a look at:

http://www.cisco.com/warp/public/63/ping_traceroute.html
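A simplified model of the behaviour described in the answer above, added here as an example (it is not code from the thread or from Cisco): it shows which hops print as `*` for a given probe type and set of ICMP types the filter passes. The hop names, the `trace` function and its parameters are constructed for illustration, and the filter is assumed to be a transparent device that is not itself a hop.

```python
# Added example: simplified model of traceroute through a packet filter.
TTL_EXCEEDED = (11, 0)   # ICMP time to live exceeded in transit
PORT_UNREACH = (3, 3)    # ICMP destination unreachable, port unreachable
ECHO_REPLY = (0, 0)      # ICMP echo-reply

# Constructed hop names; the destination is the last entry.
PATH = ["isp-router", "edge-router", "server"]


def trace(path, probe, fw_before, probes_allowed, replies_allowed):
    """Return one entry per TTL: the hop name, or '*' when no reply returns.

    probe           -- 'udp' (UNIX-style traceroute) or 'icmp' (echo, type 8)
    fw_before       -- 1-based index of the first hop behind the filter
    probes_allowed  -- probe kinds the filter passes toward the destination
    replies_allowed -- ICMP (type, code) pairs the filter passes back
    """
    if probe not in ("udp", "icmp"):
        raise ValueError("probe must be 'udp' or 'icmp'")
    shown = []
    for ttl in range(1, len(path) + 1):
        crosses_filter = ttl >= fw_before
        if ttl < len(path):
            reply = TTL_EXCEEDED          # router where the TTL ran out
        elif probe == "udp":
            reply = PORT_UNREACH          # destination, closed UDP port
        else:
            reply = ECHO_REPLY            # destination answers the echo
        blocked = crosses_filter and (
            probe not in probes_allowed or reply not in replies_allowed)
        shown.append("*" if blocked else path[ttl - 1])
    return shown


if __name__ == "__main__":
    # Tracing out through the filter (fw_before=1): every reply crosses it.
    print(trace(PATH, "udp", 1, {"udp"}, {TTL_EXCEEDED, PORT_UNREACH}))
    print(trace(PATH, "udp", 1, {"udp"}, {TTL_EXCEEDED}))
    # Filter directly in front of the server (fw_before=3), echo rules only.
    print(trace(PATH, "udp", 3, {"icmp"}, {ECHO_REPLY}))
    print(trace(PATH, "icmp", 3, {"icmp"}, {ECHO_REPLY}))
```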


jtornea Mon, 04/22/2002 - 18:10

Hi fmadar,


Thanks for the white paper. It helped me analyze my configuration to achieve what I wanted, and I did!
