Well, the question is not specific, it's from INE workbook, saying that all users on the inside behind the router should be able to send traceroutes. We can only assume that it could be Windows boxes but the actual host behind the firewalling router is the other router where I would make a verification. Hence UDP ports and maybe Path MTU discovery as well.
From: Fawad Khan [mailto:[email protected]]
Sent: 23 March 2012 12:21
To: Eugene Pefti
Cc: Kingsley Charles; [email protected]
Subject: Re: [OSL | CCIE_Security] UDP ports for IOS traceroute

I use 33434-33534. This gives 100 hops, but 33634 can be used as well for the end range. However, we need to be sure that the question is asking about IOS traceroute and NOT the regular traceroute. You would need to allow icmp-unreach, icmp-time-exceeded and icmp-echo-reply through the firewall. The easiest way to know what ports are required is to enable "logging console warning" on the firewall; it immediately gives the hint of what's getting blocked by the firewall. At the end, don't forget to remove the logging console warning statement :).

FNK

On Fri, Mar 23, 2012 at 2:44 PM, Eugene Pefti <[email protected]> wrote:

I already know it, Kings, thanks. Just curious if it can be looked up quickly if I forget. E.g. there's a reference section for protocols and port numbers under the ASA configuration guide. Didn't find anything in there for these traceroute ports.

Sent from iPhone

On Mar 23, 2012, at 11:22 AM, "Kingsley Charles" <[email protected]> wrote:

The range 33434 to 33464.

With regards
Kings

On Fri, Mar 23, 2012 at 11:37 PM, Eugene Pefti <[email protected]> wrote:

The task asks to explicitly allow traceroutes through the router. We know that if it is Unix or IOS then the traceroute requires UDP port 33434 open. One of those numbers to memorize. Different sources say that it's not one port but a range, and my question is mostly whether we can make do with one port or have to specify the range. Where will I look it up in Cisco documentation?
Eugene
Sent from iPhone

_______________________________________________
For more information regarding industry leading CCIE Lab training, please visit www.ipexpert.com
Are you a CCNP or CCIE and looking for a job? Check out www.PlatinumPlacement.com
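The one-port-versus-range question in the thread can be worked through by modelling the probes a UDP traceroute emits against a stateless "permit udp ... range" entry and listing the ICMP replies the inbound side must admit. This is an added example, not code from the thread or from Cisco; it assumes (as labelled in the comments) that Unix and IOS traceroute start at UDP 33434 and increment the destination port once per probe, with three probes per hop, and the hop counts it prints follow from that assumption.

```python
# Added example, not from the thread or any Cisco source. It models a
# stateless ACL on the firewalling router against the probes a UDP
# traceroute sends, using the port ranges and ICMP types discussed above.
# Assumption: Unix and IOS traceroute start at UDP 33434 and increment the
# destination port once per probe, sending 3 probes per hop.

BASE_PORT = 33434
PROBES_PER_HOP = 3

# ICMP the firewall must let back in, as (type, code): routers along the
# path answer with time-exceeded, the final host with port-unreachable.
ICMP_TIME_EXCEEDED = (11, 0)
ICMP_PORT_UNREACHABLE = (3, 3)
ICMP_ECHO_REPLY = (0, 0)   # only relevant when probes are ICMP echo (Windows tracert)


def probe_ports(max_hops, probes_per_hop=PROBES_PER_HOP, base=BASE_PORT):
    """Destination UDP port of every probe, keyed by (hop, probe index)."""
    return {(hop, p): base + (hop - 1) * probes_per_hop + p
            for hop in range(1, max_hops + 1)
            for p in range(probes_per_hop)}


def return_icmp(hop, final_hop):
    """Reply a probe to 'hop' produces, which the inbound ACL must permit."""
    return ICMP_PORT_UNREACHABLE if hop >= final_hop else ICMP_TIME_EXCEEDED


def reachable_hops(max_hops, lo, hi, probes_per_hop=PROBES_PER_HOP):
    """Apply 'permit udp any any range lo hi' to every probe in order.
    Returns (hops fully permitted before the first deny, first denied port);
    beyond that hop the traceroute output turns into '* * *'."""
    ports = probe_ports(max_hops, probes_per_hop)
    for hop in range(1, max_hops + 1):
        for p in range(probes_per_hop):
            port = ports[(hop, p)]
            if not lo <= port <= hi:
                # this is the port a 'logging console warning' deny line would show
                return hop - 1, port
    return max_hops, None


if __name__ == "__main__":
    for lo, hi in ((33434, 33434), (33434, 33464), (33434, 33534)):
        hops, denied = reachable_hops(64, lo, hi)
        print(f"range {lo}-{hi}: {hops} hops pass, first denied port {denied}")
    print("reply from hop 3 of 5:", return_icmp(3, 5), "final hop:", return_icmp(5, 5))
```

Under these assumptions a single port passes only the first probe of hop 1, the 33434-33464 range covers 10 full hops, and 33434-33534 covers 33; pair the outbound range with inbound permits for ICMP types 11 and 3 (and type 0 for echo-based clients).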
