Traceroute Port

jtornea
Level 1

Hi,

Whenever a client does a trace from their network to one of their servers colocated on our network, an asterisk appears just where the IP of that server should appear. Those servers are all behind a Pix535. Obviously the Pix blocks such requests. I wonder what port I should open to get the desired result. Any help will be greatly appreciated.

5 Replies

srittenberg
Level 1

PC traceroute or tracert uses ICMP. You need to permit ICMP type 8 and type 0 (echo and echo-reply).

jtornea
Level 1

Hi,

I have actually done exactly what you suggest. I permitted ICMP type 0 and 8 on both interfaces (outside and perimeter1) since I am doing a static NAT from perimeter1 to the outside interface. But traceroute still doesn't go through. Any more ideas? Thanks...

jtornea
Level 1

Anybody who would like to help? Thanks.

You must permit outbound UDP packets (enabled by default) and permit ICMP packets in; these packets should be ICMP type 11, code 0 (time to live exceeded in transit) and ICMP type 3, code 3 (destination unreachable, port unreachable). For more information take a look at:

http://www.cisco.com/warp/public/63/ping_traceroute.html
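
Added example, not part of any post in this thread: a small Python model of which traceroute hops answer through a packet filter, covering both the ICMP echo variant (types 8 and 0) and the UDP variant (types 11/0 and 3/3) named in the replies above. The hop names, the stateless rule sets and the assumption that the filter is not itself a hop are constructed for illustration and are not PIX configuration.

```python
# Added illustration: constructed, simplified stateless model (not PIX syntax).
# A packet is (protocol, icmp_type, icmp_code); a rule set is the set of
# packets the filter permits in one direction.
ECHO_REQUEST = ("icmp", 8, 0)
ECHO_REPLY = ("icmp", 0, 0)
TTL_EXCEEDED = ("icmp", 11, 0)
PORT_UNREACHABLE = ("icmp", 3, 3)
UDP_PROBE = ("udp", None, None)  # UDP datagram to a high, unused port

def trace(hops, fw_before, probe, allow_fwd, allow_back):
    """Return what traceroute prints per hop: the hop name, or '*' on timeout.

    hops       -- hop names in order; the last one is the destination
    fw_before  -- index of the hop the filter sits directly in front of
    allow_fwd  -- packets permitted in the probe's direction
    allow_back -- packets permitted in the reply's direction
    """
    # The destination answers an echo with echo-reply, a UDP probe with 3/3.
    final_reply = ECHO_REPLY if probe == ECHO_REQUEST else PORT_UNREACHABLE
    shown = []
    for i, hop in enumerate(hops):
        # Every hop short of the destination answers with TTL exceeded (11/0).
        reply = final_reply if i == len(hops) - 1 else TTL_EXCEEDED
        crosses = i >= fw_before  # probe and reply both pass the filter
        ok = not crosses or (probe in allow_fwd and reply in allow_back)
        shown.append(hop if ok else "*")
    return shown

def demo():
    # Hypothetical hop names. "inbound": filter directly in front of the server.
    inbound = ["isp-rtr", "colo-edge", "server"]
    # "outbound": the tracing host is behind the filter, so every hop crosses it.
    outbound = ["edge-rtr", "isp-rtr", "remote"]
    echo_only = ({ECHO_REQUEST}, {ECHO_REPLY})
    return {
        "tracert_in": trace(inbound, 2, ECHO_REQUEST, *echo_only),
        "udp_in_echo_only": trace(inbound, 2, UDP_PROBE, *echo_only),
        "udp_in": trace(inbound, 2, UDP_PROBE, {UDP_PROBE}, {PORT_UNREACHABLE}),
        "udp_out": trace(outbound, 0, UDP_PROBE, {UDP_PROBE},
                         {TTL_EXCEEDED, PORT_UNREACHABLE}),
        "udp_out_no_11": trace(outbound, 0, UDP_PROBE, {UDP_PROBE},
                               {PORT_UNREACHABLE}),
    }

if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:18} {' '.join(result)}")
```

In this model, echo-only rules leave a UDP trace with an asterisk at the final hop, and dropping type 11 hides every intermediate hop while the destination still answers.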

Hi fmadar,

Thanks for the white paper. It helped me analyze my configuration to achieve what I wanted, and I did!
