At 04:50 AM 12/4/01, Engelhard M. Labiro wrote:
>Ciscos (& Unixes) use ICMP time-exceeded reply

All trace route implementations return ICMP time-exceeded. That's how it works. It's also not too relevant since it's probably the incoming packets he's more concerned about.

Cisco (and Unix) are different from Microsoft in that the incoming trace route packets from these operating systems are UDP packets to a port number in the 33,000 - 43,000 range. Windows sends pings.

Priscilla

>to the host that is doing the traceroute, so not returning
>ICMP time-exceeded, or dropping all the ICMP packets,
>would be better, e.g.:
>access-list 101 deny icmp any any
>and assign it to the interface to the Internet.
>
> > Can someone share with me the experience in
> > configuring ACL to deny trace route from the Internet
> > to the internal network. I am wondering what ports to
> > deny as it keeps changing.

________________________
Priscilla Oppenheimer
http://www.priscilla.com

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=28087&t=28047
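The difference between the two probe types described in the reply, as an added example that is not part of the original message: a small first-match ACL model showing that an ICMP-only deny leaves UDP traceroute probes untouched, while matching ICMP echo plus the UDP range from the reply covers both. The `Rule`/`Packet` model, the trailing permit entry and the sample packets (UDP ports 33434 and 53) are constructed for illustration, and only protocol, ICMP type and UDP destination port are modelled.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

@dataclass(frozen=True)
class Packet:                     # inbound packet, reduced to what the ACL inspects
    proto: str                    # "icmp" or "udp"
    icmp_type: Optional[int] = None
    dport: Optional[int] = None

@dataclass(frozen=True)
class Rule:
    action: str                   # "permit" or "deny"
    proto: str                    # "icmp", "udp", or "ip" (any protocol)
    icmp_type: Optional[int] = None
    ports: Optional[Tuple[int, int]] = None   # inclusive UDP destination range

    def matches(self, p: Packet) -> bool:
        if self.proto != "ip" and self.proto != p.proto:
            return False
        if self.icmp_type is not None and p.icmp_type != self.icmp_type:
            return False
        if self.ports is not None:
            lo, hi = self.ports
            if p.dport is None or not lo <= p.dport <= hi:
                return False
        return True

def evaluate(acl, p: Packet) -> str:
    for rule in acl:              # first matching entry decides
        if rule.matches(p):
            return rule.action
    return "deny"                 # implicit deny at the end of the list

# "deny icmp any any" from the quoted message, plus an assumed trailing permit.
ICMP_ONLY = [Rule("deny", "icmp"), Rule("permit", "ip")]
# ICMP echo (type 8) plus the UDP range given in the reply.
BOTH = [Rule("deny", "icmp", icmp_type=8),
        Rule("deny", "udp", ports=(33000, 43000)),
        Rule("permit", "ip")]

SAMPLES = {                       # constructed sample packets
    "windows_probe": Packet("icmp", icmp_type=8),   # Windows tracert sends pings
    "unix_probe": Packet("udp", dport=33434),       # Cisco/Unix UDP probe
    "dns_query": Packet("udp", dport=53),
    "unreachable": Packet("icmp", icmp_type=3),
}

def verdicts(acl):
    return {name: evaluate(acl, pkt) for name, pkt in SAMPLES.items()}

if __name__ == "__main__":
    print("icmp only:", verdicts(ICMP_ONLY))
    print("echo + udp range:", verdicts(BOTH))
```

Denying all ICMP also drops the destination-unreachable messages that path MTU discovery depends on, which is why the second list matches echo only.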

