10-22-2007 02:12 AM - edited 03-11-2019 04:28 AM
Hello,
I have a problem with a PIX 506e. It is configured to allow ping and traceroute to the firewall's external address (a static address from an ISP). It works fine from a Windows computer, but a computer running Linux does not traceroute to my PIX: it gets one hop in front of my IP address but doesn't finish on my static IP; it displays *** for 20 hops and finishes without reaching my IP. Ping works just fine. I allowed traceroute, echo, time-exceeded and unreachable on ICMP.
I even tried allowing any ICMP packets from outside to inside and placing access rules for it, and still no change. Is there something that Linux needs to do for traceroute that is different from Windows computers?
10-22-2007 05:10 AM
The difference is that Unix/Linux `traceroute` uses UDP (User Datagram Protocol) packets to a random high port number, while Microsoft Windows uses ICMP (Internet Control Message Protocol) packets. You need to allow UDP packets in the destination port range of 33434 to 33600 to the PIX's outside address from your inside hosts.
10-22-2007 07:06 AM
Hello,
I need to allow that I can be tracerouted from any point on the Internet to my firewall's external (static) address.
10-22-2007 07:21 AM
Just add an ACL entry to your outside interface like so:
access-list permit udp any host
10-23-2007 04:21 AM
Hello,
I made access list like this:
access-list outside_permit_in permit udp any host
and still traceroute doesn't work from Linux. Is there something related to the ACL, like ICMP rules or some other ACL with UDP permissions, that I can use to solve this problem? MANY THANKS TO noran01@icansp.com FOR HIS VALUABLE ADVICE SO FAR!!!
10-23-2007 01:07 PM
No problem... that's what I'm here for. I was playing with this a little and also noticed my Linux client is sending out ICMP TTL messages for every hop. Try enabling ICMP directly to the outside firewall address as well. If it works, we can tighten it up.
10-24-2007 06:17 AM
Here is the result of the commands show access-list & show access-group. Can you figure it out? Is anything missing?
thanks
Result of firewall command: "show access-list"
access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 1024)
alert-interval 300
access-list inside_outbound_nat0_acl; 1 elements
access-list inside_outbound_nat0_acl line 1 permit ip any x.x.x.x x.x.x.x (hitcnt=0)
access-list outside_access_in; 10 elements
access-list outside_access_in line 1 permit udp host x.x.x.x host x.x.x.x range 33400 33600 (hitcnt=0)
access-list outside_access_in line 2 permit icmp host x.x.x.x host x.x.x.x echo-reply (hitcnt=0)
access-list outside_access_in line 3 permit udp host x.x.x.x object-group TCP-UDP host x.x.x.x object-group TCP-UDP
access-list outside_access_in line 3 permit udp host x.x.x.x eq echo host x.x.x.x eq echo (hitcnt=0)
access-list outside_access_in line 3 permit udp host x.x.x.x eq echo host x.x.x.x range 33400 33600 (hitcnt=0)
access-list outside_access_in line 3 permit udp host x.x.x.x range 33400 33600 host x.x.x.x eq echo (hitcnt=0)
access-list outside_access_in line 3 permit udp host x.x.x.x range 33400 33600 host x.x.x.x range 33400 33600 (hitcnt=0)
access-list outside_access_in line 4 permit udp host x.x.x.x host x.x.x.x (hitcnt=0)
access-list outside_access_in line 5 permit udp host x.x.x.x eq echo host x.x.x.x eq echo (hitcnt=0)
access-list outside_access_in line 6 permit tcp host x.x.x.x eq echo host x.x.x.x eq echo (hitcnt=0)
access-list outside_access_in line 7 permit icmp host x.x.x.x host x.x.x.x traceroute (hitcnt=0)
access-list inside_access_in; 7 elements
access-list inside_access_in line 1 permit icmp any any (hitcnt=136)
access-list inside_access_in line 2 permit icmp any any traceroute (hitcnt=0)
access-list inside_access_in line 3 permit tcp any any (hitcnt=89840)
access-list inside_access_in line 4 permit udp interface inside host x.x.x.x (hitcnt=0)
access-list inside_access_in line 5 permit tcp interface inside eq echo host x.x.x.x eq echo (hitcnt=0)
access-list inside_access_in line 6 permit udp interface inside eq echo host x.x.x.x eq echo (hitcnt=0)
access-list inside_access_in line 7 permit icmp interface inside host x.x.x.x traceroute (hitcnt=0)
Result of firewall command: "show access-group"
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
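To tie the UDP-versus-ICMP explanation earlier in the thread to the `show access-list` output above, here is an added example (not from the original posts or from Cisco) that parses PIX-style `show access-list` lines and reports which ACL line, if any, admits each kind of inbound traceroute probe aimed at the firewall's outside address: the Unix/Linux UDP probes (destination ports starting at 33434 and climbing one per probe) and the Windows ICMP echo probes. The sample output is constructed for the example; the addresses 203.0.113.10 (firewall outside address), 198.51.100.7 and 192.0.2.55 (two Internet hosts) are documentation addresses standing in for the x.x.x.x values masked in the thread, and the entry on line 8 is added to show a rule that matches any source.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Unix/Linux traceroute sends UDP to 33434 for the first probe and increments the
# destination port once per probe; 30 hops x 3 probes therefore tops out at 33523.
TRACEROUTE_UDP_BASE = 33434
TRACEROUTE_UDP_MAX = TRACEROUTE_UDP_BASE + 30 * 3 - 1

PORT_NAMES = {"echo": 7, "domain": 53, "www": 80}   # service names the PIX prints instead of numbers

# Constructed sample modelled on the thread's output; addresses are documentation ranges.
SAMPLE_SHOW_ACCESS_LIST = """\
access-list outside_access_in; 6 elements
access-list outside_access_in line 1 permit udp host 198.51.100.7 host 203.0.113.10 range 33400 33600 (hitcnt=0)
access-list outside_access_in line 2 permit icmp host 198.51.100.7 host 203.0.113.10 echo-reply (hitcnt=0)
access-list outside_access_in line 3 permit udp host 198.51.100.7 object-group TCP-UDP host 203.0.113.10 object-group TCP-UDP
access-list outside_access_in line 3 permit udp host 198.51.100.7 eq echo host 203.0.113.10 eq echo (hitcnt=0)
access-list outside_access_in line 7 permit icmp host 198.51.100.7 host 203.0.113.10 traceroute (hitcnt=0)
access-list outside_access_in line 8 permit icmp any host 203.0.113.10 echo (hitcnt=12)
"""

@dataclass
class AclEntry:
    acl: str
    line: int
    proto: str
    src: str                              # 'any', 'host A.B.C.D', 'interface NAME' or 'NET MASK'
    dst: str
    dst_ports: Optional[Tuple[int, int]]  # None means any destination port
    icmp_type: Optional[str]              # e.g. 'echo', 'echo-reply', 'traceroute'; None means any type

ENTRY_RE = re.compile(r"^access-list (\S+) line (\d+) permit (\S+) (.*?)(?: \(hitcnt=\d+\))?$")

def _port(tok: str) -> int:
    return int(tok) if tok.isdigit() else PORT_NAMES[tok]

def _take_addr(tokens: List[str]) -> Tuple[str, List[str]]:
    """Consume one address spec ('any', 'host X', 'interface X' or 'NET MASK')."""
    if tokens[0] == "any":
        return "any", tokens[1:]
    return f"{tokens[0]} {tokens[1]}", tokens[2:]

def _take_ports(tokens: List[str]) -> Tuple[Optional[Tuple[int, int]], List[str]]:
    """Consume an optional 'eq P' or 'range A B' port spec."""
    if tokens and tokens[0] == "eq":
        p = _port(tokens[1])
        return (p, p), tokens[2:]
    if tokens and tokens[0] == "range":
        return (_port(tokens[1]), _port(tokens[2])), tokens[3:]
    return None, tokens

def parse_show_access_list(text: str) -> List[AclEntry]:
    entries = []
    for raw in text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if not m:
            continue                      # summary and 'elements' lines carry no rule
        acl, line, proto, rest = m.group(1), int(m.group(2)), m.group(3), m.group(4).split()
        if "object-group" in rest:
            continue                      # the PIX prints the expanded members on the following lines
        src, rest = _take_addr(rest)
        _, rest = _take_ports(rest)       # source port never decides whether a probe gets in
        dst, rest = _take_addr(rest)
        dst_ports, icmp_type = None, None
        if proto == "icmp":
            icmp_type = rest[0] if rest else None
        else:
            dst_ports, rest = _take_ports(rest)
        entries.append(AclEntry(acl, line, proto, src, dst, dst_ports, icmp_type))
    return entries

def _addr_matches(spec: str, ip: str, ifaces: Dict[str, str]) -> bool:
    if spec == "any":
        return True
    kind, value = spec.split()
    if kind == "host":
        return value == ip
    if kind == "interface":
        return ifaces.get(value) == ip    # caller supplies interface addresses if known
    return ipaddress.ip_address(ip) in ipaddress.ip_network(f"{kind}/{value}", strict=False)

def first_permit(entries, acl, proto, src_ip, dst_ip, dst_port=None, icmp_type=None, ifaces=None):
    """Return the number of the first ACL line that permits the described packet, else None."""
    ifaces = ifaces or {}
    for e in entries:
        if e.acl != acl or e.proto not in (proto, "ip"):
            continue
        if not (_addr_matches(e.src, src_ip, ifaces) and _addr_matches(e.dst, dst_ip, ifaces)):
            continue
        if e.proto == "icmp" and e.icmp_type not in (None, icmp_type):
            continue
        if e.dst_ports and not (e.dst_ports[0] <= dst_port <= e.dst_ports[1]):
            continue
        return e.line
    return None

def traceroute_probe_report(entries, acl, fw_outside_ip, src_ip):
    """Which ACL line admits each traceroute probe style from src_ip to the firewall."""
    return {
        "linux_udp_first_probe": first_permit(entries, acl, "udp", src_ip, fw_outside_ip, dst_port=TRACEROUTE_UDP_BASE),
        "linux_udp_last_probe": first_permit(entries, acl, "udp", src_ip, fw_outside_ip, dst_port=TRACEROUTE_UDP_MAX),
        "windows_icmp_echo": first_permit(entries, acl, "icmp", src_ip, fw_outside_ip, icmp_type="echo"),
    }

if __name__ == "__main__":
    acl_entries = parse_show_access_list(SAMPLE_SHOW_ACCESS_LIST)
    for probe_src in ("198.51.100.7", "192.0.2.55"):
        print(probe_src, traceroute_probe_report(acl_entries, "outside_access_in", "203.0.113.10", probe_src))
```

Run against the constructed sample, the report for 198.51.100.7 finds both UDP probes on line 1 and the ICMP echo on line 8, while for 192.0.2.55 only the ICMP echo matches: the UDP entries in this ACL name one specific source host, so Linux-style traceroute from anywhere else on the Internet is dropped even though the port range 33400-33600 covers every probe. That is exactly the difference between `permit udp host A host FW` and the `permit udp any host FW` entry suggested earlier in the thread.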
10-25-2007 03:23 AM
Hello,
I read so much documentation on traceroute and ping that I stumbled upon a debate on one forum that said the following: ......" A PIX or FWSM does not decrease the TTL of traffic passing through it, even though it is a Layer 3 device. Therefore, they NEVER show up in traceroutes.
Recently we discussed this behavior with the TAC. The TAC stated that this is
intended and they do not want to implement TTL decreasing in the (near) future"
.......If this is true: I can only use command: " traceroute -I