traceroute through PIX 525

ciscokrishna
Level 1

Greetings,

I am running a Cisco PIX 525 with OS v7.2. I am trying to enable traceroute through the PIX. I already have the config below on my firewall for allowing ICMP replies from the untrusted i/f.

access-list xxxx extended permit icmp any any echo-reply
access-list xxxx extended permit icmp any any unreachable
access-list xxxx extended permit icmp any any time-exceeded

I want to allow these replies from anyone on the untrusted i/f, meaning I don't want to restrict my users to tracerouting only some destinations. At the same time, I am worried that anyone can send crafted echo-reply flood packets into my network.

Is there any other secure way of allowing ICMP replies into my network? (No suggestions of a H/W upgrade please. I am planning to replace this PIX with a NetScreen if this is the only way the PIX can work.)

Suggestions are appreciated.

Thanks,

Krishna, CISSP, CCSP

3 Replies

abinjola
Cisco Employee

Enable inspect icmp and inspect icmp error in the global policy.
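
As an added example that is not part of the original thread or of Cisco's own documentation, here is the weak configuration from the question beside the hardened one the reply points at. With `inspect icmp` enabled, the PIX creates a connection entry for each outbound echo request and admits only the echo-reply that matches it (same ID, sequence and addresses), so unsolicited echo-replies from the untrusted side are dropped even with no ACL hole. `inspect icmp error` additionally admits ICMP unreachable and time-exceeded messages whose embedded original header matches an existing connection, which is what a traceroute's intermediate hops send back. The ACL name `outside_in`, the interface name `outside` and the host addresses are assumptions (the question uses `xxxx`); `global_policy` and `inspection_default` are the PIX 7.x default policy-map and class names.

```cisco
! --- Weak: static holes in the outside ACL (from the question) ---
! Anyone on the untrusted side can send unsolicited echo-reply,
! unreachable or time-exceeded packets to any inside host.
! (ACL name, interface name: assumed for this example.)
access-list outside_in extended permit icmp any any echo-reply
access-list outside_in extended permit icmp any any unreachable
access-list outside_in extended permit icmp any any time-exceeded
access-group outside_in in interface outside

! --- Hardened: stateful ICMP inspection instead of static permits ---
! 1. Remove the three static permits. Inspection will allow the
!    replies to outbound requests on its own; nothing else gets in.
no access-list outside_in extended permit icmp any any echo-reply
no access-list outside_in extended permit icmp any any unreachable
no access-list outside_in extended permit icmp any any time-exceeded

! 2. Add ICMP inspection to the default global policy.
!    inspect icmp       -> echo-reply only for a tracked echo request
!    inspect icmp error -> unreachable/time-exceeded only when the
!                          embedded header matches an existing conn
policy-map global_policy
 class inspection_default
  inspect icmp
  inspect icmp error

! 3. Apply globally (already present by default on 7.x; re-entering
!    it is harmless).
service-policy global_policy global

! 4. Verify: run a traceroute from an inside host, then check that
!    the inspection counters are moving and that ICMP connections
!    appear in the connection table only while a request is in flight.
! show service-policy inspect icmp
! show conn
```

Note that inspection is a replacement for the ACL entries, not an addition to them: if the `permit icmp any any echo-reply` line is left in place, an unsolicited echo-reply still matches the ACL and is admitted regardless of inspection, which is the flood case the question worries about.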

I already have inspect icmp on my PIX.
