No traceroute since Pix upgrade to V7

Discussion in 'Cisco' started by Christoph Gartmann, Jun 21, 2005.

  1. Hello,

    Cisco PIX Security Appliance Software Version 7.0(1)3. We use NAT:
    global (outside) 1 195.37.209.97
    nat (inside) 1 10.1.0.0 255.255.0.0
    Under V6.4 host with an address 10.1.x.x were able to ping and traceroute
    to the outside world. After the upgrade to V7.0 this is no longer the case.
    Is there any special command to reenable this functionality?

    Regards,
    Christoph Gartmann

    --
    Max-Planck-Institut fuer Phone : +49-761-5108-464 Fax: -452
    Immunbiologie
    Postfach 1169 Internet: [email protected] dot mpg dot de
    D-79011 Freiburg, Germany
    http://www.immunbio.mpg.de/home/menue.html
     
    Christoph Gartmann, Jun 21, 2005
    #1
    1. Advertisements

  2. ahhh.. We are having the same problem - any solutions ?

    Best Regards
    Rasmus
     
    Rasmus Helmich, Jun 22, 2005
    #2
    1. Advertisements

  3. Christoph Gartmann

    BradReeseCom Guest

    Hi Christoph,

    Binh Hoang of Cisco Systems stated,

    "Have you tried enabling inspection for ICMP and see if that works?

    See release notes for PIX 7.0 code below as regards to ICMP inspection.


    Version 7.0(1) introduces an ICMP inspection engine. This engine
    enables secure usage of ICMP, by providing stateful tracking for ICMP
    connections, matching echo requests with replies. Additional controls
    are available for ICMP error messages, which are only permitted for
    established connections.

    Use the inspect icmp and the inspect icmp error commands to configure
    the ICMP inspection engine."

    Command reference:

    http://www.cisco.com/en/US/products...s_command_reference_book09186a0080484fe1.html

    Thanks Binh, looks like it's fixed now. I indeed had to enable "inspect
    icmp error" to get traceroute's working again.

    ----------------------------------------------

    Hope this helps.

    BradReese.Com Cisco Repair Worldwide
    1293 Hendersonville Road, Suite 17
    Asheville, North Carolina USA 28803
    Toll Free: 877-549-2680
    International: 828-277-7272
    Website: http://www.bradreese.com/cisco-big-iron-repair.htm
     
    BradReeseCom, Jun 23, 2005
    #3
    1. Advertisements

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments (here). After that, you can post your question and our members will help you out.