PIX & icmp unreachables

jjoensen (Level 1)

I have a customer with suspected Path MTU Discovery problems over a PIX VPN tunnel. I have no access to the PIXes, but does a PIX by default generate and send ICMP type 3 code 4 messages (Fragmentation Needed and Don't Fragment was Set)?

If yes, will an ACL denying ICMP filter it?

If no, how do you turn it on: globally or per interface?

Thank you

3 Replies

mostiguy (Level 6)

ACLs don't apply to the PIX itself, only to the traffic that flows through it. Use the icmp command to permit ICMP traffic to the PIX interfaces:

icmp permit 0.0.0.0 0.0.0.0 unreachable outside

will allow unreachables to reach the outside PIX interface, for example.

OK, but what about the PIX itself: will it by default issue an ICMP unreachable message to a host trying to do path MTU discovery over the VPN tunnel?

Thanks

Yes, if the PIX is the tunnel endpoint it should participate in PMTUD and log 602102. Look at 602101 also:

http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_63/63syslog/pixemsgs.htm#wp1056796

Another interesting question: what will happen if we have a network with a lower MTU behind the PIX inside interface? As far as I know the only ICMP messages that are PAT'ed by the PIX are echo and echo-reply :) But I might be wrong.

Oleg Tipisov, REDCENTER, Moscow
