Posted by Joseph Keegan on September 17, 2007, 11:46 pm
In the outside-in access-list (acl_out), make sure that the following entries are present:

access-list acl_out permit icmp any any time-exceeded
access-list acl_out permit icmp any any unreachable
access-list acl_out permit icmp any any echo
access-list acl_out permit icmp any any echo-reply

I've seen the question asked hundreds of times, and since I finally found how to do it without allowing ALL icmp, I thought I'd share.

Hope it helps!

-J Keegan
j keegan at ctny dot net

Posted by Brian V on September 18, 2007, 6:15 am
Not quite. By opening any any echo you have now made your network pingable from the real world. By adding unreachable you have now given the outside world the ability to see what addresses you are using. There are only 2 things needed for trace, that's the time-exceeded and echo-reply. I would recommend that you remove the other 2 for obvious security reasons.

Posted by itchibahn on September 27, 2007, 8:22 pm
>> In the outside-in access-list (acl_out), make sure that the following
>> entries are present:
>>
>> access-list acl_out permit icmp any any time-exceeded
>> access-list acl_out permit icmp any any unreachable
>> access-list acl_out permit icmp any any echo
>> access-list acl_out permit icmp any any echo-reply
>>
>> I've seen the question asked hundreds of times, and since I finally
>> found how to do it without allowing ALL icmp, I thought I'd share.
>>
>> Hope it helps!
>>
>> -J Keegan
>> j keegan at ctny dot net
>
> Not quite. By opening any any echo you have now made your network pingable
> from the real world. By adding unreachable you have now given the outside
> world the ability to see what addresses you are using. There are only 2
> things needed for trace, that's the time-exceeded and echo-reply. I would
> recommend that you remove the other 2 for obvious security reasons.

If I want to allow ping, would below be acceptable?

access-list 111 deny icmp any any fragments
access-list 111 permit icmp any any echo
access-list 111 permit icmp any any echo-reply
access-list 111 permit icmp any any packet-too-big
access-list 111 permit icmp any any source-quench
access-list 111 permit icmp any any time-exceeded
access-list 111 deny icmp any any

Posted by Brian V on September 27, 2007, 11:34 pm
>>> In the outside-in access-list (acl_out), make sure that the following
>>> entries are present:
>>>
>>> access-list acl_out permit icmp any any time-exceeded
>>> access-list acl_out permit icmp any any unreachable
>>> access-list acl_out permit icmp any any echo
>>> access-list acl_out permit icmp any any echo-reply
>>>
>>> I've seen the question asked hundreds of times, and since I finally
>>> found how to do it without allowing ALL icmp, I thought I'd share.
>>>
>>> Hope it helps!
>>>
>>> -J Keegan
>>> j keegan at ctny dot net
>>
>> Not quite. By opening any any echo you have now made your network
>> pingable from the real world. By adding unreachable you have now given
>> the outside world the ability to see what addresses you are using. There
>> are only 2 things needed for trace, that's the time-exceeded and
>> echo-reply. I would recommend that you remove the other 2 for obvious
>> security reasons.
>
> If I want to allow ping, would below be acceptable?
>
> access-list 111 deny icmp any any fragments
> access-list 111 permit icmp any any echo
> access-list 111 permit icmp any any echo-reply
> access-list 111 permit icmp any any packet-too-big
> access-list 111 permit icmp any any source-quench
> access-list 111 permit icmp any any time-exceeded
> access-list 111 deny icmp any any

If that is inbound on your outside interface, you are now wide open on ICMP, well not WIDE open, but close enough. The ONLY thing you need to be able to ping out is icmp echo-reply. If you want to trace out you need echo-reply and time-exceeded. Anything more and it's potentially a higher security risk than needed.
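The three access lists discussed in this thread, worked through in code. This is an added example, not part of any of the posts above and not Cisco's code: a small Python model of an outside-in ICMP ACL that parses the "access-list <id> permit|deny icmp any any [keyword]" lines exactly as posted, evaluates them first-match with the implicit deny at the end (which is how PIX/ASA and IOS ACLs behave), and reports what each list lets through. It assumes the standard Cisco keyword-to-type mapping (echo-reply 0, unreachable 3, packet-too-big 3/4, source-quench 4, echo 8, time-exceeded 11). It goes one step beyond the thread: Windows tracert sends ICMP echo probes and so needs echo-reply plus time-exceeded back in, but Unix traceroute defaults to UDP probes and needs the destination's port-unreachable (type 3 code 3) back in as well, so the model reports both cases separately. The ACL texts are the ones posted above, embedded as constructed input.

```python
"""Model an outside-in ICMP ACL and report what it lets through.

Added example for the thread above; not Cisco code. Assumes ACEs of the
shape 'access-list <id> permit|deny icmp any any [keyword]' and models
first-match evaluation with the implicit deny at the end.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Cisco ACL ICMP keywords -> (ICMP type, ICMP code); None code = any code.
ICMP_KEYWORDS = {
    "echo-reply": (0, None),
    "unreachable": (3, None),
    "packet-too-big": (3, 4),   # "fragmentation needed and DF set"
    "source-quench": (4, None),
    "echo": (8, None),
    "time-exceeded": (11, None),
}

ACE_RE = re.compile(
    r"^access-list\s+\S+\s+(permit|deny)\s+icmp\s+any\s+any(?:\s+(\S+))?\s*$"
)


@dataclass(frozen=True)
class IcmpAce:
    permit: bool
    icmp_type: Optional[int]   # None matches any type
    code: Optional[int]        # None matches any code
    fragments_only: bool       # 'fragments' keyword: non-initial fragments only


def parse_ace(line: str) -> IcmpAce:
    m = ACE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unsupported ACE: {line!r}")
    action, keyword = m.groups()
    permit = action == "permit"
    if keyword is None:
        return IcmpAce(permit, None, None, False)
    if keyword == "fragments":
        return IcmpAce(permit, None, None, True)
    if keyword not in ICMP_KEYWORDS:
        raise ValueError(f"unknown ICMP keyword {keyword!r} in {line!r}")
    icmp_type, code = ICMP_KEYWORDS[keyword]
    return IcmpAce(permit, icmp_type, code, False)


def parse_acl(text: str) -> list:
    return [parse_ace(line) for line in text.splitlines() if line.strip()]


def permitted(acl, icmp_type: int, code: int = 0, fragment: bool = False) -> bool:
    """First matching ACE decides; no match means the implicit deny."""
    for ace in acl:
        if ace.fragments_only and not fragment:
            continue
        if ace.icmp_type is not None and ace.icmp_type != icmp_type:
            continue
        if ace.code is not None and ace.code != code:
            continue
        return ace.permit
    return False


def assess(acl) -> dict:
    """Which diagnostics work from inside, and what the outside can do to us."""
    echo_reply = permitted(acl, 0)            # type 0: answers to our outbound pings
    time_exceeded = permitted(acl, 11)        # type 11: TTL expiry from each hop
    port_unreachable = permitted(acl, 3, 3)   # type 3 code 3: final hop for UDP probes
    echo = permitted(acl, 8)                  # type 8: outsiders pinging inside hosts
    return {
        "ping_out": echo_reply,
        "tracert_out_icmp": echo_reply and time_exceeded,         # Windows tracert
        "traceroute_out_udp": time_exceeded and port_unreachable,  # Unix traceroute
        "inside_pingable_from_outside": echo,
        # ICMP types (code 0) the list admits from outside; fewer is better
        "inbound_types_code0": [t for t in range(0, 41) if permitted(acl, t)],
    }


# The three ACLs from the thread, embedded here as constructed input.
KEEGAN = """
access-list acl_out permit icmp any any time-exceeded
access-list acl_out permit icmp any any unreachable
access-list acl_out permit icmp any any echo
access-list acl_out permit icmp any any echo-reply
"""
MINIMAL = """
access-list acl_out permit icmp any any echo-reply
access-list acl_out permit icmp any any time-exceeded
"""
ACL_111 = """
access-list 111 deny icmp any any fragments
access-list 111 permit icmp any any echo
access-list 111 permit icmp any any echo-reply
access-list 111 permit icmp any any packet-too-big
access-list 111 permit icmp any any source-quench
access-list 111 permit icmp any any time-exceeded
access-list 111 deny icmp any any
"""

if __name__ == "__main__":
    for name, text in (("Keegan", KEEGAN), ("Brian V minimal", MINIMAL), ("acl 111", ACL_111)):
        print(name, assess(parse_acl(text)))
```

Running it shows the trade-off the thread is arguing about: the two-entry list lets ping and Windows tracert out while admitting only types 0 and 11, but Unix traceroute from inside fails because the final port-unreachable is dropped; the four-entry list makes both work at the cost of letting echo (and every unreachable code) in. One caveat outside the thread: on ASA, turning on inspect icmp (and inspect icmp error) in the global service policy makes echo-reply and the error messages stateful, so none of these inbound permits are needed for ping or traceroute from inside; the model above is for the stateless ACL case being discussed.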

How to enable TRACEROUTE through a Cisco PIX, ASA