Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
288
Views
0
Helpful
1
Replies

ICMP traceroute out

dpachl
Level 1
Level 1

‎12-14-2006 12:37 PM - edited ‎03-09-2019 05:04 PM

What is the best practice (ACL) to allow ping and traceroute out? Linux and Window clients, ASA5520 Ver.7.2.1 using PAT.

Labels:
0 Helpful
1 Reply 1

m.sir
Level 7
Level 7

‎12-14-2006 01:19 PM

On Linux Systems, traceroute uses UDP packet. The first packet is addressed to udp 33435 and each another packet will is addressed to an incremented port number. so second is 33436 etc...

. So you need permit UDP>33436

But on Windows, traceroute is implemented by sending ICMP Echo packets..So you need permit ICMP echo packet

if you want linux to behave like windows then use the -I flag "Use ICMP ECHO instead of UDP datagrams."

M.

Hope that helps rate if it does

0 Helpful
Customers Also Viewed These Support Documents