pix 7.0 traceroute problems

wkw
Level 1

Hiya,

I've upgraded to pix v7.0(1) and after that, I've been having this problem of being unable to traceroute out of my WAN connection. The pix hooks up to the internet, and when I do a ping from inside to outside external IP addresses, it works, but traceroute will return unreachable after the pix hop. Traceroute to the border router immediately after the pix works. Checking the logs showed ICMP Time Exceeded packet logs:

%PIX-4-400015: IDS:2005 ICMP time exceeded from xxx to yyy outside

I have already explicitly allowed it with

access-list out_in line 12 extended permit icmp any xxx 255.255.255.224 time-exceeded

to allow time-exceeded ICMP packets to come in, but to no avail. Any suggestions? Inspect icmp is on as well.

5 Replies

gfullage
Cisco Employee

The log message you're seeing is a PIX IDS message specifically, so you have the "ip audit" functionality enabled within the PIX config. This may be configured to drop signature 2005 which is a time-exceeded message.

Try something like:

ip audit signature 2005 disable

and see if that helps.

Signature 2005 is an Informational level alert only (see http://www.cisco.com/univercd/cc/td/doc/product/multisec/asa_sw/v_70/syslog/saslmsgs.htm#wp2266061), so this might imply that you have enabled the dropping of informational level alerts with the following:

ip audit info action alarm drop

where the default for this type of alert is only to alert on them. See http://www.cisco.com/univercd/cc/td/doc/product/multisec/asa_sw/v_70/cref_txt/gl.htm#wp1411995 for details.
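The reasoning in this reply (an IDS syslog line means "ip audit" is on; the signature is informational; the time-exceeded packets are dropped only if the info class action includes "drop", and "ip audit signature 2005 disable" stops the signature being evaluated at all) can be checked mechanically against a config and a log. The script below is an added example written for this thread, not Cisco code or anything from the original posts: it parses %PIX-4-400015 lines of the shape quoted above, reads the two "ip audit" forms the reply mentions, and reports what the policy implies for each hit. The log lines, the addresses (RFC 5737 documentation ranges in place of the masked ones) and the three configs are constructed; the only signature class it knows is 2005 = informational, exactly as the reply states, and anything else is reported as unknown rather than guessed.

```python
import re
from collections import Counter

# Regex for the PIX IDS syslog line quoted in the thread. The page shows the
# interface name directly after the destination; devices also write
# "on interface <name>", so both shapes are accepted.
IDS_LINE = re.compile(
    r"%PIX-4-(?P<msgid>\d{6}): IDS:(?P<sig>\d+) (?P<desc>.+?) "
    r"from (?P<src>\S+) to (?P<dst>\S+) (?:on interface )?(?P<iface>\S+)$"
)

# Signature classes only as far as the thread states them: 2005 is informational.
# Any other signature is reported as "unknown class" rather than guessed.
INFO_SIGNATURES = {2005}


def parse_audit_policy(config_text):
    """Extract the two ip audit settings that matter for this question.

    Defaults mirror what the reply describes: informational signatures only
    raise an alarm unless 'ip audit info action ... drop' is configured.
    """
    policy = {"info_actions": {"alarm"}, "disabled": set()}
    for raw in config_text.splitlines():
        line = raw.strip()
        m = re.fullmatch(r"ip audit info action((?: \w+)+)", line)
        if m:
            policy["info_actions"] = set(m.group(1).split())
            continue
        m = re.fullmatch(r"ip audit signature (\d+) disable", line)
        if m:
            policy["disabled"].add(int(m.group(1)))
    return policy


def expected_outcome(sig, policy):
    """What the configured policy does with a hit on signature `sig`."""
    if sig in policy["disabled"]:
        return "disabled (not evaluated)"
    if sig in INFO_SIGNATURES:
        return "dropped" if "drop" in policy["info_actions"] else "alarm only"
    return "unknown class"


def triage(log_text, config_text):
    """Pair each IDS syslog line with the outcome the audit policy implies.

    Returns a list of (signature, description, interface, outcome) tuples.
    """
    policy = parse_audit_policy(config_text)
    results = []
    for line in log_text.splitlines():
        m = IDS_LINE.match(line.strip())
        if not m:
            continue  # not an IDS message; ignore
        sig = int(m["sig"])
        results.append((sig, m["desc"], m["iface"], expected_outcome(sig, policy)))
    return results


def summarize(results):
    """Count hits per (signature, outcome) so a drop policy stands out."""
    return Counter((sig, outcome) for sig, _, _, outcome in results)


# Constructed sample data: the message shape from the thread with the masked
# addresses replaced by RFC 5737 documentation addresses.
SAMPLE_LOG = """\
%PIX-4-400015: IDS:2005 ICMP time exceeded from 203.0.113.7 to 198.51.100.1 outside
%PIX-4-400015: IDS:2005 ICMP time exceeded from 203.0.113.9 to 198.51.100.1 on interface outside
%PIX-4-400015: IDS:2005 ICMP time exceeded from 203.0.113.11 to 198.51.100.1 outside
"""

DROPPING_CONFIG = "ip audit info action alarm drop\n"  # the setting the reply suspects
DEFAULT_CONFIG = "ip audit info action alarm\n"        # default: alarm only
DISABLED_CONFIG = DROPPING_CONFIG + "ip audit signature 2005 disable\n"  # the suggested change

if __name__ == "__main__":
    for name, cfg in [("dropping", DROPPING_CONFIG), ("default", DEFAULT_CONFIG),
                      ("2005 disabled", DISABLED_CONFIG)]:
        print(name, dict(summarize(triage(SAMPLE_LOG, cfg))))
```

Run against a real "show run | include ip audit" and a syslog export, the summary tells you in one line whether the firewall is merely logging the time-exceeded replies or dropping them, which is the distinction the reply is drawing.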

I tried what you advised, unfortunately it did not work. Here's a sample of a traceroute in my case:

Tracing route to www.l.google.com [64.233.189.104]
over a maximum of 30 hops:

1 2 ms 1 ms 1 ms 172.18.xxx.xxx
2 1 ms 1 ms 1 ms 172.16.xxx.xxx -> next hop is the firewall and then the ISP router
3 * * * Request timed out.
4 * * * Request timed out.
5 * * * Request timed out.
6 * * * Request timed out.
7 * * * Request timed out.
8 * * * Request timed out.
9 * * * Request timed out.
10 * * * Request timed out.
11 * * * Request timed out.
12 * * * Request timed out.
13 * * * Request timed out.
14 * * * Request timed out.
15 161 ms 162 ms 163 ms 64.233.189.104

Trace complete.

Straight from Cisco TAC:

To permit traceroute through PIX under 7.0 code, we need to add "inspect icmp error" in the PIX configuration. Please implement the following commands in PIX configuration mode:

--> policy-map global_policy

--> class inspection_default

--> inspect icmp error

--> write mem

Hope this works for you also!
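Why "inspect icmp error" is the missing piece, rather than the ACL: a traceroute probe leaves with the firewall's translated source address, and the Time Exceeded message that comes back from each router carries a copy of that translated probe inside the ICMP payload. Something has to look inside the error, find the flow it belongs to, and untranslate both the outer destination and the embedded header before the inside host can recognise its own probe. The model below is an added example written for this thread, not PIX code and not anything from the original posts: a toy stateful NAT firewall that behaves the way the thread describes, matching ICMP errors only when error inspection is on, for both UDP-style (Unix traceroute) and echo-style (Windows tracert) probes. The inside, outside and router addresses are constructed (RFC 5737 ranges); the target address is the one in the tracert output above; the 1:1 static NAT is an assumption made to keep the model short.

```python
import socket
import struct

IPPROTO_ICMP, IPPROTO_UDP = 1, 17
ICMP_ECHO, ICMP_TIME_EXCEEDED = 8, 11


def ipv4_header(src, dst, proto, payload_len, ttl=64):
    """Minimal 20-byte IPv4 header; checksum left 0 since it plays no part
    in flow matching."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, ttl,
                       proto, 0, socket.inet_aton(src), socket.inet_aton(dst))


def udp_probe(src, dst, sport, dport, ttl):
    """A Unix-style traceroute probe: UDP to a high port with a small TTL."""
    return ipv4_header(src, dst, IPPROTO_UDP, 8, ttl) + struct.pack("!HHHH", sport, dport, 8, 0)


def icmp_echo_probe(src, dst, ident, seq, ttl):
    """A Windows tracert-style probe: ICMP echo request with a small TTL."""
    return ipv4_header(src, dst, IPPROTO_ICMP, 8, ttl) + struct.pack("!BBHHH", ICMP_ECHO, 0, 0, ident, seq)


def icmp_time_exceeded(router, dst, original):
    """What a router sends when the probe's TTL expires: ICMP type 11, code 0,
    followed by the original IP header plus the first 8 bytes of its payload."""
    embedded = original[:28]
    return (ipv4_header(router, dst, IPPROTO_ICMP, 8 + len(embedded))
            + struct.pack("!BBHI", ICMP_TIME_EXCEEDED, 0, 0, 0) + embedded)


def flow_key(pkt):
    """Identify a flow from an IPv4 header plus 8 bytes of transport header,
    which is all an ICMP error is guaranteed to carry."""
    proto = pkt[9]
    src, dst = socket.inet_ntoa(pkt[12:16]), socket.inet_ntoa(pkt[16:20])
    l4 = pkt[20:28]
    if proto == IPPROTO_UDP:
        sport, dport = struct.unpack("!HH", l4[:4])
        return (proto, src, dst, sport, dport)
    if proto == IPPROTO_ICMP and l4[0] == ICMP_ECHO:
        ident = struct.unpack("!H", l4[4:6])[0]
        return (proto, src, dst, ident, 0)
    return None


class Firewall:
    """Simplified stateful NAT firewall (a model of the thread's symptom, not PIX code)."""

    def __init__(self, inside_ip, outside_ip, inspect_icmp_error):
        self.nat = {inside_ip: outside_ip}   # static 1:1 translation (assumption)
        self.unnat = {outside_ip: inside_ip}
        self.flows = set()                   # flows as they look on the outside
        self.inspect_icmp_error = inspect_icmp_error

    def outbound(self, pkt):
        """Translate the source address and record the outbound flow."""
        src = socket.inet_ntoa(pkt[12:16])
        xlated = pkt[:12] + socket.inet_aton(self.nat[src]) + pkt[16:]
        self.flows.add(flow_key(xlated))
        return xlated

    def inbound(self, pkt):
        """Return the packet to deliver inside, or None if it is not admitted.

        With error inspection off the ICMP error is never tied to a flow (the
        symptom in the thread). With it on, the embedded packet is matched
        against the flow table and both the outer destination and the
        embedded source are untranslated so the inside host recognises its probe.
        """
        if pkt[9] != IPPROTO_ICMP or pkt[20] != ICMP_TIME_EXCEEDED:
            return None                      # only ICMP errors are modelled here
        if not self.inspect_icmp_error:
            return None
        inner = pkt[28:]
        if flow_key(inner) not in self.flows:
            return None                      # error for a flow we never saw
        inside = self.unnat.get(socket.inet_ntoa(inner[12:16]))
        if inside is None:
            return None
        fixed_inner = inner[:12] + socket.inet_aton(inside) + inner[16:]
        return pkt[:16] + socket.inet_aton(inside) + pkt[20:28] + fixed_inner


def traceroute_hop(inspect_icmp_error, probe="udp"):
    """One traceroute hop end to end. Returns (router, inside host, embedded
    source) as the inside host sees them, or None when the error is lost."""
    inside, outside, router = "192.0.2.10", "198.51.100.1", "203.0.113.7"  # constructed
    target = "64.233.189.104"                                               # from the trace above
    fw = Firewall(inside, outside, inspect_icmp_error)
    if probe == "udp":
        p = udp_probe(inside, target, 33434, 33435, ttl=3)
    else:
        p = icmp_echo_probe(inside, target, 0x1234, 1, ttl=3)
    on_wire = fw.outbound(p)
    err = icmp_time_exceeded(router, socket.inet_ntoa(on_wire[12:16]), on_wire)
    delivered = fw.inbound(err)
    if delivered is None:
        return None
    return (socket.inet_ntoa(delivered[12:16]), socket.inet_ntoa(delivered[16:20]),
            socket.inet_ntoa(delivered[40:44]))


if __name__ == "__main__":
    print("inspect icmp error on :", traceroute_hop(True))
    print("inspect icmp error off:", traceroute_hop(False))
```

The point the model makes: an ACL permitting time-exceeded on the outside interface only lets the outer packet through; without inspection of the error's payload the firewall has nothing to tie it to, and the host sees the "* * *" rows in the trace above. The same matching also lets the firewall refuse errors that reference flows it never forwarded, which is the stateful check a defender wants in place anyway.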

Cool! Your tip worked! Thanks a lot!

Good reply! Brief, concise, not wordy or argumentative.
