https://community.cisco.com/t5/network-security/traceroute/m-p/1560928#M635634 <HTML><HEAD></HEAD><BODY><P></P><DIV><P>The firewall will not respond how in traceroutes unless you have the decrement-ttl option.</P><P>The ASA can do that, but you can't fix it with the PIX/FWSM because they will not decrement the ttl and thus will "hide" from the traceroute.</P><P></P><P>I hope it is clear.</P><P></P><P>PK</P></DIV><P></P></BODY></HTML> Thu, 21 Oct 2010 17:53:09 GMT Panos Kampanakis 2010-10-21T17:53:09Z https://community.cisco.com/t5/network-security/traceroute/m-p/1560925#M635553 <P>Hello,</P><P></P><P>I am trying to allow FWSMs and PIXs to appear in traceroutes.&nbsp; It works on an ASA pair that I manage, but I have no luck with the FWSMs and the PIXs.</P><P></P><P>The only command that the ASAs have that the other firewalls don't is "set connection decrement-ttl".</P><P></P><P>All of the interface's ACLs have "icmp any any echo-reply", "icmp any any time-exceeded ", and "icmp any any unreachable".</P><P></P><P>Also "icmp permit any <EM>interface name</EM>" is configured for all interfaces.</P><P></P><P>The only difference is there is no option for "set connection decrement-ttl" on the FWSM/PIXs in their global policy-maps.</P><P></P><P>FWSM Firewall Version 4.0(12) and&nbsp; Cisco PIX Security Appliance Software Version 7.0(7)</P><P></P><P>I have been using <A href="http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a0080094e8a.shtml#trace" target="_blank">http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a0080094e8a.shtml#trace</A> as a guide.</P><P></P><P>Thanks,</P><P></P><P>Any help would be much appreciated.</P> Mon, 11 Mar 2019 18:57:46 GMT https://community.cisco.com/t5/network-security/traceroute/m-p/1560925#M635553 stuartcox79 2019-03-11T18:57:46Z https://community.cisco.com/t5/network-security/traceroute/m-p/1560926#M635580 <HTML><HEAD></HEAD><BODY><P>Hi Stuart,</P><P></P><P>Can you paste the config and tell me what is the model of the Pix firewall?</P><P></P><P>Cheers</P><P></P><P>Mike</P></BODY></HTML> Wed, 20 Oct 2010 22:24:02 GMT https://community.cisco.com/t5/network-security/traceroute/m-p/1560926#M635580 Maykol Rojas 2010-10-20T22:24:02Z https://community.cisco.com/t5/network-security/traceroute/m-p/1560927#M635619 <HTML><HEAD></HEAD><BODY><P>I can't post the config, but I have all the relevant parts of the config in the previous post.</P><P></P><P>The PIXs are 535s and the FWSMs are WS-SVC-FWM-1s.</P></BODY></HTML> Thu, 21 Oct 2010 14:57:48 GMT https://community.cisco.com/t5/network-security/traceroute/m-p/1560927#M635619 stuartcox79 2010-10-21T14:57:48Z https://community.cisco.com/t5/network-security/traceroute/m-p/1560928#M635634 <HTML><HEAD></HEAD><BODY><P></P><DIV><P>The firewall will not respond how in traceroutes unless you have the decrement-ttl option.</P><P>The ASA can do that, but you can't fix it with the PIX/FWSM because they will not decrement the ttl and thus will "hide" from the traceroute.</P><P></P><P>I hope it is clear.</P><P></P><P>PK</P></DIV><P></P></BODY></HTML> Thu, 21 Oct 2010 17:53:09 GMT https://community.cisco.com/t5/network-security/traceroute/m-p/1560928#M635634 Panos Kampanakis 2010-10-21T17:53:09Z