Solved

Cisco PIX firewall  --  how can I get traceroute to function?

Posted on 2008-10-20
4
1,557 Views
Last Modified: 2012-05-05
I have  PIX with three interfaces.  The outside interface is connected to a cable modem, the dmz interface is connected to network 192.168.1.0 and the inside interface is connected to network 192.168.128.0.  My security policy is simple, unrestricted outbound access from both dmz and inside.  No access from outside to inside. Limited access from outside to dmz (only dns and http).  It's all working pretty good except I am unable to successfully initiate traceroute from a host on either the inside or dmz networks to a host on the Internet.  It seems I need to permit something inbound that I am not currently permitting.  Do I need to modify an ACL in some fashion?
0
Comment
Question by:w6hr
  • 3
4 Comments
 
LVL 10

Expert Comment

by:kyleb84
ID: 22764620
ICMP needs to be enabled inbound.
0
 
LVL 10

Expert Comment

by:kyleb84
ID: 22764640
Specifically ICMP Type 8 (echo-request) and 11 (time-exceeded)

Cisco guide on enabling pings:
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a0080094e8a.shtml

0
 

Author Comment

by:w6hr
ID: 22764689
Great, that works!!  Thanks
0
 
LVL 10

Accepted Solution

by:
kyleb84 earned 500 total points
ID: 22764717
w6hr,

Please close this question properly by choosing Yes to the "Is this what you were looking for?" and grading my answer.

Cheers.
KB.
0

Featured Post

PRTG Network Monitor: Intuitive Network Monitoring

Network Monitoring is essential to ensure that computer systems and network devices are running. Use PRTG to monitor LANs, servers, websites, applications and devices, bandwidth, virtual environments, remote systems, IoT, and many more. PRTG is easy to set up & use.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

I recently updated from an old PIX platform to the new ASA platform.  While upgrading, I was tremendously confused about how the VPN and AnyConnect licensing works.  It turns out that the ASA has 3 different VPN licensing schemes. "site-to-site" …
Concerto Cloud Services, a provider of fully managed private, public and hybrid cloud solutions, announced today it was named to the 20 Coolest Cloud Infrastructure Vendors Of The 2017 Cloud  (http://www.concertocloud.com/about/in-the-news/2017/02/0…
Both in life and business – not all partnerships are created equal. As the demand for cloud services increases, so do the number of self-proclaimed cloud partners. Asking the right questions up front in the partnership, will enable both parties …
Both in life and business – not all partnerships are created equal. Spend 30 short minutes with us to learn:   • Key questions to ask when considering a partnership to accelerate your business into the cloud • Pitfalls and mistakes other partners…

830 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question