11-10-2006 01:36 PM - edited 02-21-2020 01:18 AM
This seems pretty juvenile, but how do I allow traceroute from the inside to the DMZ? My access list has only the implicit rule to allow all higher-security interfaces access to lower-security interfaces. So, all traffic from the inside is being allowed to the DMZ. However, a traceroute is stopping at the firewall. Can someone please help?
11-10-2006 03:36 PM
It depends a bit on what kind of host is trying to traceroute, but take a look at this:
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a00800e9312.shtml
11-28-2006 12:38 PM
Apparently you have to be running V7.0
11-28-2006 05:11 PM
Hello,
If you're using the implied rules to go from high to low security, then you need to define an access list to allow the ICMP messages back in, because they are not considered part of the same 'connection'. I'm assuming NAT is not involved.
access-list outside_in permit icmp any any unreachable
access-list outside_in permit icmp any any time-exceeded
access-list outside_in permit icmp any any echo-reply
--Jason
Please rate this message if it solved some or all of your issue/question.
11-28-2006 09:04 PM
If you are running 7.x, please add the following commands to your PIX
policy-map global_policy
class inspection_default
inspect icmp error
Reference:
http://www.cisco.com/univercd/cc/td/doc/product/multisec/asa_sw/v_70/cref_txt/gl.htm#wp1407027
inspect icmp error
To enable application inspection for ICMP error messages, use the inspect icmp error
command in class configuration mode. Class configuration mode is accessible from policy
map configuration mode.
Defaults
This command is disabled by default.
Use the icmp error command to create xlates for intermediate hops that send ICMP error
messages, based on the static/NAT configuration. The security appliance overwrites the
packet with the translated IP addresses.
When enabled, the ICMP error inspection engine makes the following changes to the ICMP
packet:
- In the IP Header, the NAT IP is changed to the Client IP (Destination Address) and the IP checksum is modified.
- In the ICMP Header, the ICMP checksum is modified due to the changes in the ICMP packet.
- In the Payload, the following changes are made:
  - Original packet NAT IP is changed to the Client IP
  - Original packet NAT port is changed to the Client Port
  - Original packet IP checksum is recalculated
Hope it helps
Franco Zamora
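The two answers above describe the same underlying problem from different angles: the ICMP time-exceeded and unreachable messages that traceroute depends on come from intermediate routers, not from the host the probe was sent to, so a stateful firewall sees no matching connection and drops them unless either an explicit inbound ACL permits those ICMP types (Jason's answer) or ICMP error inspection matches the embedded original header to the existing connection and rewrites the NAT addresses (Franco's answer). The following toy model, added here as an illustration and not Cisco code or part of this thread, simulates one traceroute hop through a firewall in each of the three configurations. All addresses are constructed from RFC 5737 documentation ranges, and the class and function names are invented for the example.

```python
"""Toy model of how a stateful firewall treats the ICMP errors traceroute
relies on. Constructed illustration, not vendor code. Simplifications:
one direction (inside -> DMZ), UDP probes, and a single intermediate hop."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Flow:
    """Headers of the original outbound probe, as seen on the wire."""
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


@dataclass
class IcmpError:
    """ICMP type 11 (time-exceeded) or type 3 (unreachable). The router that
    generates it copies the original datagram's headers into the payload."""
    src: str          # the hop router that generated the error
    dst: str          # outer destination: the probe's (possibly translated) source
    icmp_type: int
    inner: Flow       # embedded copy of the original probe's headers


class Firewall:
    """Connection table plus optional static NAT, inbound ACL and ICMP error inspection."""

    def __init__(self, nat=None, inspect_icmp_error=False, inbound_acl=()):
        self.nat = dict(nat or {})                       # inside IP -> global IP
        self.rnat = {g: i for i, g in self.nat.items()}  # global IP -> inside IP
        self.conns = set()                               # flows permitted outbound
        self.inspect_icmp_error = inspect_icmp_error
        self.inbound_acl = set(inbound_acl)              # permitted inbound ICMP types

    def outbound(self, flow: Flow) -> Flow:
        """High-to-low traffic is permitted implicitly; record the translated flow."""
        xl = Flow(flow.proto, self.nat.get(flow.src, flow.src),
                  flow.sport, flow.dst, flow.dport)
        self.conns.add(xl)
        return xl

    def inbound_icmp(self, pkt: IcmpError) -> Optional[IcmpError]:
        """Return the packet delivered to the inside host, or None if dropped."""
        client = self.rnat.get(pkt.dst, pkt.dst)   # static NAT untranslates the outer header
        # 1. Inspection: the embedded original header matches an existing connection,
        #    so the error is accepted and the NAT IP inside the payload is rewritten too.
        if self.inspect_icmp_error and pkt.inner in self.conns:
            fixed_inner = Flow(pkt.inner.proto, client, pkt.inner.sport,
                               pkt.inner.dst, pkt.inner.dport)
            return IcmpError(pkt.src, client, pkt.icmp_type, fixed_inner)
        # 2. Explicit ACL: the ICMP type is permitted regardless of connection state;
        #    the payload still carries the untranslated global address.
        if pkt.icmp_type in self.inbound_acl:
            return IcmpError(pkt.src, client, pkt.icmp_type, pkt.inner)
        # 3. Otherwise: the source is the hop router, not the probe target, so the
        #    packet matches no connection and no rule. This is the original poster's case.
        return None


def run_traceroute_hop(fw: Firewall) -> Optional[IcmpError]:
    """Inside host probes a DMZ host with TTL=1; the first hop answers with time-exceeded."""
    probe = Flow("udp", "10.0.0.5", 40000, "192.0.2.10", 33434)   # constructed addresses
    on_wire = fw.outbound(probe)
    # The hop only sees the translated header and copies it into the ICMP payload.
    err = IcmpError(src="198.51.100.1", dst=on_wire.src, icmp_type=11, inner=on_wire)
    return fw.inbound_icmp(err)


NAT = {"10.0.0.5": "203.0.113.5"}   # constructed static translation

def implicit_rules_only():
    return run_traceroute_hop(Firewall(NAT))

def with_inbound_acl():
    # Equivalent of: access-list outside_in permit icmp any any {unreachable,time-exceeded,echo-reply}
    return run_traceroute_hop(Firewall(NAT, inbound_acl={3, 11, 0}))

def with_icmp_error_inspection():
    # Equivalent of: inspect icmp error under class inspection_default
    return run_traceroute_hop(Firewall(NAT, inspect_icmp_error=True))


if __name__ == "__main__":
    print("implicit rules only :", implicit_rules_only())
    print("with inbound ACL    :", with_inbound_acl())
    print("with inspection     :", with_icmp_error_inspection())
```

Running the block shows the three outcomes side by side: with only the implicit rules the time-exceeded is dropped, the ACL lets it through but leaves the NAT address in the payload, and inspection both admits it and rewrites the embedded header to the client address as the command reference describes. The design difference matters for a defender: the ACL admits those ICMP types from any source whether or not a probe was ever sent, while inspection only accepts an error whose embedded header matches a connection the firewall already has in its table.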