https://community.cisco.com/t5/network-security/pix-7-0-can-no-longer-traceroute-outside/m-p/391850#M558839 <HTML><HEAD></HEAD><BODY><P>Thanks Binh, looks like it's fixed now. I indeed had to enable "inspect icmp error" to get traceroute's working again.</P></BODY></HTML> Thu, 28 Apr 2005 15:31:57 GMT rwhite 2005-04-28T15:31:57Z https://community.cisco.com/t5/network-security/pix-7-0-can-no-longer-traceroute-outside/m-p/391848#M558837 <P>Hi all,</P><P></P><P>I have a PIX 515E that we recently upgraded to 128mb RAM and PIX 7.0. At the very top of our inbound access list, we have the following lines to enable people on our LAN to be able to traceroute to the internet:</P><P></P><P>access-list outside_access_in line 1 remark Allow ICMP echo-replies</P><P>access-list outside_access_in line 2 extended permit icmp any any echo-reply</P><P>access-list outside_access_in line 3 remark Allow ICMP traceroute</P><P>access-list outside_access_in line 4 extended permit icmp any any traceroute</P><P>access-list outside_access_in line 5 remark Permit ICMP unreachables</P><P>access-list outside_access_in line 6 extended permit icmp any any unreachable</P><P>access-list outside_access_in line 7 remark Permit ICMP time-exceeded</P><P>access-list outside_access_in line 8 extended permit icmp any any time-exceeded</P><P></P><P>This all worked fine before the upgrade, where we were previously running 6.3(3). Now after the upgrade, traceroutes and MTR's from *nix or Windows no longer work. I have another PIX running 6.3(3) in parallel that still works fine.</P><P></P><P>Is this a bug in the new 7.0 software? Or is there something new I need to enable to get this working with 7.0?</P><P></P><P>Thanks,</P><P></P><P>-ryan.</P> Fri, 21 Feb 2020 08:06:48 GMT https://community.cisco.com/t5/network-security/pix-7-0-can-no-longer-traceroute-outside/m-p/391848#M558837 rwhite 2020-02-21T08:06:48Z https://community.cisco.com/t5/network-security/pix-7-0-can-no-longer-traceroute-outside/m-p/391849#M558838 <HTML><HEAD></HEAD><BODY><P>Hello Ryan:</P><P></P><P>Have you tried enabling inspection for ICMP and see if that works?</P><P></P><P>Please also upload your 7.0 config for analysis.</P><P></P><P>See release notes for PIX 7.0 code below as regards to ICMP inspection.</P><P></P><P></P><P>----</P><P>Version 7.0(1) introduces an ICMP inspection engine. This engine enables secure usage of</P><P>ICMP, by providing stateful tracking for ICMP connections, matching echo requests with</P><P>replies. Additional controls are available for ICMP error messages, which are only</P><P>permitted for established connections.</P><P></P><P>Use the inspect icmp and the inspect icmp error commands to configure the ICMP inspection</P><P>engine.</P><P></P><P></P><P>For a complete description of the command syntax, see the Cisco PIX Security Appliance Command</P><P>Reference. </P><P></P><P></P><P><A class="jive-link-custom" href="http://www.cisco.com/en/US/products/sw/secursw/ps2120/prod_release_note09186" target="_blank">http://www.cisco.com/en/US/products/sw/secursw/ps2120/prod_release_note09186</A></P><P>a00803f0f4c.html</P><P></P><P>Command reference:</P><P></P><P></P><P><A class="jive-link-custom" href="http://www.cisco.com/en/US/products/sw/secursw/ps2120/products_command_refer" target="_blank">http://www.cisco.com/en/US/products/sw/secursw/ps2120/products_command_refer</A></P><P>ence_chapter09186a00803dfa9b.html</P><P></P><P>Thanks,</P><P>Binh</P></BODY></HTML> Thu, 28 Apr 2005 06:10:56 GMT https://community.cisco.com/t5/network-security/pix-7-0-can-no-longer-traceroute-outside/m-p/391849#M558838 bphan 2005-04-28T06:10:56Z https://community.cisco.com/t5/network-security/pix-7-0-can-no-longer-traceroute-outside/m-p/391850#M558839 <HTML><HEAD></HEAD><BODY><P>Thanks Binh, looks like it's fixed now. I indeed had to enable "inspect icmp error" to get traceroute's working again.</P></BODY></HTML> Thu, 28 Apr 2005 15:31:57 GMT https://community.cisco.com/t5/network-security/pix-7-0-can-no-longer-traceroute-outside/m-p/391850#M558839 rwhite 2005-04-28T15:31:57Z