Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
794
Views
0
Helpful
3
Replies

traceroute through PIX 525

ciscokrishna
Level 1
Level 1

‎03-20-2008 01:00 AM - edited ‎03-11-2019 05:20 AM

Greetings,

Am running a Cisco PIX 525 with OS v7.2. I am trying to enable traceroute through PIX. I already have the below config on my firewall for allowing ICMP replies from untrusted i/f.

access-list xxxx extended permit icmp any any echo-reply

access-list xxxx extended permit icmp any any unreachable

access-list xxxx extended permit icmp any any time-exceeded

I want to allow these replies from anyone on the untrusted i/f, meaning I don't want to control my users to traceroute only some destinations. At the same time, I am worried that anyone can send a crafted echo-reply flood packet(s) to my network.

Is there any other secured way of allowing ICMP replies into my network? (No suggestions of H/W upgrade please. Planning to replace this PIX with a netscreen if this is the only way PIX can work.)

Suggestions are appreciated.

Thanks,

Krishna, CISSP, CCSP

Labels:
0 Helpful
3 Replies 3

abinjola
Cisco Employee
Cisco Employee

‎03-20-2008 07:11 AM

enable inspect icmp and incpect icmp error in global policy

0 Helpful

ciscokrishna
Level 1
Level 1
In response to abinjola

‎03-27-2008 02:09 AM

i already have inspect icmp on my PIX.

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card