Linux doesn't ping or traceroute my PIX 506e

Unanswered Question
Oct 22nd, 2007

Hello,

I have a problem with a PIX 506e. It is configured to allow ping and traceroute to the firewall's external address (a static address from an ISP). It works fine from a Windows computer, but a computer running Linux does not traceroute to my PIX: it gets one step in front of my IP address but doesn't finish on my static IP; it displays *** for 20 hops and finishes without reaching my IP. Ping works just fine. I allowed traceroute, echo, time exceeded and unreachable on ICMP.

I even tried allowing any ICMP packets from outside to inside and placing access rules for it, and still no change. Is there something that Linux needs to do for traceroute that is different from Windows computers?


The difference is that Unix/Linux `traceroute` uses UDP (User Datagram Protocol) packets to a random high port number, while Microsoft Windows uses ICMP (Internet Control Message Protocol) packets. You need to allow UDP packets in the destination port range of 33434 to 33600 to the PIX's outside address from your inside hosts.

soulmaris_79 Mon, 10/22/2007 - 07:06

Hello

I need to allow that I can be tracerouted from any point on the internet to my firewall's external (static) address.

soulmaris_79 Tue, 10/23/2007 - 04:21
soulmaris_79 Wed, 10/24/2007 - 06:17

Here is the result of the commands show access-list & show access-group. Can you figure it out? Is anything missing?

thanks

Result of firewall command: "show access-list"

```
access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 1024)
alert-interval 300
access-list inside_outbound_nat0_acl; 1 elements
access-list inside_outbound_nat0_acl line 1 permit ip any x.x.x.x x.x.x.x (hitcnt=0)
access-list outside_access_in; 10 elements
access-list outside_access_in line 1 permit udp host x.x.x.x host x.x.x.x range 33400 33600 (hitcnt=0)
access-list outside_access_in line 2 permit icmp host x.x.x.x host x.x.x.x echo-reply (hitcnt=0)
access-list outside_access_in line 3 permit udp host x.x.x.x object-group TCP-UDP host x.x.x.x object-group TCP-UDP
access-list outside_access_in line 3 permit udp host x.x.x.x eq echo host x.x.x.x eq echo (hitcnt=0)
access-list outside_access_in line 3 permit udp host x.x.x.x eq echo host x.x.x.x range 33400 33600 (hitcnt=0)
access-list outside_access_in line 3 permit udp host x.x.x.x range 33400 33600 host x.x.x.x eq echo (hitcnt=0)
access-list outside_access_in line 3 permit udp host x.x.x.x range 33400 33600 host x.x.x.x range 33400 33600 (hitcnt=0)
access-list outside_access_in line 4 permit udp host x.x.x.x host x.x.x.x (hitcnt=0)
access-list outside_access_in line 5 permit udp host x.x.x.x eq echo host x.x.x.x eq echo (hitcnt=0)
access-list outside_access_in line 6 permit tcp host x.x.x.x eq echo host x.x.x.x eq echo (hitcnt=0)
access-list outside_access_in line 7 permit icmp host x.x.x.x host x.x.x.x traceroute (hitcnt=0)
access-list inside_access_in; 7 elements
access-list inside_access_in line 1 permit icmp any any (hitcnt=136)
access-list inside_access_in line 2 permit icmp any any traceroute (hitcnt=0)
access-list inside_access_in line 3 permit tcp any any (hitcnt=89840)
access-list inside_access_in line 4 permit udp interface inside host x.x.x.x (hitcnt=0)
access-list inside_access_in line 5 permit tcp interface inside eq echo host x.x.x.x eq echo (hitcnt=0)
access-list inside_access_in line 6 permit udp interface inside eq echo host x.x.x.x eq echo (hitcnt=0)
access-list inside_access_in line 7 permit icmp interface inside host x.x.x.x traceroute (hitcnt=0)
```

Result of firewall command: "show access-group"

```
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
```
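As an added illustration (not code from this thread or from Cisco), the Python model below generates the probes a classic Linux `traceroute` (UDP, ports from 33434 upward) and a Windows `tracert` (ICMP Echo) would send, and checks them against simplified PIX-style access-list entries: a host-to-host rule in the shape of the listing's line 1 only passes probes from that one fixed source, while the "from any point on the internet" requirement needs an any-source rule. All addresses and ACL lines are constructed, and the parser only understands the any/host/range/icmp-type subset used here.

```python
from __future__ import annotations
import re
from dataclasses import dataclass
@dataclass(frozen=True)
class Probe:
    proto: str           # "udp" (Linux/Unix traceroute) or "icmp" (Windows tracert)
    src: str
    dst: str
    dport: int = 0       # UDP destination port (unused for ICMP)
    icmp_type: str = ""  # ICMP type keyword as the PIX spells it, e.g. "echo"

# Simplified PIX ACE: permit <udp|icmp> <any|host A> <any|host B> [range LO HI] [icmp-type]
ACE_RE = re.compile(
    r"permit (udp|icmp) (any|host \S+) (any|host \S+)(?: range (\d+) (\d+))?"
    r"(?: (echo-reply|echo|time-exceeded|unreachable|traceroute))?(?=\s|$)")

def _addr_match(spec: str, addr: str) -> bool:
    return spec == "any" or spec == f"host {addr}"

def ace_permits(ace: str, p: Probe) -> bool:
    m = ACE_RE.search(ace)
    if not m:
        raise ValueError(f"unsupported ACE syntax: {ace}")
    proto, src, dst, lo, hi, itype = m.groups()
    if proto != p.proto or not (_addr_match(src, p.src) and _addr_match(dst, p.dst)):
        return False
    if proto == "udp" and lo and not int(lo) <= p.dport <= int(hi):
        return False
    if proto == "icmp" and itype and itype != p.icmp_type:
        return False
    return True

def linux_probes(src: str, dst: str, max_hops: int = 30, per_hop: int = 3) -> list[Probe]:
    # Classic Linux traceroute: one UDP datagram per probe, destination port 33434 + probe index.
    return [Probe("udp", src, dst, dport=33434 + i) for i in range(max_hops * per_hop)]

def windows_probes(src: str, dst: str, max_hops: int = 30, per_hop: int = 3) -> list[Probe]:
    # Windows tracert: an ICMP Echo Request per probe, no UDP at all.
    return [Probe("icmp", src, dst, icmp_type="echo") for _ in range(max_hops * per_hop)]

def first_dropped(acl: list[str], probes: list[Probe]) -> Probe | None:
    # First probe that no ACE permits (the ACL's implicit deny), or None if all pass.
    return next((p for p in probes if not any(ace_permits(a, p) for a in acl)), None)

# Constructed ACLs using documentation addresses; 198.51.100.1 stands in for the PIX
# outside address. ACL_HOST_SCOPED mirrors the thread's host-to-host "line 1" shape.
ACL_HOST_SCOPED = ["access-list outside_access_in line 1 permit udp host 203.0.113.5 "
                   "host 198.51.100.1 range 33400 33600 (hitcnt=0)"]
ACL_ANY_SOURCE = ["permit udp any host 198.51.100.1 range 33434 33600",
                  "permit icmp any host 198.51.100.1 echo"]
```

With the default 30 hops and 3 probes per hop the UDP ports stay within 33434 to 33523, so a range ending at 33600 covers them; a host-scoped source drops the very first probe from any other address.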

soulmaris_79 Thu, 10/25/2007 - 03:23

Hello,

I read so much documentation on traceroute and ping that I stumbled upon a debate on one forum that said the following: ......" A PIX or FWSM does not decrease the TTL of traffic passing through it, even though it is a Layer 3 device. Therefore, they NEVER show up in traceroutes.

Recently we discussed this behavior with the TAC. The TAC stated that this is intended and they do not want to implement TTL decreasing in the (near) future"

.......If this is true, I can only use the command "traceroute -I", which in Linux generates ICMP Echo Reply instead of UDP's ICMP-port-unreachable. And this way it works. Do you have some comment on this issue?
