Cisco Support Community

New Member

Stop traceroute capability from outside to inside

I've disabled PING access from outside to inside on my PIX 520, but I can't stop traceroutes...

Below are the 3 lines I've used to stop PING access from outside to inside and allow PING & traceroutes from inside to outside:

conduit permit icmp any any echo-reply

conduit permit icmp any any unreachable

conduit permit icmp any any time-exceeded

Any suggestions?

Thanks,

Serge

2 REPLIES
New Member

Re: Stop traceroute capability from outside to inside

Traceroute can use high random UDP ports too. Are you allowing UDP or using the established command in your config? What version of code are you running? Conduits are also processed in the order you see them in the config, so if there is something more general permitting it prior, then maybe that's allowing it. You can use debug icmp trace to see the packets during testing.

New Member

Re: Stop traceroute capability from outside to inside

I'm not allowing UDP or using the established command. Running IOS 5.1. Don't have any other high random UDP statements listed prior. I thought that the established command was only used for routers, not PIXs? You learn something new every day...
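To make the first reply's point about first-match conduit ordering concrete, here is an added Python model (not code from the thread or from Cisco) that parses the three conduit lines from the original post and evaluates constructed inbound packets against them. It assumes only the simplified "conduit <action> <proto> any any [icmp_type]" syntax, RFC 792 ICMP type numbers, and the classic UDP traceroute probe port 33434.

```python
from dataclasses import dataclass
from typing import Optional
# ICMP type names as written in PIX conduit syntax -> RFC 792 type numbers.
ICMP_TYPES = {"echo": 8, "echo-reply": 0, "unreachable": 3, "time-exceeded": 11}

@dataclass(frozen=True)
class Packet:
    proto: str                       # "icmp" or "udp"
    icmp_type: Optional[int] = None  # ICMP type number (icmp only)
    dport: Optional[int] = None      # destination port (udp only)

@dataclass(frozen=True)
class Conduit:
    action: str               # "permit" or "deny"
    proto: str                # "icmp", "udp", "tcp" or "ip" (ip matches everything)
    icmp_type: Optional[int]  # None = any ICMP type, or a non-ICMP conduit
    def matches(self, pkt: Packet) -> bool:
        if self.proto != "ip" and self.proto != pkt.proto:
            return False
        if self.proto == "icmp" and self.icmp_type is not None:
            return self.icmp_type == pkt.icmp_type
        return True

def parse_conduit(line: str) -> Conduit:
    """Handles only the 'conduit <action> <proto> any any [icmp_type]' form (assumption)."""
    t = line.split()
    if len(t) < 5 or t[0] != "conduit" or t[3:5] != ["any", "any"]:
        raise ValueError(f"unsupported conduit syntax: {line!r}")
    icmp_type = ICMP_TYPES[t[5]] if t[2] == "icmp" and len(t) > 5 else None
    return Conduit(action=t[1], proto=t[2], icmp_type=icmp_type)

def evaluate(conduits: list, pkt: Packet) -> bool:
    """First matching conduit decides; inbound traffic matching none is dropped."""
    for c in conduits:
        if c.matches(pkt):
            return c.action == "permit"
    return False  # implicit deny

# The three conduits from the original post, in configured order.
OP_CONDUITS = [parse_conduit(l) for l in (
    "conduit permit icmp any any echo-reply",
    "conduit permit icmp any any unreachable",
    "conduit permit icmp any any time-exceeded")]

def verdicts(conduits: list) -> dict:
    samples = {  # constructed inbound samples: ping, UDP traceroute probe, TTL-expiry reply
        "echo request": Packet("icmp", icmp_type=8),
        "udp probe to port 33434": Packet("udp", dport=33434),
        "time-exceeded": Packet("icmp", icmp_type=11)}
    return {name: evaluate(conduits, pkt) for name, pkt in samples.items()}
```

Running verdicts(OP_CONDUITS) shows the three posted conduits drop both echo requests and UDP probes while admitting the time-exceeded replies; placing a broad "conduit permit icmp any any" above a narrower deny flips the echo verdict, which is the ordering effect the reply describes.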
