Traceroute and pix 501

Discussion in 'Cisco' started by Mr Ping, Nov 24, 2004.

  1. Mr Ping

    Mr Ping Guest

    Hi!

    My traceroute from my freebsd is not working inside to --> outside.
    I have tried to add this to my config.

    access-list inside_access_in permit icmp any any

    access-group inside_access_in in interface inside

    Any suggestion for more config?

    Regards Jan
     
    Mr Ping, Nov 24, 2004
    #1

  2. Chris

    Chris Guest

    Do you allow icmp in from the outside? It's more likely that the problem is
    not the outbound icmp but the replies from the other end getting back in.

    Chris.
     
    Chris, Nov 24, 2004
    #2

  3. Walter Roberson

    :My traceroute from my freebsd is not working inside to --> outside.
    :I have tried to add this to my config.

    :access-list inside_access_in permit icmp any any

    :access-group inside_access_in in interface inside

    :Any suggestion for more config?

    Unix traceroute usually uses udp packets with TTL set fairly low;
    the program watches to see which remote system sends back the
    icmp time-exceeded messages.

    The exact udp port range used to go out varies from implementation to
    implementation; starting somewhere near 33400 is fairly common. It can
    vary from traceroute to traceroute, and it usually sweeps a range of
    ports as it increases the TTL.

    Windows traceroute uses icmp as I recall, but unix usually defaults to udp.
     
    Walter Roberson, Nov 24, 2004
    #3
  4. Mr Ping

    Mr Ping Guest

    :Do you allow icmp in from the outside. It's more likely that the
    Thanks Chris!

    If I open access-list outside_access_in permit icmp any any
    it will work.

    I had before only
    access-list outside_access_in permit icmp any any echo-reply
    access-list outside_access_in permit icmp any any echo-reply

    But is it safe to open icmp any any ?

    //Jan
     
    Mr Ping, Nov 24, 2004
    #4
  5. John Smith

    John Smith Guest

    you need to use the 'icmp' command...
    from the text:

    icmp permit|deny src_addr src_mask [icmp-type] if_name
     
    John Smith, Nov 24, 2004
    #5
  6. John Smith

    John Smith Guest

    scratch that last message of mine. I didn't realize you were trying to ping
    THROUGH the pix, and not TO the pix.

     
    John Smith, Nov 24, 2004
    #6
  7. Walter Roberson

    :If I open access-list outside_access_in permit icmp any any
    :it will work.

    :I had before only
    :access-list outside_access_in permit icmp any any echo-reply
    :access-list outside_access_in permit icmp any any echo-reply

    ? I do not see a difference between those two lines?

    :But is it safe to open icmp any any ?

    No! You risk someone sending you an icmp network-redirect and
    thereby having your messages to (say) your bank be directed to their
    bank-mock-up site.

    What you want back when you are doing a traceroute is icmp
    time-exceeded messages. It wouldn't entirely surprise me if someone
    found an exploit using forged time-exceeded messages, but I am not
    aware of anyone having done so.
     
    Walter Roberson, Nov 24, 2004
    #7
  8. Mr Ping

    Mr Ping Guest

    :I had before only
    Sorry my old config was:
    access-list outside_access_in permit icmp any any echo
    access-list outside_access_in permit icmp any any unreachable
    So do you have any suggestion for a config?

    //Jan
     
    Mr Ping, Nov 24, 2004
    #8
  9. Mr Ping

    Mr Ping Guest

    Hi again!

    Will this be safe?

    access-list outside_access_in permit icmp any any time-exceeded
    access-list outside_access_in permit icmp any any echo-reply

    Or should I remove the any any echo-reply?

    //Jan
     
    Mr Ping, Nov 24, 2004
    #9
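Added example (not from any poster in this thread): a small Python model of the point Walter makes in #3 and #7 and the question Jan asks in #9. A UDP traceroute needs ICMP time-exceeded (type 11) back from each intermediate hop and ICMP unreachable (type 3, port unreachable) back from the destination, so each outside_access_in variant posted above is checked for which hops it would let through, and for whether it also admits ICMP redirects (type 5). The ICMP type numbers are from RFC 792; the ACL parser only understands the `permit icmp any any [type]` form used in this thread and is my simplification, not PIX behaviour.

```python
# PIX 6.x access-list keywords used in this thread, mapped to ICMP type numbers (RFC 792).
ICMP_TYPE = {"echo-reply": 0, "unreachable": 3, "redirect": 5, "echo": 8, "time-exceeded": 11}


def parse_acl(lines):
    """Return the permitted ICMP types from 'access-list NAME permit icmp any any [type]' lines.
    None in the result means 'any ICMP type' (no type keyword given). Assumed simplified syntax."""
    rules = []
    for line in lines:
        f = line.split()
        if len(f) not in (6, 7) or f[0] != "access-list" or f[2:6] != ["permit", "icmp", "any", "any"]:
            raise ValueError("unsupported line: " + line)
        rules.append(None if len(f) == 6 else ICMP_TYPE[f[6]])
    return rules


def permitted(rules, icmp_type):
    """Any matching permit wins; otherwise the implicit deny at the end of the list applies."""
    return any(r is None or r == icmp_type for r in rules)


def udp_traceroute_replies(hops):
    """ICMP replies a UDP traceroute must receive: type 11 (time-exceeded) from every
    intermediate hop, then type 3 (port unreachable) from the destination host."""
    return [11] * (hops - 1) + [3]


def traceroute_hops_seen(acl_lines, hops=4):
    """True for each hop whose reply the outside ACL lets back in; False shows as '*' in traceroute."""
    rules = parse_acl(acl_lines)
    return [permitted(rules, t) for t in udp_traceroute_replies(hops)]


def redirect_allowed(acl_lines):
    """Does the ACL also let ICMP redirects (type 5) in? That is the risk of 'permit icmp any any'."""
    return permitted(parse_acl(acl_lines), ICMP_TYPE["redirect"])


if __name__ == "__main__":
    # Constructed ACL sets, copied from the posts in this thread.
    configs = {
        "echo-reply only": ["access-list outside_access_in permit icmp any any echo-reply"],
        "time-exceeded + echo-reply": ["access-list outside_access_in permit icmp any any time-exceeded",
                                       "access-list outside_access_in permit icmp any any echo-reply"],
        "time-exceeded + unreachable": ["access-list outside_access_in permit icmp any any time-exceeded",
                                        "access-list outside_access_in permit icmp any any unreachable"],
        "icmp any any": ["access-list outside_access_in permit icmp any any"],
    }
    for name, acl in configs.items():
        print(name, traceroute_hops_seen(acl), "redirect allowed:", redirect_allowed(acl))
```

With only time-exceeded and echo-reply permitted, the intermediate hops appear but the final hop of a UDP traceroute shows as `*`, because its reply is a port-unreachable; echo-reply only matters for ICMP-based traceroutes such as the Windows one.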
