https://community.cisco.com/t5/network-security/enable-tracroute-from-dmz-segment/m-p/1555423#M658266 <HTML><HEAD></HEAD><BODY><P>Hello my Dear</P><P></P><P>You are correct, a Cisco IOS box uses UDP for its traceroute, doesn't matter what its tracing to, it will use UDP.</P><P></P><P>But it depends on how far the hop is away, do you know?You might want to increase the range from 33434 to 33464</P><P></P><P><span class="lia-unicode-emoji" title=":winking_face:">😉</span></P></BODY></HTML> Tue, 07 Sep 2010 22:38:29 GMT golly_wog 2010-09-07T22:38:29Z https://community.cisco.com/t5/network-security/enable-tracroute-from-dmz-segment/m-p/1555420#M658229 <P>Hello Dear's,</P><P></P><P>I m trying to traceroute internal server from DMZ segment which is connected to remote branches, i have enabled time-exceeded,and echo-reply,it doesn't work,also I tried by enabling unreacheable,and <STRONG style="color: #ff0000; ">Access-list DMZ extended permit icmp any any</STRONG> but stil doesn't work,</P><P></P><P>Traceroute from internal to DMZ server is working by <STRONG style="color: #ff0000; ">"time-exceeded"</STRONG> but it can't be done from DMZ segment to internal server.</P><P></P><P>When i have enabled <STRONG style="color: #ff0000; ">Access-list DMZ extended permit UDP any any</STRONG>&nbsp; it works but it doesnt show the firewall hop.I m aware the firewall HOP is shown by the destination address but it is shows me the " * "&nbsp; rather than the destination.</P><P></P><P>which UDP ports i have to enable to allow traceroute.</P><P></P><P></P><P><BR />Thanks.</P> Mon, 11 Mar 2019 18:35:59 GMT https://community.cisco.com/t5/network-security/enable-tracroute-from-dmz-segment/m-p/1555420#M658229 estelamathew 2019-03-11T18:35:59Z https://community.cisco.com/t5/network-security/enable-tracroute-from-dmz-segment/m-p/1555421#M658248 <HTML><HEAD></HEAD><BODY><P>Is it a linux/unix box in DMZ that you are using for traceroute ?, Linux/Unix uses UDP datagrams for traceroute with destination ports numbering from 33434 to 33534 (usually), so you may want to open relevant UDP ports, check in logs and captures which exact ports</P><P></P><P>Regarding why firewall not showing its interface as the hop, refer:</P><P><A class="jive-link-external-small" href="http://www.cisco.com/en/US/docs/security/asa/asa80/command/reference/s1.html#wp1395966">http://www.cisco.com/en/US/docs/security/asa/asa80/command/reference/s1.html#wp1395966</A></P><P></P><P>---regards</P></BODY></HTML> Tue, 07 Sep 2010 09:57:20 GMT https://community.cisco.com/t5/network-security/enable-tracroute-from-dmz-segment/m-p/1555421#M658248 abinjola 2010-09-07T09:57:20Z https://community.cisco.com/t5/network-security/enable-tracroute-from-dmz-segment/m-p/1555422#M658256 <HTML><HEAD></HEAD><BODY><P>Hello Dear's,</P><P></P><P>I m tracing from cisco router which is located in branch office that passess through DMZ interface of ASA. I m trying to do trace from branch router to internal windows Server, then why the UDP is neccessary here,i have read about UDP is necessary for Linux nd Unix Box but i m tracing to windows server.I have tried by enabling the same UDP ports as mentioned by you but still i m not able to trace but when i do UDP any any then the traceroute works.</P><P></P><P>Thanks.</P></BODY></HTML> Tue, 07 Sep 2010 20:50:59 GMT https://community.cisco.com/t5/network-security/enable-tracroute-from-dmz-segment/m-p/1555422#M658256 estelamathew 2010-09-07T20:50:59Z https://community.cisco.com/t5/network-security/enable-tracroute-from-dmz-segment/m-p/1555423#M658266 <HTML><HEAD></HEAD><BODY><P>Hello my Dear</P><P></P><P>You are correct, a Cisco IOS box uses UDP for its traceroute, doesn't matter what its tracing to, it will use UDP.</P><P></P><P>But it depends on how far the hop is away, do you know?You might want to increase the range from 33434 to 33464</P><P></P><P><span class="lia-unicode-emoji" title=":winking_face:">😉</span></P></BODY></HTML> Tue, 07 Sep 2010 22:38:29 GMT https://community.cisco.com/t5/network-security/enable-tracroute-from-dmz-segment/m-p/1555423#M658266 golly_wog 2010-09-07T22:38:29Z https://community.cisco.com/t5/network-security/enable-tracroute-from-dmz-segment/m-p/1555424#M658282 <HTML><HEAD></HEAD><BODY><P>to find out exact port use packet capture command on DMZ</P><P></P><P>access-list abc permit udp host <ROUTER> host <SERVER on="" inside=""></SERVER></ROUTER></P><P>capture cpz access-l abc interface DMZ</P><P></P><P>now traceroute and do show cap cpz</P><P></P><P>this will tell you what exact UDP ports you need</P></BODY></HTML> Wed, 08 Sep 2010 04:32:44 GMT https://community.cisco.com/t5/network-security/enable-tracroute-from-dmz-segment/m-p/1555424#M658282 abinjola 2010-09-08T04:32:44Z https://community.cisco.com/t5/network-security/enable-tracroute-from-dmz-segment/m-p/1555425#M658312 <HTML><HEAD></HEAD><BODY><P>Thanks Dear,</P><P></P><P>I found the ports 33455,33456,33457,</P><P></P><P>Thank&nbsp; u once more for ur kind reply</P></BODY></HTML> Wed, 08 Sep 2010 06:27:36 GMT https://community.cisco.com/t5/network-security/enable-tracroute-from-dmz-segment/m-p/1555425#M658312 estelamathew 2010-09-08T06:27:36Z https://community.cisco.com/t5/network-security/enable-tracroute-from-dmz-segment/m-p/1555426#M658327 <HTML><HEAD></HEAD><BODY><P>I am glad I could help</P></BODY></HTML> Wed, 08 Sep 2010 06:32:51 GMT https://community.cisco.com/t5/network-security/enable-tracroute-from-dmz-segment/m-p/1555426#M658327 abinjola 2010-09-08T06:32:51Z