
Allowing 'traceroute' through a PIX

corey.mckinney
Level 1

This seems pretty juvenile, but how do I allow traceroute from the inside to the dmz? My access list has only the implicit rule to allow all higher secured interfaces access to lower secured interfaces. So, all traffic from the inside is being allowed to the dmz. However, a traceroute is stopping at the firewall. Can someone please help?

4 Replies

mhellman
Level 7

It depends a bit on what kind of host is trying to traceroute, but take a look at this:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a00800e9312.shtml

Apparently you have to be running V7.0

jgervia_2
Level 1

Hello,

If you're using the implied rules to go from high to low security, then you need to define an access list to allow the ICMP messages back in, because they are not considered part of the same 'connection'. I'm assuming NAT is not involved.

access-list outside_in permit icmp any any unreachable

access-list outside_in permit icmp any any time-exceeded

access-list outside_in permit icmp any any echo-reply

--Jason

Please rate this message if it solved some or all of your issue/question.
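An added example configuration showing how the two approaches in this thread fit together on a PIX 7.x; it is not from the thread and assumes interfaces named inside (security level 100) and dmz (security level 50), an ACL name of dmz_in, and no NAT between the two interfaces. Which ICMP types matter depends on the host doing the tracing: a Unix traceroute sends UDP probes and expects time-exceeded from each hop and port-unreachable from the target, while Windows tracert sends ICMP echo and expects time-exceeded plus an echo-reply from the target, which is why all three types are permitted.

```text
! Added example, not the thread's configuration. Assumed names: inside, dmz, dmz_in.
!
! Option A: permit the replies explicitly on the lower-security interface.
! They arrive inbound on dmz, so the ACL is applied there (an ACL called
! outside_in, as in the reply above, would be the one bound to the outside interface).
access-list dmz_in permit icmp any any time-exceeded
access-list dmz_in permit icmp any any unreachable
access-list dmz_in permit icmp any any echo-reply
access-group dmz_in in interface dmz
!
! Option B (7.x only): inspect ICMP statefully instead, so an echo-reply is
! matched to the outgoing echo and an ICMP error is matched to the probe it quotes.
policy-map global_policy
 class inspection_default
  inspect icmp
  inspect icmp error
```

One caveat with Option A: once an inbound ACL is bound to dmz, the implicit permit for traffic the dmz initiates toward lower-security interfaces no longer applies, so any dmz-to-outside traffic that must keep working needs its own permit lines in the same ACL.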

fzamora
Cisco Employee

If you are running 7.x, please add the following commands to your PIX

policy-map global_policy
 class inspection_default
  inspect icmp error

Reference:

http://www.cisco.com/univercd/cc/td/doc/product/multisec/asa_sw/v_70/cref_txt/gl.htm#wp1407027

inspect icmp error

To enable application inspection for ICMP error messages, use the inspect icmp error command in class configuration mode. Class configuration mode is accessible from policy map configuration mode.

Defaults

This command is disabled by default.

Use the icmp error command to create xlates for intermediate hops that send ICMP error messages, based on the static/NAT configuration. The security appliance overwrites the packet with the translated IP addresses.

When enabled, the ICMP error inspection engine makes the following changes to the ICMP packet:

- In the IP Header, the NAT IP is changed to the Client IP (Destination Address) and the IP checksum is modified.
- In the ICMP Header, the ICMP checksum is modified due to the changes in the ICMP packet.
- In the Payload, the following changes are made:
  - Original packet NAT IP is changed to the Client IP
  - Original packet NAT port is changed to the Client Port
  - Original packet IP checksum is recalculated

Hope it helps

Franco Zamora
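The rewrite that the quoted inspect icmp error documentation describes, as an added Python model; this is not PIX code and not from the thread. It builds a constructed UDP traceroute probe that has been PAT'ed from 10.1.1.10:40000 to 172.16.1.1:1024 on the dmz side, the ICMP time-exceeded that a dmz hop 192.168.1.1 returns quoting that probe, and then applies the three changes the documentation lists after looking the NAT address and port up in a constructed xlate table. All addresses, ports and the xlate table are assumptions for illustration; a packet for which no xlate exists is returned as None, standing in for the drop the original poster saw.

```python
"""Model of what 'inspect icmp error' does to an ICMP error returned to a NAT
address: outer destination and quoted original packet are rewritten to the real
client, and the checksums are recomputed.  Added example, stdlib only; the
addresses, ports and xlate table below are constructed for illustration."""
import struct

IPPROTO_ICMP, IPPROTO_TCP, IPPROTO_UDP = 1, 6, 17
ICMP_ERROR_TYPES = {3, 11, 12}      # unreachable, time-exceeded, parameter problem


def checksum(data) -> int:
    """RFC 1071 one's-complement sum; returns 0 when run over a valid header."""
    data = bytes(data)
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ip_bytes(addr: str) -> bytes:
    return bytes(int(o) for o in addr.split("."))


def ip_str(raw) -> str:
    return ".".join(str(b) for b in raw)


def build_ipv4(src: str, dst: str, proto: int, payload: bytes, ttl: int = 64) -> bytes:
    hdr = bytearray(struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234,
                                0, ttl, proto, 0, ip_bytes(src), ip_bytes(dst)))
    hdr[10:12] = struct.pack("!H", checksum(hdr))
    return bytes(hdr) + payload


def build_udp(sport: int, dport: int, data: bytes) -> bytes:
    # UDP checksum 0 means "not computed", which IPv4 permits.
    return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data


def build_icmp_time_exceeded(hop: str, dst: str, original: bytes) -> bytes:
    """ICMP type 11/code 0 quoting the original IP header plus 8 payload bytes (RFC 792)."""
    icmp = bytearray(struct.pack("!BBHI", 11, 0, 0, 0) + original[:28])
    icmp[2:4] = struct.pack("!H", checksum(icmp))
    return build_ipv4(hop, dst, IPPROTO_ICMP, bytes(icmp))


def _port_offset(proto: int, ihl: int) -> int:
    # UDP/TCP: source port is the first 16 bits of the transport header.
    # ICMP echo (Windows tracert): the "port" PAT translates is the identifier at offset 4.
    return ihl if proto in (IPPROTO_TCP, IPPROTO_UDP) else ihl + 4


def untranslate_icmp_error(packet: bytes, xlate: dict):
    """Return the rewritten packet, or None when no xlate matches (the firewall drops it)."""
    ihl = (packet[0] & 0x0F) * 4
    outer, icmp = bytearray(packet[:ihl]), bytearray(packet[ihl:])
    if outer[9] != IPPROTO_ICMP or icmp[0] not in ICMP_ERROR_TYPES:
        return None
    inner = icmp[8:]                      # the quoted original datagram (a copy)
    inner_ihl = (inner[0] & 0x0F) * 4
    off = _port_offset(inner[9], inner_ihl)
    nat_key = (ip_str(inner[12:16]), struct.unpack("!H", inner[off:off + 2])[0])
    if nat_key not in xlate or ip_str(outer[16:20]) != nat_key[0]:
        return None
    client_ip, client_port = xlate[nat_key]
    # 1. IP header: NAT IP -> client IP as destination, IP checksum recomputed.
    outer[16:20] = ip_bytes(client_ip)
    outer[10:12] = b"\x00\x00"
    outer[10:12] = struct.pack("!H", checksum(outer))
    # 2. Payload: quoted source NAT IP/port -> client IP/port, its IP checksum recomputed.
    #    Only 8 bytes of the transport header are quoted, so a UDP/TCP checksum there
    #    cannot be fixed, which matches the documentation listing only the IP checksum.
    inner[12:16] = ip_bytes(client_ip)
    inner[off:off + 2] = struct.pack("!H", client_port)
    inner[10:12] = b"\x00\x00"
    inner[10:12] = struct.pack("!H", checksum(inner[:inner_ihl]))
    icmp[8:] = inner
    # 3. ICMP header: checksum recomputed over the changed ICMP message.
    icmp[2:4] = b"\x00\x00"
    icmp[2:4] = struct.pack("!H", checksum(icmp))
    return bytes(outer) + bytes(icmp)


def describe(packet: bytes) -> dict:
    """Decode the fields an operator would check, plus whether all three checksums verify."""
    ihl = (packet[0] & 0x0F) * 4
    icmp = packet[ihl:]
    inner = icmp[8:]
    inner_ihl = (inner[0] & 0x0F) * 4
    off = _port_offset(inner[9], inner_ihl)
    return {
        "outer_src": ip_str(packet[12:16]),
        "outer_dst": ip_str(packet[16:20]),
        "icmp_type": icmp[0],
        "inner_src": ip_str(inner[12:16]),
        "inner_dst": ip_str(inner[16:20]),
        "inner_sport": struct.unpack("!H", inner[off:off + 2])[0],
        "checksums_ok": checksum(packet[:ihl]) == 0 and checksum(icmp) == 0
                        and checksum(inner[:inner_ihl]) == 0,
    }


# Constructed scenario: inside host 10.1.1.10:40000 is PAT'ed to 172.16.1.1:1024 on the
# dmz side, and its UDP traceroute probe (TTL 1) expires at dmz router 192.168.1.1.
XLATE = {("172.16.1.1", 1024): ("10.1.1.10", 40000)}


def demo():
    probe = build_ipv4("172.16.1.1", "192.168.1.20", IPPROTO_UDP,
                       build_udp(1024, 33434, b"\x00" * 32), ttl=1)
    error = build_icmp_time_exceeded("192.168.1.1", "172.16.1.1", probe)
    rewritten = untranslate_icmp_error(error, XLATE)
    return describe(error), (describe(rewritten) if rewritten else None)


if __name__ == "__main__":
    before, after = demo()
    print("as received from the hop:", before)
    print("after icmp error inspection:", after)
```

Without the xlate lookup the time-exceeded would be addressed to 172.16.1.1, which nothing on the inside owns, so the client never sees the hop; that is the "stops at the firewall" symptom from the original question when NAT is involved.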
