PIX 506 trace route not working normal

Answered Question

Hello,


Running a PIX 506 with 6.3.5 IOS


Current setup:


DSLmodem->PIX(via PPPoE)->Internal_Network


I thought I remembered being able to perform a trace route from my internal clients to external IPs, but it is failing right now, except for the actual destination. Here is what I mean by that:


C:\Windows\System32>tracert www.covad.net


Tracing route to www.covad.net [66.134.75.18]

over a maximum of 30 hops:


1 * * * Request timed out.

2 * * * Request timed out.

3 * * * Request timed out.

4 * * * Request timed out.

5 * * * Request timed out.

6 * * * Request timed out.

7 * * * Request timed out.

8 29 ms 28 ms 27 ms www.covad.com [66.134.75.18]


Trace complete.



This almost makes me believe it's an ISP issue since I can ping any external IP fine. And since the final destination does give me data on the tracert, it seems like the PIX is functioning fine. However, I am just unsure.


Is there a command I can use to do a trace route from the PIX's external interface? That way I can rule it out as the culprit. Or is there a setting on the PIX to specifically allow trace routes to work separately from pings (pings work fine)? I don't believe there is, but maybe I am wrong.


I do not have any ACLs applied against my internal interface. I do have the:


access-list outside_acl permit icmp any any echo-reply


command enabled on the outside interface.


What am I missing? This issue is happening on all of my internal machines (a mix of XP, Vista, Server 2003...).


Thanks a lot


I really appreciate it.




Damian,


Indeed some ISPs do hide their routes for security reasons. Try adding the following ACLs to the outside interface of your PIX and see if you are still observing the same response.


access-list outside_acl permit icmp any any echo-reply

access-list outside_acl permit icmp any any time-exceeded

access-list outside_acl permit icmp any any unreachable

access-group outside_acl in interface outside


Save with 'write mem' and also issue 'clear xlate'.


Hope this helps and please rate posts!


- Jay
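
The following is an added example, not code from the thread or from Cisco: a small Python model of the outside-interface ACL that parses the access-list lines above and checks which replies of an 8-hop Windows tracert get back to the client. It assumes no stateful ICMP inspection on the PIX (so every returning ICMP message must be permitted inbound) and ignores addresses, since every entry in the thread uses "any any".

```python
# Added example (not from the thread): models how the PIX outside-interface
# ACL treats the ICMP replies a Windows tracert relies on. Assumes no stateful
# ICMP inspection, so every returning ICMP message must be permitted inbound.
import re

# Subset of the ICMP type keywords accepted in PIX access-list syntax
ICMP_TYPES = {"echo-reply": 0, "unreachable": 3, "echo": 8, "time-exceeded": 11}
ACL_RE = re.compile(
    r"access-list\s+(\S+)\s+(permit|deny)\s+icmp\s+(\S+)\s+(\S+)(?:\s+(\S+))?$")

def parse_acl(config: str):
    """Parse 'access-list <name> permit|deny icmp <src> <dst> [type]' lines."""
    rules = []
    for line in config.strip().splitlines():
        m = ACL_RE.match(line.strip())
        if not m:
            continue  # access-group and other lines are not ACL entries
        name, action, src, dst, icmp_type = m.groups()
        # no type keyword means the entry matches every ICMP type
        rules.append((name, action, src, dst,
                      ICMP_TYPES[icmp_type] if icmp_type else None))
    return rules

def inbound_permitted(rules, icmp_type: int) -> bool:
    """First match wins; anything unmatched hits the implicit deny.
    Addresses are 'any any' throughout the thread, so only the type is checked."""
    for _name, action, _src, _dst, rule_type in rules:
        if rule_type is None or rule_type == icmp_type:
            return action == "permit"
    return False

def simulate_tracert(config: str, hops: int):
    """Per hop, whether the reply gets back through the outside ACL.
    tracert sends ICMP echo with TTL 1..n: intermediate routers answer with
    time-exceeded (type 11); only the destination answers echo-reply (type 0)."""
    replies = [ICMP_TYPES["time-exceeded"]] * (hops - 1) + [ICMP_TYPES["echo-reply"]]
    rules = parse_acl(config)
    return [inbound_permitted(rules, t) for t in replies]

# The ACL from the question, then the answer's corrected version
ORIGINAL = "access-list outside_acl permit icmp any any echo-reply"
FIXED = ORIGINAL + """
access-list outside_acl permit icmp any any time-exceeded
access-list outside_acl permit icmp any any unreachable
access-group outside_acl in interface outside"""

if __name__ == "__main__":  # hops 1-7 time out with ORIGINAL, all pass with FIXED
    for label, cfg in (("original", ORIGINAL), ("fixed", FIXED)):
        print(label, ["ok" if r else "* * *" for r in simulate_tracert(cfg, 8)])
```

With ORIGINAL the model reproduces the trace in the question (seven timed-out hops, then the destination); with FIXED every hop's reply is permitted, which is what the added time-exceeded entry buys, while the unreachable entry covers UDP-based traceroute tools and path-MTU messages.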

