Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
579
Views
0
Helpful
2
Replies

Stop traceroute capability from outside to inside

SERGIO L
Level 1
Level 1

‎06-06-2001 05:06 PM - edited ‎03-08-2019 08:20 PM

I've disabled PING access from outside to inside on my PIX 520, but I can't stop traceroutes...

Below is the 3 lines I've used to stop PING access from outside to inside and allow PING & traceroutes from inside to outside:

conduit permit icmp any any echo-reply

conduit permit icmp any any unreachable

conduit permit icmp any any time-exceeded

Any suggestions?

Thanks,

Serge

Labels:
0 Helpful
2 Replies 2

p.krane
Level 3
Level 3

‎06-11-2001 02:06 PM

Trace route can use high random UDP ports too. Are you allowing UDP or using the established command in your config? What version of code are you running? Conduits are also processed in the order you see them in the config so if there is something more general permitting it prior, then maybe that’s allowing it. You can use debug icmp trace to see the packets during testing.

0 Helpful

SERGIO L
Level 1
Level 1
In response to p.krane

‎06-11-2001 04:22 PM

I'm not allowing UDP or using the established command. Running IOS 5.1. Don't have any other high random UDP statements listed prior. I thought that the established command was only used for routers not PIX's? You learn something new everyday...

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents