<div>
ICMP needs to be enabled inbound.
</div>


<div>
Specifically ICMP Type 8 (echo-request) and 11 (time-exceeded)<br />
<br />
Cisco guide on enabling pings:<br />
<a href="http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a0080094e8a.shtml" rel="ugc">http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a0080094e8a.shtml</a><br />
<br />

</div>


Specifically ICMP Type 8 (echo-request) and 11 (time-exceeded)

Cisco guide on enabling pings:
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a0080094e8a.shtml [http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a0080094e8a.shtml]



<div>
Great, that works!! &nbsp;Thanks
</div>


<div>
<div class="content wysiwyg-content">
I have &nbsp;PIX with three interfaces. &nbsp;The outside interface is connected to a cable modem, the dmz interface is connected to network 192.168.1.0 and the inside interface is connected to network 192.168.128.0. &nbsp;My security policy is simple, unrestricted outbound access from both dmz and inside. &nbsp;No access from outside to inside. Limited access from outside to dmz (only dns and http). &nbsp;It's all working pretty good except I am unable to successfully initiate traceroute from a host on either the inside or dmz networks to a host on the Internet. &nbsp;It seems I need to permit something inbound that I am not currently permitting. &nbsp;Do I need to modify an ACL in some fashion?
</div>
</div>


I have  PIX with three interfaces.  The outside interface is connected to a cable modem, the dmz interface is connected to network 192.168.1.0 and the inside interface is connected to network 192.168.128.0.  My security policy is simple, unrestricted outbound access from both dmz and inside.  No access from outside to inside. Limited access from outside to dmz (only dns and http).  It's all working pretty good except I am unable to successfully initiate traceroute from a host on either the inside or dmz networks to a host on the Internet.  It seems I need to permit something inbound that I am not currently permitting.  Do I need to modify an ACL in some fashion?

Cisco PIX firewall  --  how can I get traceroute to function?

Cisco PIX is a dedicated hardware firewall appliance; the Cisco Adaptive Security Appliance (ASA) is a firewall and anti-malware security appliance that provides unified threat management and protection the PIX does not. Other Cisco devices and systems include routers, switches, storage networking, wireless and the software and hardware for PIX Firewall Manager (PFM), PIX Device Manager (PDM) and Adaptive Security Device Manager (ASDM).