Pix - performing traceroute command

Discussion in 'Cisco' started by Andrew Hodgson, May 8, 2007.

  1. Hi,

    I have the following setup:

    PIX/ASA firewall on public IP address - shielding several other public
    addresses. Gateway is through another subnet, which has a router to
    the outside.

    In the former firewall, I could do the following:

    traceroute ping.aaisp.net.uk:
    1 pippin.hodgsonfamily.org (IP of firewall)
    2 merry.hodgsonfamily.org (ip of router)
    3 Router belonging to the ISP.

    I have enabled the inspect ICMP command in the software, and can ping
    to outside hosts, but traceroutes fail at the first hop (timed-out).

    Any suggestions?
    Andrew Hodgson, May 8, 2007
    1. Advertisements

  2. allow inbound ICMP (permit icmp ACL and access-group) and check your log

    Martin Bilgrav, May 8, 2007
    1. Advertisements

  3. Allow icmp unreachable, time-out, parameter-problem, source-quench, and some
    necessary types more on the outside interface. Newer versions should contain
    a icmp traceroute option. But notice, that denying icmp is a excellent way
    to kill a lot of other IP based protocols in several corner cases.
    Lutz Donnerhacke, May 8, 2007
  4. I thought this was what the inspect icmp was going to do - it does it
    for pings - allows inbound connections on an outbound request to that

    Andrew Hodgson, May 10, 2007
  5. It seems not enough. Source-Quench, time-out, Unreachable, Parameter-Problem
    should be allowed too. inspect icmp checks the content of the icmp payload
    to detect a known flow.
    Lutz Donnerhacke, May 11, 2007
  6. Source-Quench is unauthenticated, and could be used as part of
    a Denial of Service attack.
    Walter Roberson, May 11, 2007
  7. A lot of useful communication is not authenticated in the internet.
    Lutz Donnerhacke, May 11, 2007
    1. Advertisements

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments (here). After that, you can post your question and our members will help you out.