10-20-2010 03:18 PM - edited 03-11-2019 11:57 AM
Hello,
I am trying to allow FWSMs and PIXs to appear in traceroutes. It works on an ASA pair that I manage, but I have no luck with the FWSMs and the PIXs.
The only command that the ASAs have that the other firewalls don't is "set connection decrement-ttl".
All of the interface's ACLs have "icmp any any echo-reply", "icmp any any time-exceeded", and "icmp any any unreachable".
Also "icmp permit any interface name" is configured for all interfaces.
The only difference is there is no option for "set connection decrement-ttl" on the FWSM/PIXs in their global policy-maps.
FWSM Firewall Version 4.0(12) and Cisco PIX Security Appliance Software Version 7.0(7)
I have been using http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a0080094e8a.shtml#trace as a guide.
Thanks,
Any help would be much appreciated.
10-20-2010 03:24 PM
Hi Stuart,
Can you paste the config and tell me what is the model of the Pix firewall?
Cheers
Mike
10-21-2010 07:57 AM
I can't post the config, but I have all the relevant parts of the config in the previous post.
The PIXs are 535s and the FWSMs are WS-SVC-FWM-1s.
10-21-2010 10:53 AM
The firewall will not respond in traceroutes unless you have the decrement-ttl option.
The ASA can do that, but you can't fix it with the PIX/FWSM because they will not decrement the ttl and thus will "hide" from the traceroute.
I hope it is clear.
PK
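For reference, here is the ASA-side configuration the thread is comparing against, as an added example (not posted by anyone in the thread); the ACL and interface names are assumptions, and per the answer above the decrement-ttl step has no equivalent on FWSM 4.0(12) or PIX 7.0(7):

```text
! Added example, not from the thread. ACL name and interface names are assumed.
!
! 1. Allow the ICMP messages traceroute depends on through the interface ACL.
access-list OUTSIDE_IN extended permit icmp any any echo-reply
access-list OUTSIDE_IN extended permit icmp any any time-exceeded
access-list OUTSIDE_IN extended permit icmp any any unreachable
access-group OUTSIDE_IN in interface outside
!
! 2. Allow ICMP destined to the firewall's own interface addresses.
icmp permit any outside
icmp permit any inside
!
! 3. Decrement TTL on transit packets so the firewall itself sends
!    time-exceeded when the TTL expires and therefore shows as a hop.
!    Without this, the firewall passes the packet with TTL unchanged
!    and stays hidden from traceroute, as described above.
policy-map global_policy
 class class-default
  set connection decrement-ttl
!
service-policy global_policy global
```

Whether the firewall should be visible as a hop is a design choice: leaving TTL undecremented keeps the device out of traceroute output, while decrementing it simplifies path troubleshooting.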