cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements

376
Views
0
Helpful
4
Replies
corey.mckinney
Beginner

Allowing 'traceroute' through a PIX

This seems pretty juvenile, but how do I allow traceroute from the inside to the dmz. My access list has only the implict rule to allow all higher secured interfaces access to lower secured interfaces. So, all traffic from the inside is being allowed to the dmz. However, a traceroute is stopping at the firewall. Can someone please help???

4 REPLIES 4
mhellman
Rising star

It depends a bit on what kind of host is trying to traceroute, but take a look at this:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a00800e9312.shtml

Apparently you have to be running V7.0

jgervia_2
Beginner

Hello,

If you're using the implied rules to go from high to low security, then you need to define and access list to allow the icmp messages back in because they are not considered part of the same 'connection'. I'm assuming NAT is not involved.

access-list outside_in permit icmp any any unreachable

access-list outside_in permit icmp any any time-exceeded

access-list outside_in permit icmp any any echo-reply

--Jason

Please rate this message if it solved some or all of your issue/question.

fzamora
Cisco Employee

If you are running 7.x, please add the following commands to your PIX

policy-map global_policy

class inspection_default

inspect icmp error

Reference:

http://www.cisco.com/univercd/cc/td/doc/product/multisec/asa_sw/v_70/cref_tx

t/gl.htm#wp1407027

inspect icmp error

To enable application inspection for ICMP error messages, use the inspect icmp error

command in class configuration mode. Class configuration mode is accessible from policy

map configuration mode.

Defaults

This command is disabled by default.

Use the icmp error command to create xlates for intermediate hops that send ICMP error

messages, based on the static/NAT configuration. The security appliance overwrites the

packet with the translated IP addresses.

When enabled, the ICMP error inspection engine makes the following changes to the ICMP

packet:

? In the IP Header, the NAT IP is changed to the Client IP (Destination Address) and the

IP checksum is modified.

? In the ICMP Header, the ICMP checksum is modified due to the changes in the ICMP packet.

? In the Payload, the following changes are made:

- Original packet NAT IP is changed to the Client IP

- Original packet NAT port is changed to the Client Port

- Original packet IP checksum is recalculated

Hope it helps

Franco Zamora

Content for Community-Ad