https://community.cisco.com/t5/network-security/icmp-icmp-error-inspection/m-p/1479085#M681565 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>If you are using PAT, then certainly you are hitting this bug. But I stated earlier, it is highly recommended to upgrade the code as 7.0 is very old code.</P><P></P><P>Ashu</P></BODY></HTML> Mon, 03 May 2010 20:42:35 GMT astripat 2010-05-03T20:42:35Z https://community.cisco.com/t5/network-security/icmp-icmp-error-inspection/m-p/1479082#M681562 <P>I'm currently running PIX 7.0.4.10 and preparing for an ASA conversion.&nbsp; In anticipation of the move I've been cleaning up the configs and decided to turn on ICMP &amp;ICMP Error Inspection so I could get replace the "permit icmp any any" statement on my outside ACL with a more secure option. </P><P></P><P>However, traceroutes from Windows boxes now only show the first and last hops.&nbsp; I tried clearing the xlate, but still no go.&nbsp; If I add the permit statement back in it works.&nbsp; Isn't ICMP Error Inspection supposed to take care of this?</P><P></P><P></P><P>Am I missing something?</P><P></P><P>Thanks.</P> Mon, 11 Mar 2019 17:40:16 GMT https://community.cisco.com/t5/network-security/icmp-icmp-error-inspection/m-p/1479082#M681562 terrygwazdosky 2019-03-11T17:40:16Z https://community.cisco.com/t5/network-security/icmp-icmp-error-inspection/m-p/1479083#M681563 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>inspect icmp error should take care of the traceroute. However, if it does not work, we can try the following:</P><P></P><P>access-list external_access_in extended permit icmp any any unreachable <BR />access-list external_access_in extended permit icmp any any time-exceeded</P><P></P><P>access-group external_access_in in interface outside</P><P></P><P>policy-map global_policy<BR /> class ttl<BR />&nbsp; set connection decrement-ttl<BR />class-map ttl<BR /> match any</P><P><BR />Try after that and see if traceroute works. If it still fails, then please see if you are using PAT, if so, you might be running into this bug. CSCeg53811&nbsp;&nbsp;&nbsp; Outbound traceroute not working with pat</P><P></P><P>On a sidenote, 7.o is pretty old code and upgrading to 7.2.4 won't be a bad option.</P><P></P><P>HTH</P><P></P><P>Ashu</P></BODY></HTML> Mon, 03 May 2010 19:44:58 GMT https://community.cisco.com/t5/network-security/icmp-icmp-error-inspection/m-p/1479083#M681563 astripat 2010-05-03T19:44:58Z https://community.cisco.com/t5/network-security/icmp-icmp-error-inspection/m-p/1479084#M681564 <HTML><HEAD></HEAD><BODY><P>When I try to access that bug ID I get: <SPAN style="color: #ff0000;">"Information contained within bug ID CSCeg53811 is&nbsp; only available to Cisco employees."</SPAN></P><P></P><P>I am using PAT but I'm going to hold off on upgrading the PIX since I'll be going up to the ASA within a week or so.&nbsp; I'll try it again afterwards.</P><P></P><P>Thanks.</P></BODY></HTML> Mon, 03 May 2010 20:39:47 GMT https://community.cisco.com/t5/network-security/icmp-icmp-error-inspection/m-p/1479084#M681564 terrygwazdosky 2010-05-03T20:39:47Z https://community.cisco.com/t5/network-security/icmp-icmp-error-inspection/m-p/1479085#M681565 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>If you are using PAT, then certainly you are hitting this bug. But I stated earlier, it is highly recommended to upgrade the code as 7.0 is very old code.</P><P></P><P>Ashu</P></BODY></HTML> Mon, 03 May 2010 20:42:35 GMT https://community.cisco.com/t5/network-security/icmp-icmp-error-inspection/m-p/1479085#M681565 astripat 2010-05-03T20:42:35Z https://community.cisco.com/t5/network-security/icmp-icmp-error-inspection/m-p/1479086#M681566 <HTML><HEAD></HEAD><BODY><P>The bug has to do with the embedded icmp packet in the icmp time exceeded not being overrid by the inspection.</P><P>You will have no issues with the ASA with newer code I bet.</P><P></P><P>I hope it helps.</P><P></P><P>PK</P></BODY></HTML> Mon, 03 May 2010 20:44:38 GMT https://community.cisco.com/t5/network-security/icmp-icmp-error-inspection/m-p/1479086#M681566 Panos Kampanakis 2010-05-03T20:44:38Z https://community.cisco.com/t5/network-security/icmp-icmp-error-inspection/m-p/1479087#M681567 <HTML><HEAD></HEAD><BODY><P>Thanks guys!&nbsp; I spent a few hours troubleshooting this... glad it wasn't just me.&nbsp; <SPAN __jive_emoticon_name="happy" __jive_macro_name="emoticon" class="jive_macro jive_emote" src="https://community.cisco.com/images/emoticons/happy.gif"></SPAN></P></BODY></HTML> Mon, 03 May 2010 20:49:54 GMT https://community.cisco.com/t5/network-security/icmp-icmp-error-inspection/m-p/1479087#M681567 terrygwazdosky 2010-05-03T20:49:54Z https://community.cisco.com/t5/network-security/icmp-icmp-error-inspection/m-p/1479088#M681568 <HTML><HEAD></HEAD><BODY><P>Hi <STRONG style="color: #000000; ">terrygwazdosky</STRONG></P><P></P><P><SPAN style="color: #000000;">In context to your first statement , i would like to tell you that Outbound traceroute requires access-list on the outside interface for time-exceeded and unreachable (for UDP Traceroute) as just enabling ICMP Inspection and ICMP Error inspection in the policy-map <STRONG>wont </STRONG>allow the return traffic from the Upstream / Intermediate hops .</SPAN></P></BODY></HTML> Mon, 03 May 2010 23:34:01 GMT https://community.cisco.com/t5/network-security/icmp-icmp-error-inspection/m-p/1479088#M681568 ankurs2008 2010-05-03T23:34:01Z