https://community.cisco.com/t5/network-security/allowing-traceroute-through-pix/m-p/805142#M963800 <HTML><HEAD></HEAD><BODY><P>Just add the following to your outside interface:</P><P></P><P>access-list <NAME> permit icmp any any echo-reply</NAME></P><P>access-list <NAME> permit icmp any any unreachable</NAME></P><P>access-list <NAME> permit icmp any any time-exceeded</NAME></P><P>access-group <NAME> in interface outside</NAME></P><P></P><P>** <NAME> can be anything you want for the outside interface**</NAME></P><P></P><P>save with write mem and also issue claer xlate</P><P></P><P>pls rate posts if it helps.</P></BODY></HTML> Thu, 06 Sep 2007 11:40:43 GMT jmia 2007-09-06T11:40:43Z https://community.cisco.com/t5/network-security/allowing-traceroute-through-pix/m-p/805138#M963794 <P>What is required to allow a traceroute to go through the PIX firewall? I believe I have it setup correctly, but I'm still unable to trace through. It just times out when it gets to the firewall. Thanks.</P> Mon, 11 Mar 2019 11:07:19 GMT https://community.cisco.com/t5/network-security/allowing-traceroute-through-pix/m-p/805138#M963794 corey.mckinney 2019-03-11T11:07:19Z https://community.cisco.com/t5/network-security/allowing-traceroute-through-pix/m-p/805139#M963795 <HTML><HEAD></HEAD><BODY><P>Use this ACL applied to your outside interface.</P><P></P><P>access-list "ACLNAME" permit icmp any any time-exceeded</P></BODY></HTML> Wed, 05 Sep 2007 21:38:17 GMT https://community.cisco.com/t5/network-security/allowing-traceroute-through-pix/m-p/805139#M963795 cewhitnel 2007-09-05T21:38:17Z https://community.cisco.com/t5/network-security/allowing-traceroute-through-pix/m-p/805140#M963796 <HTML><HEAD></HEAD><BODY><P>How do I apply that ACL to the interface? I can't find the command.</P></BODY></HTML> Wed, 05 Sep 2007 22:11:49 GMT https://community.cisco.com/t5/network-security/allowing-traceroute-through-pix/m-p/805140#M963796 corey.mckinney 2007-09-05T22:11:49Z https://community.cisco.com/t5/network-security/allowing-traceroute-through-pix/m-p/805141#M963798 <HTML><HEAD></HEAD><BODY><P>access-group "access list name" in interface outside</P><P></P></BODY></HTML> Thu, 06 Sep 2007 10:31:03 GMT https://community.cisco.com/t5/network-security/allowing-traceroute-through-pix/m-p/805141#M963798 mkkeyan 2007-09-06T10:31:03Z https://community.cisco.com/t5/network-security/allowing-traceroute-through-pix/m-p/805142#M963800 <HTML><HEAD></HEAD><BODY><P>Just add the following to your outside interface:</P><P></P><P>access-list <NAME> permit icmp any any echo-reply</NAME></P><P>access-list <NAME> permit icmp any any unreachable</NAME></P><P>access-list <NAME> permit icmp any any time-exceeded</NAME></P><P>access-group <NAME> in interface outside</NAME></P><P></P><P>** <NAME> can be anything you want for the outside interface**</NAME></P><P></P><P>save with write mem and also issue claer xlate</P><P></P><P>pls rate posts if it helps.</P></BODY></HTML> Thu, 06 Sep 2007 11:40:43 GMT https://community.cisco.com/t5/network-security/allowing-traceroute-through-pix/m-p/805142#M963800 jmia 2007-09-06T11:40:43Z