Ciscos (& Unixes) use ICMP time-exceeded replies to the host that is doing the traceroute, so not returning ICMP time-exceeded, or dropping all ICMP packets, would be better, e.g.: `access-list 101 deny icmp any any`, and assign it to the interface to the Internet.
> Can someone share with me the experience in
> configuring ACL to deny trace route from the Internet
> to the internal network. I am wondering what ports to
> deny as it keeps changing.

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=28049&t=28047
--------------------------------------------------
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
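As an added configuration example (not part of the post above, and not taken from any Cisco document), here is a tighter version of the same idea for the Internet-facing interface. Instead of dropping every ICMP packet, it drops only the two ICMP replies that traceroute depends on, time-exceeded from intermediate hops and port-unreachable from the final host, in the outbound direction, so replies generated inside the network never reach the Internet. It still permits packet-too-big so path MTU discovery keeps working, and logs the denied packets so an inbound traceroute shows up in the ACL counters and syslog. The interface name `Serial0`, the ACL number 101 and the `log` keyword usage are assumptions for the example.

```cisco
! Added example, not the post's own config. Assumes Serial0 is the
! interface facing the Internet; adjust the name and ACL number as needed.
!
! Extended ACL 101: drop the ICMP messages traceroute relies on,
! log the drops for detection, keep path MTU discovery working.
access-list 101 deny   icmp any any time-exceeded log
access-list 101 deny   icmp any any port-unreachable log
access-list 101 permit icmp any any packet-too-big
access-list 101 permit ip any any
!
! Apply outbound on the Internet-facing interface so replies generated
! by internal routers and hosts never leave the network.
interface Serial0
 ip access-group 101 out
!
! Verify: the match counters on the two deny lines increase while a
! traceroute from outside is running, and each match is logged.
! show access-lists 101
```

Two trade-offs to keep in mind: dropping port-unreachable outbound also means external UDP clients of a closed port will time out instead of failing fast, and this filter hides the intermediate hops only; a Windows `tracert` (ICMP echo based) will still get an echo-reply from the final host unless echo traffic is filtered separately.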

