Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
469
Views
5
Helpful
2
Replies

PIX 7.0 can no longer traceroute outside?

rwhite
Level 1
Level 1

‎04-27-2005 04:10 PM - edited ‎02-21-2020 12:06 AM

Hi all,

I have a PIX 515E that we recently upgraded to 128mb RAM and PIX 7.0. At the very top of our inbound access list, we have the following lines to enable people on our LAN to be able to traceroute to the internet:

access-list outside_access_in line 1 remark Allow ICMP echo-replies

access-list outside_access_in line 2 extended permit icmp any any echo-reply

access-list outside_access_in line 3 remark Allow ICMP traceroute

access-list outside_access_in line 4 extended permit icmp any any traceroute

access-list outside_access_in line 5 remark Permit ICMP unreachables

access-list outside_access_in line 6 extended permit icmp any any unreachable

access-list outside_access_in line 7 remark Permit ICMP time-exceeded

access-list outside_access_in line 8 extended permit icmp any any time-exceeded

This all worked fine before the upgrade, where we were previously running 6.3(3). Now after the upgrade, traceroutes and MTR's from *nix or Windows no longer work. I have another PIX running 6.3(3) in parallel that still works fine.

Is this a bug in the new 7.0 software? Or is there something new I need to enable to get this working with 7.0?

Thanks,

-ryan.

0 Helpful
2 Replies 2

bphan
Level 1
Level 1

‎04-27-2005 11:10 PM

Hello Ryan:

Have you tried enabling inspection for ICMP and see if that works?

Please also upload your 7.0 config for analysis.

See release notes for PIX 7.0 code below as regards to ICMP inspection.

----

Version 7.0(1) introduces an ICMP inspection engine. This engine enables secure usage of

ICMP, by providing stateful tracking for ICMP connections, matching echo requests with

replies. Additional controls are available for ICMP error messages, which are only

permitted for established connections.

Use the inspect icmp and the inspect icmp error commands to configure the ICMP inspection

engine.

For a complete description of the command syntax, see the Cisco PIX Security Appliance Command

Reference.

http://www.cisco.com/en/US/products/sw/secursw/ps2120/prod_release_note09186

a00803f0f4c.html

Command reference:

http://www.cisco.com/en/US/products/sw/secursw/ps2120/products_command_refer

ence_chapter09186a00803dfa9b.html

Thanks,

Binh

0 Helpful

rwhite
Level 1
Level 1
In response to bphan

‎04-28-2005 08:31 AM

Thanks Binh, looks like it's fixed now. I indeed had to enable "inspect icmp error" to get traceroute's working again.

Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card