Cisco Support Community
Community Member

Traceroute Port

Hi,

Whenever a client does a trace from their network to one of their servers colocated in our network, an asterisk appears just where the IP of that server should appear. Those servers are all behind a Pix535. Obviously the Pix blocks such requests. I wonder what port I should open to get the desired result. Any help will be greatly appreciated.

5 REPLIES
Community Member

Re: Traceroute Port

PC trace route or tracert uses ICMP. You need to permit ICMP type 8 and type 0 (echo and echo-reply).

Community Member

Re: Traceroute Port

Hi,

I have actually done exactly what you suggest. I permitted ICMP type 0 and 8 on both interfaces (outside and perimeter1) since I am doing a static NAT from perimeter1 to the outside interface. But traceroute still doesn't go through. Any more ideas? Thanks...

Community Member

Re: Traceroute Port

Anybody who would like to help? Thanks.

Community Member

Re: Traceroute Port

You must permit outbound UDP packets (enabled by default) and permit ICMP packets in. These packets should be ICMP type 11, code 0 (time to live exceeded in transit) and ICMP type 3, code 3 (destination unreachable, port unreachable). For more information take a look at:

http://www.cisco.com/warp/public/63/ping_traceroute.html
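
The difference between the two suggestions in this thread, as an added example that is not part of any post or of Cisco's documentation: a small model of which packets must cross a firewall for UDP-based traceroute and ICMP-based tracert to show each hop. The names `Pkt`, `trace` and `METHODS` are hypothetical, and the firewall is assumed to be a plain permit list per direction with no stateful inspection, not a model of PIX behaviour.

```python
from typing import NamedTuple, Optional

class Pkt(NamedTuple):
    proto: str                       # "udp" or "icmp"
    icmp_type: Optional[int] = None
    icmp_code: Optional[int] = None

UDP_PROBE = Pkt("udp")               # UNIX-style traceroute probe (high UDP port)
ECHO = Pkt("icmp", 8, 0)             # Windows tracert probe
ECHO_REPLY = Pkt("icmp", 0, 0)
TTL_EXCEEDED = Pkt("icmp", 11, 0)    # sent by each intermediate router
PORT_UNREACH = Pkt("icmp", 3, 3)     # sent by the destination to a UDP probe

# method -> (probe sent by the tracer, answer sent by the final destination)
METHODS = {"udp": (UDP_PROBE, PORT_UNREACH), "icmp": (ECHO, ECHO_REPLY)}

def trace(method, to_target, to_tracer, routers_beyond=2):
    """Return what the tracer prints for every hop beyond the firewall.

    to_target / to_tracer are the sets of packets the firewall permits in the
    probe direction and in the reply direction (assumed model: plain permit
    lists, no stateful inspection, firewall itself is not a hop).
    """
    probe, final_answer = METHODS[method]
    shown = []
    for hop in range(1, routers_beyond + 2):
        is_dest = hop == routers_beyond + 1
        answer = final_answer if is_dest else TTL_EXCEEDED
        delivered = probe in to_target and answer in to_tracer
        shown.append(("dest" if is_dest else f"r{hop}") if delivered else "*")
    return shown

if __name__ == "__main__":
    probes = {UDP_PROBE, ECHO}       # constructed rule sets for illustration
    for label, replies in [("echo/echo-reply only", {ECHO_REPLY}),
                           ("type 11 + type 3 code 3", {TTL_EXCEEDED, PORT_UNREACH}),
                           ("all three replies", {ECHO_REPLY, TTL_EXCEEDED, PORT_UNREACH})]:
        for method in METHODS:
            print(f"{label:26} {method:4} {trace(method, probes, replies)}")
```

In this model, an asterisk only at the last hop corresponds to the destination's answer (or the probe that triggers it) being dropped while the routers' time-exceeded replies get through.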

Community Member

Re: Traceroute Port

Hi fmadar,

Thanks for the white paper. It helped me analyze my configuration to achieve what I wanted, and I did!
