How to enable TRACEROUTE through a Cisco PIX, ASA

In the outside-in access-list (acl_out), make sure that the following
entries are present:
 
access-list acl_out permit icmp any any time-exceeded
access-list acl_out permit icmp any any unreachable
access-list acl_out permit icmp any any echo
access-list acl_out permit icmp any any echo-reply

I've seen the question asked hundreds of times, and since I finally
found how to do it without allowing ALL icmp, I thought I'd share.

Hope it helps!

-J Keegan
j keegan at ctny dot net

 


Re: How to enable TRACEROUTE through a Cisco PIX, ASA


Not quite. By opening any any echo you have now made your network pingable
from the real world. By adding unreachable you have now given the outside
world the ability to see what addresses you are using. There are only two
things needed for trace: that's the time-exceeded and echo-reply. I would
recommend that you remove the other two for obvious security reasons.


Re: How to enable TRACEROUTE through a Cisco PIX, ASA

If I want to allow ping, would below be acceptable?

access-list 111 deny icmp any any fragments
access-list 111 permit icmp any any echo
access-list 111 permit icmp any any echo-reply
access-list 111 permit icmp any any packet-too-big
access-list 111 permit icmp any any source-quench
access-list 111 permit icmp any any time-exceeded
access-list 111 deny icmp any any



Re: How to enable TRACEROUTE through a Cisco PIX, ASA

If that is inbound on your outside interface, you are now wide open on ICMP,
well not WIDE open, but close enough. The ONLY thing you need for you to be
able to ping out is icmp echo-reply. If you want to trace out you need
echo-reply and time-exceeded. Anything more and it's potentially a higher
security risk than needed.
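Editor's note, with an added example that is not part of any post above and not Cisco code: the three access-lists in this thread differ only in which inbound ICMP types reach the inside, and the disagreement is easiest to settle by running each list against the packets that ping and traceroute actually produce. The script below models the one thing the argument depends on, first-match evaluation top to bottom with the PIX/ASA implicit deny at the end, for the `access-list <name> permit|deny icmp any any [<icmp-type>]` lines quoted in the thread. Two assumptions are labelled in the code: `packet-too-big` is read in its IOS sense (unreachable, code 4) and `fragments` is treated as a per-packet flag rather than an ICMP type, since neither keyword is verified here as PIX syntax. One caveat the thread does not state: the two-entry list (time-exceeded plus echo-reply) is sufficient for ICMP-echo traceroute (Windows `tracert`, or `traceroute -I`), but classic Unix `traceroute` sends UDP probes and needs the final hop's port-unreachable reply (ICMP type 3, code 3), which that list drops; the probe set below includes that packet so the difference shows up.

```python
"""Evaluator for the ICMP access-lists quoted in this thread (added example,
not Cisco code). Models first-match, top-to-bottom evaluation with the
PIX/ASA implicit deny, for lines of the form
    access-list <name> permit|deny icmp any any [<icmp-type>|fragments]
"""
from dataclasses import dataclass
from typing import Optional

# ICMP keywords used in the thread as (type, code); code None matches any code.
# Assumptions: "packet-too-big" is taken in its IOS sense (unreachable, code 4)
# and "fragments" is modelled as a per-packet flag, not an ICMP type.
ICMP_KEYWORDS = {
    "echo": (8, None), "echo-reply": (0, None), "unreachable": (3, None),
    "source-quench": (4, None), "time-exceeded": (11, None), "packet-too-big": (3, 4),
}

# The three access-lists quoted in the thread, verbatim.
ORIGINAL_ACL = """
access-list acl_out permit icmp any any time-exceeded
access-list acl_out permit icmp any any unreachable
access-list acl_out permit icmp any any echo
access-list acl_out permit icmp any any echo-reply
"""
TRIMMED_ACL = """
access-list acl_out permit icmp any any time-exceeded
access-list acl_out permit icmp any any echo-reply
"""
ACL_111 = """
access-list 111 deny icmp any any fragments
access-list 111 permit icmp any any echo
access-list 111 permit icmp any any echo-reply
access-list 111 permit icmp any any packet-too-big
access-list 111 permit icmp any any source-quench
access-list 111 permit icmp any any time-exceeded
access-list 111 deny icmp any any
"""

@dataclass(frozen=True)
class Packet:
    icmp_type: int
    icmp_code: int = 0
    fragment: bool = False      # True for a non-initial IP fragment

@dataclass(frozen=True)
class Rule:
    action: str                 # "permit" or "deny"
    icmp_type: Optional[int]    # None = any type
    icmp_code: Optional[int]    # None = any code
    fragments: bool = False     # rule written with the "fragments" keyword

def parse_acl(text: str, name: str) -> list[Rule]:
    """Parse the 'any any' ICMP lines of one named access-list, in order."""
    rules = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 6 or parts[:2] != ["access-list", name]:
            continue
        action, proto, src, dst = parts[2:6]
        if action not in ("permit", "deny") or proto != "icmp" or (src, dst) != ("any", "any"):
            raise ValueError(f"unsupported line: {line!r}")
        keyword = parts[6] if len(parts) > 6 else None
        if keyword is None:
            rules.append(Rule(action, None, None))
        elif keyword == "fragments":
            rules.append(Rule(action, None, None, fragments=True))
        else:
            icmp_type, icmp_code = ICMP_KEYWORDS[keyword]
            rules.append(Rule(action, icmp_type, icmp_code))
    return rules

def evaluate(rules: list[Rule], pkt: Packet) -> bool:
    """First matching rule decides; falling off the end is the implicit deny."""
    for r in rules:
        if r.fragments:
            if pkt.fragment:
                return r.action == "permit"
            continue                    # "fragments" rules never match initial packets
        if r.icmp_type is not None and r.icmp_type != pkt.icmp_type:
            continue
        if r.icmp_code is not None and r.icmp_code != pkt.icmp_code:
            continue
        return r.action == "permit"
    return False

# Constructed inbound packets as they would arrive on the outside interface.
PROBES = {
    "echo_in":             ("outside host pings us",                 Packet(8)),
    "echo_reply_in":       ("reply to our outbound ping",            Packet(0)),
    "time_exceeded_in":    ("per-hop reply to our traceroute",       Packet(11)),
    "port_unreachable_in": ("final-hop reply to a UDP traceroute",   Packet(3, 3)),
    "host_unreachable_in": ("unreachable for a probe of our ranges", Packet(3, 1)),
    "fragment_in":         ("non-initial fragment of an ICMP echo",  Packet(8, fragment=True)),
}

def verdicts(acl_text: str, name: str) -> dict[str, bool]:
    """Map each probe key to True (permitted inbound) or False (dropped)."""
    rules = parse_acl(acl_text, name)
    return {key: evaluate(rules, pkt) for key, (_, pkt) in PROBES.items()}

if __name__ == "__main__":
    for title, text, name in (("original acl_out", ORIGINAL_ACL, "acl_out"),
                              ("trimmed acl_out", TRIMMED_ACL, "acl_out"),
                              ("access-list 111", ACL_111, "111")):
        print(f"== {title}")
        for key, allowed in verdicts(text, name).items():
            print(f"  {'PERMIT' if allowed else 'DENY  '}  {PROBES[key][0]} ({key})")
```

Running it shows the point each reply makes: the original list answers outside pings and hands back unreachables for probed addresses, the trimmed list does neither but also drops the port-unreachable a UDP traceroute relies on, and list 111 is open to inbound echo while its leading `deny ... fragments` stops non-initial fragments before any permit can match them.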

