Pix - performing traceroute command

Hi,

I have the following setup:

PIX/ASA firewall on public IP address - shielding several other public addresses. Gateway is through another subnet, which has a router to the outside.

In the former firewall, I could do the following:

traceroute ping.aaisp.net.uk: [...]

1 pippin.hodgsonfamily.org (IP of firewall)
2 merry.hodgsonfamily.org (IP of router)
3 Router belonging to the ISP.

I have enabled the inspect ICMP command in the software, and can ping to outside hosts, but traceroutes fail at the first hop (timed-out).

Any suggestions? Thanks. Andrew.

Andrew Hodgson

Allow inbound ICMP (permit icmp ACL and access-group) and check your log.

HTH, Martin

Martin Bilgrav

Allow ICMP unreachable, time-out, parameter-problem, source-quench, and some more necessary types on the outside interface. Newer versions should contain an ICMP traceroute option. But notice that denying ICMP is an excellent way to kill a lot of other IP-based protocols in several corner cases.

Lutz Donnerhacke

I thought this was what inspect icmp was going to do - it does it for pings - it allows inbound connections in response to an outbound request to that IP.

Andrew.

Andrew Hodgson

It seems that is not enough. Source-quench, time-out, unreachable and parameter-problem should be allowed too. inspect icmp checks the content of the ICMP payload to detect a known flow.

Lutz Donnerhacke
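As an added example, not taken from the thread or from any of the posters, here is the kind of PIX/ASA configuration Lutz's two replies describe: stateful ICMP inspection (which is what already makes ping work) plus an inbound ACL on the outside interface that permits only the ICMP error types traceroute and path-MTU discovery depend on, not inbound echo. The interface name `outside` and the ACL name `OUTSIDE_IN` are assumptions; `inspect icmp error` is the ASA 7.x feature I take to be the "ICMP traceroute option" mentioned above, and source-quench is deliberately left out since it is unauthenticated and no longer needed by modern stacks.

```cisco
! Added example (not from the thread). Interface/ACL names are assumptions.
!
! 1. Stateful ICMP inspection. "inspect icmp" pairs an echo-reply with the
!    outbound echo that caused it; "inspect icmp error" additionally lets
!    ICMP error messages from intermediate hops (time-exceeded, unreachable)
!    through by matching the embedded original packet to an existing flow,
!    which is exactly what traceroute needs.
policy-map global_policy
 class inspection_default
  inspect icmp
  inspect icmp error
!
! 2. Inbound ACL on the outside interface for hosts behind the firewall.
!    Only ICMP error types are permitted; inbound echo stays blocked, and
!    source-quench is omitted on purpose.
access-list OUTSIDE_IN extended permit icmp any any time-exceeded
access-list OUTSIDE_IN extended permit icmp any any unreachable
access-list OUTSIDE_IN extended permit icmp any any parameter-problem
access-group OUTSIDE_IN in interface outside
!
! 3. The ACL does not govern ICMP addressed to the firewall's own interface;
!    the "icmp" command does. Traceroute run from the PIX/ASA itself needs
!    the same types permitted here.
icmp permit any time-exceeded outside
icmp permit any unreachable outside
icmp permit any parameter-problem outside
!
! 4. Verification: with logging on, a traceroute that still times out will
!    show the dropped ICMP type in the ACL-deny syslog messages.
logging enable
logging trap informational
```

To check the result, run the traceroute again and look at the syslog for ACL-deny entries naming ICMP; if the first hop now answers but a later one does not, the drop is usually somewhere beyond the firewall rather than in this configuration.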

Source-quench is unauthenticated and could be used as part of a denial-of-service attack.

Walter Roberson

A lot of useful communication on the internet is not authenticated.

Lutz Donnerhacke
