This seems pretty juvenile, but how do I allow traceroute from the inside to the dmz. My access list has only the implicit rule to allow all higher secured interfaces access to lower secured interfaces. So, all traffic from the inside is being allowed to the dmz. However, a traceroute is stopping at the firewall. Can someone please help???
It depends a bit on what kind of host is trying to traceroute, but take a look at this:
If you're using the implied rules to go from high to low security, then you need to define an access list to allow the icmp messages back in because they are not considered part of the same 'connection'. I'm assuming NAT is not involved.
access-list outside_in permit icmp any any unreachable
access-list outside_in permit icmp any any time-exceeded
access-list outside_in permit icmp any any echo-reply
Please rate this message if it solved some or all of your issue/question.
If you are running 7.x, please add the following commands to your PIX
inspect icmp error
To enable application inspection for ICMP error messages, use the inspect icmp error
command in class configuration mode. Class configuration mode is accessible from policy
map configuration mode.
This command is disabled by default.
Use the icmp error command to create xlates for intermediate hops that send ICMP error
messages, based on the static/NAT configuration. The security appliance overwrites the
packet with the translated IP addresses.
When enabled, the ICMP error inspection engine makes the following changes to the ICMP
• In the IP Header, the NAT IP is changed to the Client IP (Destination Address) and the IP checksum is modified.
• In the ICMP Header, the ICMP checksum is modified due to the changes in the ICMP packet.
• In the Payload, the following changes are made:
- Original packet NAT IP is changed to the Client IP
- Original packet NAT port is changed to the Client Port
- Original packet IP checksum is recalculated
Hope it helps
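Putting the two answers together into one PIX/ASA 7.x configuration fragment, as an added example that is not from either poster: it assumes the lower-security interface is named dmz, the return-traffic ACL is named dmz_in, and the default 7.x policy-map and class names (global_policy, inspection_default) are in place. The same three ICMP types cover both Windows tracert (ICMP echo probes, answered by echo-reply) and Unix traceroute (UDP probes, answered by port unreachable), since both depend on time-exceeded from intermediate hops.

```cisco
! Return traffic for a traceroute run from inside toward the DMZ.
! Without ICMP inspection the appliance does not tie these error messages
! to the outbound probe, so the lower-security side needs explicit entries.
! (interface name dmz and ACL name dmz_in are assumed for this example)
access-list dmz_in permit icmp any any time-exceeded
access-list dmz_in permit icmp any any unreachable
access-list dmz_in permit icmp any any echo-reply
access-group dmz_in in interface dmz
!
! 7.x only: inspect ICMP so echo/echo-reply are tracked as a connection, and
! inspect ICMP error messages so intermediate-hop errors are matched to the
! probe and have their embedded addresses rewritten when NAT is involved.
! (global_policy and inspection_default are the 7.x default names, assumed here)
policy-map global_policy
 class inspection_default
  inspect icmp
  inspect icmp error
service-policy global_policy global
```

After applying it, a traceroute from an inside host should show the DMZ host as the final hop; the firewall itself may still appear as * * * because it does not answer probes addressed through it.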