Question

Cannot Traceroute to internet via Cisco FWSM/PIX

Asked by: Pocketkings

Unable to get traceroute out via our Cisco Firewall Services Module (FWSM).

VLAN clients on the FWSM cannot trace to the internet. The FWSM is on the backend, then there is an MSFC with a connection to the internet. However, from the MSFC we can get the traceroute to work without any issues.

We have permit ICMP any any configured on the FWSM; we also have fixup configured for ICMP. On the internet interface on the MSFC there is an ACL, which we have also removed, but traceroute still does not work properly. The only thing we have noticed is that the last hop always shows up, but all prior hops are ***.

Any ideas?


Asked on 2008-09-04 at 07:29:47, ID 23702741
Topics: Cisco PIX Firewall, Internet Control Message Protocol (ICMP), Network Routers
Participating experts: 1; Points: 500; Comments: 12


Answers

by: Voltz-dk, posted on 2008-09-04 at 07:55:47, ID: 22388113

And the ICMP any any you have allowed is from outside?

You need to allow time-exceeded to come back in, and fixup (in versions I've tested) doesn't do that.

by: Pocketkings, posted on 2008-09-04 at 08:47:08, ID: 22388926

Yes. icmp permit any outside (actually configured on all interfaces). The FWSM OS is 3.1(4). Technically not using fixup; using policy-map global_policy / class inspection_default / inspect icmp * inspect icmp error. It's really weird. I can trace to addresses on the MSFC but nothing outside of our network. See trace below. Client on FWSM VLAN traceroute to the internet.

Tracing route to ns1.ns.esat.net [192.111.39.1]
over a maximum of 30 hops:

  1     *        *        *     Request timed out.
  2     *        *        *     Request timed out.
  3     *        *        *     Request timed out.
  4     1 ms     2 ms     1 ms  ns1.ns.esat.net [192.111.39.1]

Trace complete.

by: Voltz-dk, posted on 2008-09-04 at 08:59:16, ID: 22389123

inspect/fixup - Ya, it does the same as fixup though :)

whoa..

icmp does nothing for traffic through the FW, that only has to do with traffic TO the FW. You need to have this opened on the access-list bound to the outside interface.
Now assuming that it's called "fromoutside", you need an entry a la:

access-list fromoutside permit icmp any any time-exceeded

by: Pocketkings, posted on 2008-09-04 at 09:27:40, ID: 22389491

Yeah. I have something similar, but not the same.

I have the following

show access-list

access-list outside line 23 extended permit icmp any any (hitcnt=93769538) 0xd2e833c
access-list outside line 97 extended permit icmp any any time-exceeded (hitcnt=0) 0x12c85f0a

I have tried a capture and get the following

Capture for internal interface

 256: 15:14:10.1001339208 802.1Q vlan#407 P0 10.50.7.58 > 192.111.39.1: icmp: echo request
 257: 15:14:14.1001343638 802.1Q vlan#407 P0 10.50.7.58 > 192.111.39.1: icmp: echo request
 258: 15:14:19.1001348138 802.1Q vlan#407 P0 10.50.7.58 > 192.111.39.1: icmp: echo request
 259: 15:14:23.1001352638 802.1Q vlan#407 P0 10.50.7.58 > 192.111.39.1: icmp: echo request
 260: 15:14:28.1001357138 802.1Q vlan#407 P0 10.50.7.58 > 192.111.39.1: icmp: echo request
 261: 15:14:32.1001361638 802.1Q vlan#407 P0 10.50.7.58 > 192.111.39.1: icmp: echo request
 262: 15:14:37.1001366138 802.1Q vlan#407 P0 10.50.7.58 > 192.111.39.1: icmp: echo request
 263: 15:14:41.1001370638 802.1Q vlan#407 P0 10.50.7.58 > 192.111.39.1: icmp: echo request
 264: 15:14:46.1001375138 802.1Q vlan#407 P0 10.50.7.58 > 192.111.39.1: icmp: echo request
 265: 15:14:50.1001379638 802.1Q vlan#407 P0 10.50.7.58 > 192.111.39.1: icmp: echo request
 266: 15:14:50.1001379638 802.1Q vlan#407 P0 192.111.39.1 > 10.50.7.58: icmp: echo reply
 267: 15:14:50.1001379638 802.1Q vlan#407 P0 10.50.7.58 > 192.111.39.1: icmp: echo request
 268: 15:14:50.1001379638 802.1Q vlan#407 P0 192.111.39.1 > 10.50.7.58: icmp: echo reply
 269: 15:14:50.1001379648 802.1Q vlan#407 P0 10.50.7.58 > 192.111.39.1: icmp: echo request
 270: 15:14:50.1001379648 802.1Q vlan#407 P0 192.111.39.1 > 10.50.7.58: icmp: echo reply

Capture on external interface

 751: 16:21:01.1091764178 802.1Q vlan#400 P0 192.111.39.1.53 > 193.95.179.200.20387:  udp 132
 752: 16:21:01.1091764178 802.1Q vlan#400 P0 192.111.39.1.53 > 193.95.179.200.20387:  udp 132
 753: 16:21:01.1091764178 802.1Q vlan#400 P0 192.111.39.1.53 > 193.95.179.200.20387:  udp 109
 754: 16:21:01.1091764178 802.1Q vlan#400 P0 192.111.39.1.53 > 193.95.179.200.51598:  udp 131
 755: 16:21:01.1091764188 802.1Q vlan#400 P0 192.111.39.1.53 > 193.95.179.200.51598:  udp 63
 756: 16:21:01.1091764188 802.1Q vlan#400 P0 192.111.39.1.53 > 193.95.179.200.51598:  udp 99
 757: 16:21:01.1091764188 802.1Q vlan#400 P0 192.111.39.1.53 > 193.95.179.200.51598:  udp 99
 758: 16:21:01.1091764188 802.1Q vlan#400 P0 192.111.39.1.53 > 193.95.179.200.51598:  udp 100
 759: 16:21:01.1091764188 802.1Q vlan#400 P0 192.111.39.1.53 > 193.95.179.200.51598:  udp 129
 760: 16:21:01.1091764198 802.1Q vlan#400 P0 192.111.39.1.53 > 193.95.179.200.20387:  udp 499
 761: 16:21:01.1091764198 802.1Q vlan#400 P0 192.111.39.1.53 > 193.95.179.200.20387:  udp 98
 762: 16:21:01.1091764198 802.1Q vlan#400 P0 192.111.39.1.53 > 193.95.179.200.28580: S 719115094:719115094(0) ack 2164322055 win 57344 <mss 1460>
 763: 16:21:01.1091764208 802.1Q vlan#400 P0 192.111.39.1.53 > 193.95.179.200.28580: P 719116475:719117012(537) ack 2164322103 win 57960
 764: 16:21:01.1091764208 802.1Q vlan#400 P0 192.111.39.1.53 > 193.95.179.200.28580: . 719115095:719116475(1380) ack 2164322103 win 57960
 765: 16:21:02.1091764268 802.1Q vlan#400 P0 192.111.39.1 > 193.95.179.200: icmp: echo reply
 766: 16:21:02.1091764268 802.1Q vlan#400 P0 192.111.39.1 > 193.95.179.200: icmp: echo reply
 767: 16:21:02.1091764268 802.1Q vlan#400 P0 192.111.39.1.53 > 193.95.179.200.51598:  udp 314
 768: 16:21:02.1091764278 802.1Q vlan#400 P0 192.111.39.1 > 193.95.179.200: icmp: echo reply
 769: 16:21:02.1091764278 802.1Q vlan#400 P0 192.111.39.1.53 > 193.95.179.200.51598:  udp 344
 770: 16:21:02.1091764488 802.1Q vlan#400 P0 192.111.39.1.53 > 193.95.179.200.51598:  udp 139
 771: 16:21:02.1091764608 802.1Q vlan#400 P0 192.111.39.1.53 > 193.95.179.200.20387:  udp 266
 772: 16:21:02.1091764778 802.1Q vlan#400 P0 192.111.39.1.53 > 193.95.179.200.51598:  udp 459

the only thing I noticed was the MSS (1460), our MSFC was set to 1380.  I tested with changing to 1460 with no effect.    

Stumped on this one...

by: Voltz-dk, posted on 2008-09-04 at 09:33:25, ID: 22389553

Ok, if you have already allowed ALL icmp, the time-exceeded specific one will never get hit - but things should already work then.

What parameters did you base capture on?  Destination?  Cuz we need to see the traffic from all the hops in between..  And there seems to be none in the capture.

Also, is there anything interesting in your syslogs?

by: Pocketkings, posted on 2008-09-04 at 10:02:59, ID: 22389861

Nothing at all in the syslogs.  only set to log denied packets.    

Capture ACL

access-list CAPACL1 extended permit ip any host 192.111.39.1
access-list CAPACL1 extended permit ip host 192.111.39.1 any

Cannot be any more specific. 600+ busy nodes on the network make it almost impossible to read captures.
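Two points from the exchange above are easy to check mechanically: a capture filter keyed on the traceroute target (the CAPACL1 entries) can never record the ICMP time-exceeded replies, because those come from intermediate hops and are addressed to the client, not to or from the target; and an ACL that already has a broad permit icmp any any ahead of the time-exceeded entry will never hit the specific line, as the hitcnt=0 in the show access-list output reflects. The following Python script is an added example, not code from the thread or from Cisco: it parses capture lines in the format pasted above and models first-match evaluation of the simple extended ACE forms used in the thread. The sample capture lines, the intermediate-hop address 198.51.100.1 (an RFC 5737 documentation address standing in for the masked 193.120.xx.xx) and the CAPTE filter name are constructed for this example; treating keyword-less capture lines as TCP is an assumption about the output format.

```python
"""Added example (not from the thread): parse FWSM/ASA capture output lines
and model first-match ACL evaluation to see what a capture filter keeps."""
import re

# Constructed sample in the page's capture format. Inside VLAN 407 carries the
# client's real address; outside VLAN 400 carries its NATed address. The hop
# address 198.51.100.1 (RFC 5737 documentation range) is a constructed stand-in
# for the masked 193.120.xx.xx on the page.
SAMPLE_CAPTURE = """\
 256: 15:14:10.1001339208 802.1Q vlan#407 P0 10.50.7.58 > 192.111.39.1: icmp: echo request
 257: 15:14:14.1001343638 802.1Q vlan#407 P0 10.50.7.58 > 192.111.39.1: icmp: echo request
 258: 15:14:14.1001343700 802.1Q vlan#400 P0 198.51.100.1 > 193.95.179.200: icmp: time exceeded in-transit
 266: 15:14:50.1001379638 802.1Q vlan#407 P0 192.111.39.1 > 10.50.7.58: icmp: echo reply
 300: 15:15:01.1001379638 802.1Q vlan#400 P0 192.111.39.1.53 > 193.95.179.200.20387:  udp 132
"""

LINE_RE = re.compile(
    r"^\s*(?P<num>\d+):\s+\S+\s+802\.1Q vlan#(?P<vlan>\d+)\s+P\d+\s+"
    r"(?P<src>\d+\.\d+\.\d+\.\d+)(?:\.\d+)?\s+>\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)(?:\.\d+)?:\s+(?P<rest>.*)$"
)

def parse_capture(text):
    """One dict per packet line; lines that do not look like packets are skipped."""
    packets = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        rest = m.group("rest").strip()
        if rest.startswith("icmp:"):
            proto, info = "icmp", rest[len("icmp:"):].strip()
        elif rest.startswith("udp"):
            proto, info = "udp", rest
        else:
            proto, info = "tcp", rest  # assumption: TCP lines print flags, no keyword
        packets.append({"num": int(m.group("num")), "vlan": int(m.group("vlan")),
                        "src": m.group("src"), "dst": m.group("dst"),
                        "proto": proto, "info": info})
    return packets

# Subset of ASA/FWSM extended ACE syntax that the thread uses.
ACE_RE = re.compile(
    r"^access-list\s+\S+\s+extended\s+permit\s+(?P<proto>ip|icmp|tcp|udp)\s+"
    r"(?P<src>any|host \S+)\s+(?P<dst>any|host \S+)(?:\s+(?P<icmp_type>[\w-]+))?$"
)
# How the capture output names the ICMP types that appear in the thread's ACEs.
ICMP_TYPE_PREFIX = {"echo": "echo request", "echo-reply": "echo reply",
                    "time-exceeded": "time exceeded"}

def parse_acl(text):
    """Parse ACE lines in config form (not the show access-list hitcnt form)."""
    return [m.groupdict() for m in (ACE_RE.match(l.strip()) for l in text.splitlines()) if m]

def _addr_match(spec, addr):
    return spec == "any" or spec.split()[1] == addr

def ace_matches(ace, pkt):
    if ace["proto"] != "ip" and ace["proto"] != pkt["proto"]:
        return False
    if not (_addr_match(ace["src"], pkt["src"]) and _addr_match(ace["dst"], pkt["dst"])):
        return False
    if ace["icmp_type"]:
        prefix = ICMP_TYPE_PREFIX.get(ace["icmp_type"])
        if prefix is None:
            raise ValueError(f"unsupported ICMP type keyword: {ace['icmp_type']}")
        return pkt["info"].startswith(prefix)
    return True

def hit_counts(aces, packets):
    """First matching ACE wins, as on the firewall; returns hits per ACE in order."""
    hits = [0] * len(aces)
    for p in packets:
        for i, a in enumerate(aces):
            if ace_matches(a, p):
                hits[i] += 1
                break
    return hits

def filtered(packets, aces):
    """Packets a capture bound to these (permit-only) ACEs would record."""
    return [p for p in packets if any(ace_matches(a, p) for a in aces)]

def traceroute_report(packets, target):
    """What the recorded packets reveal about a traceroute toward `target`."""
    icmp = [p for p in packets if p["proto"] == "icmp"]
    return {
        "probes_out": sum(1 for p in icmp if p["dst"] == target and p["info"] == "echo request"),
        "final_replies": sum(1 for p in icmp if p["src"] == target and p["info"] == "echo reply"),
        "hops_seen": sorted({p["src"] for p in icmp if p["info"].startswith("time exceeded")}),
    }

def compare_filters(capture_text, target):
    """Same capture seen through the thread's host-keyed filter and a time-exceeded filter."""
    packets = parse_capture(capture_text)
    host_acl = parse_acl(f"access-list CAPACL1 extended permit ip any host {target}\n"
                         f"access-list CAPACL1 extended permit ip host {target} any")
    te_acl = parse_acl("access-list CAPTE extended permit icmp any any time-exceeded")
    return {"unfiltered": traceroute_report(packets, target),
            "destination_host_filter": traceroute_report(filtered(packets, host_acl), target),
            "time_exceeded_filter": traceroute_report(filtered(packets, te_acl), target)}

if __name__ == "__main__":
    outside_acl = parse_acl("access-list outside extended permit icmp any any\n"
                            "access-list outside extended permit icmp any any time-exceeded")
    print("outside ACL hits:", hit_counts(outside_acl, parse_capture(SAMPLE_CAPTURE)))
    for name, report in compare_filters(SAMPLE_CAPTURE, "192.111.39.1").items():
        print(f"{name}: {report}")
```

Run as-is it shows the host-keyed filter recording the probes and the final reply but no hops, while the time-exceeded filter records only the hop replies; the outside ACL model reports every ICMP packet against the broad entry and zero against the specific one.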

by: Voltz-dk, posted on 2008-09-04 at 11:57:46, ID: 22391312

You got a lot of icmp traffic in that? Otherwise just capture that.

If you have too much, then maybe try to just capture specifically time-exceeded on the outside

by: Pocketkings, posted on 2008-09-05 at 02:13:07, ID: 22396520

Don't understand this. I have an ACL on the outside interface that permits ICMP time-exceeded:

access-list outside extended permit icmp any any time-exceeded

This is the error logged in the capture.   193.120.xx.xx would be the first hop outside of our network

193.120.xx.xx > 193.95.179.200: icmp: time exceeded in-transit

what gives ?

by: Pocketkings, posted on 2008-09-05 at 03:29:23, ID: 22396926

Figured this out.  Cleared Xlates and Traceroute was working like magic.  I believe the above responses would be the correct answers to a normal ICMP configuration problem on the FWSM.    

Voltz-dk.  If you can advise on how to address the xlate problem without changing timeout, you can have the points.    ( I believe the timeout is not the problem, but more likely some kind of corruption when the xlates are building)

by: Voltz-dk, posted on 2008-09-05 at 05:02:48, ID: 22397702

I'm not sure I understand the problem now.  Do you have to repeatedly clear xlates to get it working?

by: Pocketkings, posted on 2008-09-05 at 05:33:04, ID: 22398004

Believe this is probably something we may have to do once a week. Have checked, the max amount of xlates ever used was 24764 (I thought the FWSM max is supposed to be 256k).

Not sure I understand either. Doesn't look like we have ever reached the max number of supported xlates for our device. Our timeout for the xlates is 24:00 hrs. I know this is quite high, but we have it set this way for a reason. So looking beyond this, is it possible there could be some sort of corruption/misconfiguration that could create a bad xlate?

by: Voltz-dk, posted on 2008-09-05 at 05:52:52, ID: 22398212

Ya it's possible, but not very common.  And it depends on the requirements and config.

I've only seen 1 live example, which was something like..

static (inside,dmz) 10.1.1.0 10.1.1.0 netmask 255.255.255.0
static (inside,dmz) 192.168.1.100 10.1.1.100 netmask 255.255.255.255

Normally it would work as desired, 10.1.1.100 would be NATed when going to the DMZ.  But if traffic from the DMZ accessed 10.1.1.100 instead of 192.168.1.100 a bad xlate would appear.  And now traffic from 10.1.1.100 towards the DMZ would no longer be NATed as desired for as long as the above xlate would live.
