configuring FWSM to reply from a tracert

t.alfano
Level 1

How do I get the FWSM or PIX to reply with its TTL? Ex. a Linux server traces to any other network; the default route on the server is the FWSM interface. That IP does not reply. I am having the same issue on my PIX devices. Can I turn this feature that hides the PIX off? Thank you in advance,

4 Replies

Patrick Iseli
Level 7

Ping is not a stateful protocol. To allow pings from the inside to the outside interface you need to create an access-list. If you want to ping the same interface that you are physically connected to, you need to configure the "icmp" command.

example:

See: Handling ICMP Pings with the PIX Firewall

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a0080094e8a.shtml

The PIX and the traceroute Command

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a00800e9312.shtml

examples:

Traceroute

Microsoft:

access-list 101 permit icmp any host YourPublicIP unreachable

access-list 101 permit icmp any host YourPublicIP time-exceeded

access-list 101 permit icmp any host YourPublicIP echo-reply

access-group 101 in interface outside

UNIX:

access-list 101 permit icmp any host YourPublicIP unreachable

access-list 101 permit icmp any host YourPublicIP time-exceeded

access-group 101 in interface outside

ICMP command example:

icmp deny any outside

icmp permit any echo-reply outside

icmp permit any echo-reply inside

icmp permit host 192.168.1.x1 echo inside

icmp permit host 192.168.1.x2 echo inside

icmp permit host 192.168.1.20 echo inside

icmp permit host 192.168.1.40 echo inside

icmp permit host 192.168.1.100 echo inside

sincerely

Patrick

Hey Patrick,

I really do appreciate you taking the time to respond. I was able to ping / trace through the FWSM, but I don't see it in a trace. Our Linux team is trying to configure "netdump" (a very low-level tool to get a type of "crashinfo" off Linux systems). It uses the TTL to determine the MAC of the nearest GW. It works on a router, not on a PIX or FWSM. You may have answered my question in the very first line by telling me that it isn't a stateful protocol, but is there any way to configure it to reply? Sorry for the lengthy reply; I am starting to think this is not a configurable option.

Check the command reference for the "icmp" command and find the icmp parameter that you need.

Try the following ones:

icmp permit any inside

# or

icmp permit any time-exceeded inside

http://www.cisco.com/univercd/cc/td/doc/product/lan/cat6000/mod_icn/fwsm/fwsm_2_3/fwsm_ref/gl.htm#wp1026574

sincerely

Patrick

Hey Patrick,

Thank you once again. I do have ICMP any any on all of the interfaces. None of my firewalls are actually showing the interface as a hop in the trace.

Thank you again for the effort. I would have suggested the same thing. Does this work on your PIX or FWSM(s)?

I am running 6.3(4) and (5) on the PIX and FWSM Firewall Version 2.3(3).

Thanks again Patrick for your time, I suspect this is a "security feature" that can't be configured.
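Editor's note, added to this thread and not part of any of the posts above: the two effects discussed here are separate. The outside access-list (or "icmp" command) decides which ICMP replies get back in to the tracing host; whether the firewall itself appears as a hop depends on whether it decrements the TTL of transit packets. PIX 6.x and FWSM 2.x forward without decrementing TTL, so they never originate time-exceeded and a TTL=1 probe is answered by the router behind them instead. Later ASA software added a knob for this (the `set connection decrement-ttl` action under a policy-map class); the releases named in this thread have none. The Python model below is an added example, not Cisco code or code from the posters; device names and addresses are made up (documentation ranges), and the `inbound_icmp` set stands in for what the outside access-list permits.

```python
# Added example, not from the forum thread: a small model of how a device's
# TTL handling decides whether it appears as a traceroute hop, and which ICMP
# types the outside access-list must let back in. Device names and addresses
# are made up (documentation ranges).
from dataclasses import dataclass
from typing import List, Optional, Set


@dataclass
class Device:
    name: str
    ip: str
    # Routers decrement TTL on forwarding and send ICMP time-exceeded when it
    # reaches zero. PIX 6.x and FWSM 2.x forward transit traffic with the TTL
    # untouched, so they never originate time-exceeded and never show up.
    decrements_ttl: bool = True
    # ICMP types this device lets back in toward the source. None means
    # everything (a plain router); for a firewall this is what the inbound
    # access-list on the outside interface permits.
    inbound_icmp: Optional[Set[str]] = None

    def passes_back(self, icmp_type: str) -> bool:
        return self.inbound_icmp is None or icmp_type in self.inbound_icmp


def probe(path: List[Device], ttl: int, mode: str = "udp") -> Optional[str]:
    """Send one probe with the given TTL along `path`; the last entry is the
    destination host. Returns the IP of the device that answers, or None if
    the answer is dropped on its way back to the source.

    mode="udp" models UNIX traceroute (destination replies port-unreachable),
    mode="icmp" models Windows tracert (destination replies echo-reply).
    """
    final_type = "unreachable" if mode == "udp" else "echo-reply"
    *transit, dest = path
    replier, icmp_type, replier_index = dest, final_type, len(transit)
    for idx, dev in enumerate(transit):
        if not dev.decrements_ttl:
            continue  # forwarded transparently, TTL unchanged
        ttl -= 1
        if ttl == 0:
            replier, icmp_type, replier_index = dev, "time-exceeded", idx
            break
    # The reply must pass every device between the source and the replier.
    for dev in path[:replier_index]:
        if not dev.passes_back(icmp_type):
            return None
    return replier.ip


def traceroute(path: List[Device], mode: str = "udp", max_ttl: int = 6) -> List[str]:
    """Hop list as traceroute prints it: one IP per TTL, '*' when nothing came back."""
    hops: List[str] = []
    for ttl in range(1, max_ttl + 1):
        answer = probe(path, ttl, mode)
        hops.append(answer or "*")
        if answer == path[-1].ip:
            break
    return hops


def nearest_gateway(path: List[Device], mode: str = "udp") -> Optional[str]:
    """The TTL=1 trick a tool like netdump uses to find the first-hop gateway."""
    return probe(path, 1, mode)


ISP_ROUTER = Device("isp-router", "192.0.2.1")
TARGET = Device("target", "198.51.100.10")

# Scenario 1: default gateway is a router.
ROUTER_PATH = [Device("router-gw", "10.0.0.1"), ISP_ROUTER, TARGET]

# Scenario 2: default gateway is a PIX/FWSM whose outside access-list permits
# only the types in the UNIX example above (unreachable, time-exceeded).
PIX_UNIX_ACL = Device("pix", "10.0.0.1", decrements_ttl=False,
                      inbound_icmp={"unreachable", "time-exceeded"})
PIX_PATH = [PIX_UNIX_ACL, ISP_ROUTER, TARGET]

# Scenario 3: same PIX with echo-reply added (the Microsoft example above).
PIX_MS_ACL = Device("pix", "10.0.0.1", decrements_ttl=False,
                    inbound_icmp={"unreachable", "time-exceeded", "echo-reply"})
PIX_MS_PATH = [PIX_MS_ACL, ISP_ROUTER, TARGET]

if __name__ == "__main__":
    print("router gateway   :", traceroute(ROUTER_PATH))
    print("PIX, UNIX ACL    :", traceroute(PIX_PATH))
    print("PIX, tracert     :", traceroute(PIX_PATH, mode="icmp", max_ttl=3))
    print("PIX, MS ACL      :", traceroute(PIX_MS_PATH, mode="icmp"))
    print("gateway via TTL=1:", nearest_gateway(ROUTER_PATH), nearest_gateway(PIX_PATH))
```

Running it shows the three things the thread circles around: with a router as gateway the trace is `10.0.0.1, 192.0.2.1, 198.51.100.10`; with the PIX as gateway it is `192.0.2.1, 198.51.100.10` (the firewall is simply absent and every later hop moves up by one); and with only unreachable/time-exceeded permitted, Windows tracert still shows `*` for the destination because its echo-reply is dropped on the way back. The TTL=1 gateway probe returns the ISP router rather than the PIX, which is exactly why netdump's MAC lookup fails behind a PIX or FWSM but works behind a router.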