Pix - performing traceroute command

Hi,

I have the following setup:

PIX/ASA firewall on public IP address - shielding several other public
addresses.  Gateway is through another subnet, which has a router to
the outside.

In the former firewall, I could do the following:

traceroute ping.aaisp.net.uk:
[...]
1    pippin.hodgsonfamily.org (IP of firewall)
2    merry.hodgsonfamily.org (ip of router)
3    Router belonging to the ISP.

I have enabled the inspect ICMP command in the software, and can ping
to outside hosts, but traceroutes fail at the first hop (timed-out).

Any suggestions?
Thanks.
Andrew.

Re: Pix - performing traceroute command
* Andrew Hodgson wrote:

Allow icmp unreachable, time-out, parameter-problem, source-quench, and some
necessary types more on the outside interface. Newer versions should contain
an icmp traceroute option. But notice that denying icmp is an excellent way
to kill a lot of other IP based protocols in several corner cases.

Re: Pix - performing traceroute command
allow inbound ICMP (permit icmp ACL and access-group) and check your log


HTH
Martin


Re: Pix - performing traceroute command
On Tue, 8 May 2007 20:54:06 +0200, "Martin Bilgrav"


I thought this was what the inspect icmp was going to do - it does it
for pings - allows inbound connections on an outbound request to that
IP.

Andrew.

Re: Pix - performing traceroute command
* Andrew Hodgson wrote:

It seems not enough. Source-Quench, time-out, Unreachable, Parameter-Problem
should be allowed too. inspect icmp checks the content of the icmp payload
to detect a known flow.
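As an added example (not posted by anyone in the thread): the ACL and inspection configuration this advice amounts to on a PIX/ASA 7.x-style CLI. The interface name "outside" and the ACL name "outside_in" are assumed; source-quench is left out of the ACL, a choice discussed further down the thread.

```cisco
! Added example, not from the thread. Assumes the outside interface is
! named "outside" and that an ACL named "outside_in" is used inbound.

! Inbound ACL on the outside interface: admit only the ICMP error types
! that traceroute depends on (each quotes the original datagram).
access-list outside_in extended permit icmp any any time-exceeded
access-list outside_in extended permit icmp any any unreachable
access-list outside_in extended permit icmp any any parameter-problem
! source-quench is deliberately omitted here.
access-group outside_in in interface outside

! ICMP inspection: "inspect icmp" tracks echo request/reply as a flow;
! "inspect icmp error" additionally matches ICMP error messages to the
! flow they quote, so hops reported from behind NAT are translated.
policy-map global_policy
 class inspection_default
  inspect icmp
  inspect icmp error

! Verification: run a traceroute from an inside host, then check that the
! hit counters on these entries increase and the log shows no ICMP denies.
show access-list outside_in
show logging | include ICMP
```

If traceroute still times out at the first hop, compare the denied ICMP types in the log against the ACL entries before adding anything broader.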

Re: Pix - performing traceroute command

Source-Quench is unauthenticated, and could be used as part of
a Denial of Service attack.


Re: Pix - performing traceroute command
* Walter Roberson wrote:

A lot of useful communication is not authenticated on the internet.